T1034

Path Interception

**Deprecated — superseded by T1574.007 (PATH Environment Variable), T1574.008 (Search Order Hijacking), and T1574.009 (Unquoted Path).** Path Interception occurs when an adversary places an executable in a specific filesystem location so that it is resolved and executed instead of the intended system binary. Three distinct variants are covered: **Unquoted Paths:** Service or shortcut paths containing spaces without surrounding quotation marks allow Windows to attempt higher-level path components first during binary resolution. If a service ImagePath is `C:\Program Files\My App\svc.exe` (unquoted), Windows tries `C:\Program.exe` before reaching the intended binary. Adversaries plant malicious executables at these interceptable positions to run with the service's privilege level on next service start or system restart. **PATH Environment Variable Misconfiguration:** If adversary-controlled directories appear in the PATH environment variable before `C:\Windows\system32`, executables placed there with names matching Windows utilities (cmd.exe, net.exe, powershell.exe) will execute preferentially whenever those tools are invoked without a fully qualified path — from scripts, scheduled tasks, or applications. **Search Order Hijacking:** Windows searches the calling application's directory (and the current working directory for cmd.exe invocations) before system directories when resolving unqualified binary names. Placing a malicious binary named after a system tool in an application's working directory causes it to execute instead of the real utility, enabling both persistence and privilege escalation if the calling application runs elevated.

Microsoft Sentinel / Defender

kusto

let SystemBinaryNames = dynamic([
    "cmd.exe", "net.exe", "net1.exe", "powershell.exe", "ipconfig.exe",
    "whoami.exe", "ping.exe", "tasklist.exe", "sc.exe", "reg.exe",
    "msiexec.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe",
    "certutil.exe", "msbuild.exe", "wmic.exe", "schtasks.exe", "systeminfo.exe",
    "netstat.exe", "arp.exe", "route.exe", "at.exe", "bitsadmin.exe"
]);
// Signal 1: System binary name executed from outside canonical Windows directories
let BinaryNameHijack = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (SystemBinaryNames)
| where not (
    FolderPath startswith @"C:\Windows\"
    or FolderPath startswith @"C:\Program Files\"
    or FolderPath startswith @"C:\Program Files (x86)\"
    or FolderPath startswith @"C:\ProgramData\Microsoft\Windows Defender\"
    or FolderPath =~ @"C:\"
)
| extend Signal = "BinaryNameHijack",
         RiskContext = strcat("Process: ", FolderPath, "\\", FileName, " | Parent: ", InitiatingProcessFileName);
// Signal 2: PATH environment variable written to include user-writable or temp directory
let PathModification = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType == "RegistryValueSet"
| where RegistryKey has @"Control\Session Manager\Environment"
    or RegistryKey has @"HKEY_CURRENT_USER\Environment"
| where RegistryValueName =~ "Path"
| where RegistryValueData has_any (
    @"C:\Users\", @"C:\Temp\", @"C:\ProgramData\",
    "%USERPROFILE%", "%TEMP%", "%TMP%", "%APPDATA%",
    @"C:\Windows\Temp\"
)
| extend Signal = "PATHEnvironmentHijack",
         RiskContext = strcat("New PATH value: ", RegistryValueData);
// Signal 3: Service ImagePath written without quotes containing spaces (unquoted service path)
let UnquotedServicePath = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType == "RegistryValueSet"
| where RegistryKey has @"\Services\"
| where RegistryValueName =~ "ImagePath"
| where RegistryValueData !startswith "\""
| where RegistryValueData matches regex @"[A-Za-z]:\\.+\s.+\.exe"
| extend Signal = "UnquotedServicePath",
         RiskContext = strcat("Unquoted ImagePath: ", RegistryValueData);
// Union all path interception signals with consistent schema
union
  (BinaryNameHijack
   | project Timestamp, DeviceName, AccountName, Signal, RiskContext,
       AffectedPath = FolderPath,
       ExecutionDetail = ProcessCommandLine,
       InitiatingProcessFileName, InitiatingProcessCommandLine),
  (PathModification
   | project Timestamp, DeviceName,
       AccountName = InitiatingProcessAccountName, Signal, RiskContext,
       AffectedPath = RegistryKey,
       ExecutionDetail = RegistryValueData,
       InitiatingProcessFileName, InitiatingProcessCommandLine),
  (UnquotedServicePath
   | project Timestamp, DeviceName,
       AccountName = InitiatingProcessAccountName, Signal, RiskContext,
       AffectedPath = RegistryKey,
       ExecutionDetail = RegistryValueData,
       InitiatingProcessFileName, InitiatingProcessCommandLine)
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Windows Registry: Windows Registry Key Modification Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceRegistryEvents

False Positives

Portable application suites (development toolchains, embedded Python/Perl distributions, security scanner bundles) that ship their own cmd.exe, net.exe, or powershell.exe stubs in non-standard install directories
Software installers that temporarily prepend their bin or temp directory to PATH during installation and revert on completion — generates transient PATHEnvironmentHijack signals
Configuration management tools (Chef, Puppet, Ansible WinRM, SCCM) that create service registry entries programmatically, sometimes producing transient unquoted ImagePath values before a subsequent fixup write
Virtualisation and container software (Docker Desktop, VirtualBox, WSL2) that intentionally prepend shim directories to PATH to intercept and redirect tool invocations as a designed feature

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
(
  (EventCode=1
   (Image="*\\cmd.exe" OR Image="*\\net.exe" OR Image="*\\net1.exe" OR
    Image="*\\powershell.exe" OR Image="*\\whoami.exe" OR Image="*\\ping.exe" OR
    Image="*\\sc.exe" OR Image="*\\reg.exe" OR Image="*\\certutil.exe" OR
    Image="*\\msiexec.exe" OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR
    Image="*\\rundll32.exe" OR Image="*\\regsvr32.exe" OR Image="*\\schtasks.exe" OR
    Image="*\\systeminfo.exe" OR Image="*\\netstat.exe" OR Image="*\\bitsadmin.exe")
   NOT (Image="C:\\Windows\\*" OR Image="C:\\Program Files\\*" OR
        Image="C:\\Program Files (x86)\\*" OR Image="C:\\ProgramData\\Microsoft\\*"))
  OR
  (EventCode=13
   (TargetObject="*\\Control\\Session Manager\\Environment\\Path" OR
    TargetObject="*HKCU\\Environment\\Path" OR
    TargetObject="*HKEY_CURRENT_USER\\Environment\\Path")
   (Details="*C:\\Users\\*" OR Details="*%USERPROFILE%*" OR Details="*%TEMP%*" OR
    Details="*%TMP%*" OR Details="*C:\\Temp\\*" OR Details="*%APPDATA%*"))
  OR
  (EventCode=13
   TargetObject="*\\Services\\*\\ImagePath"
   NOT Details="\"*"
   (Details="*Program Files*" OR Details="* *.exe"))
)
| eval SignalType=case(
    EventCode="1", "BinaryNameHijack",
    EventCode="13" AND match(TargetObject, "(?i)Environment.*Path$"), "PATHEnvironmentModification",
    EventCode="13" AND match(TargetObject, "(?i)\\\\Services\\\\"), "UnquotedServicePath",
    true(), "Unknown")
| eval AffectedPath=coalesce(Image, TargetObject)
| eval RelevantData=coalesce(CommandLine, Details)
| eval IsUnquotedPath=if(SignalType="UnquotedServicePath" AND match(RelevantData, "^[^\"]"), 1, 0)
| table _time, host, User, SignalType, AffectedPath, RelevantData, ParentImage, ParentCommandLine, IsUnquotedPath
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Windows Registry: Windows Registry Key Modification Sysmon Event ID 1 Sysmon Event ID 13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Portable application suites that ship their own versions of cmd.exe, net.exe, or powershell.exe in non-standard installation directories
Software installers temporarily modifying PATH to include installation staging directories, reverting after setup completes
Configuration management tools (Chef, Puppet, Ansible) creating service entries programmatically with transient unquoted ImagePath values
Virtualisation and container software prepending shim directories to PATH as an intentional design feature for tool override

Elastic Security (EQL)

eql

any where
(
  /* Signal 1: System binary name executed outside canonical Windows paths */
  (
    event.category == "process" and event.type == "start"
    and process.name in~ (
      "cmd.exe", "net.exe", "net1.exe", "powershell.exe", "ipconfig.exe",
      "whoami.exe", "ping.exe", "tasklist.exe", "sc.exe", "reg.exe",
      "msiexec.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe",
      "certutil.exe", "msbuild.exe", "wmic.exe", "schtasks.exe", "systeminfo.exe",
      "netstat.exe", "arp.exe", "route.exe", "at.exe", "bitsadmin.exe"
    )
    and not (
      process.executable like~ "C:\\Windows\\*"
      or process.executable like~ "C:\\Program Files\\*"
      or process.executable like~ "C:\\Program Files (x86)\\*"
      or process.executable like~ "C:\\ProgramData\\Microsoft\\Windows Defender\\*"
    )
  )
  or
  /* Signal 2: PATH environment variable registry modification to include user-writable paths */
  (
    event.category == "registry"
    and event.type in ("change", "creation")
    and (
      registry.path like~ "*\\Control\\Session Manager\\Environment\\Path"
      or registry.path like~ "*\\HKEY_CURRENT_USER\\Environment\\Path"
      or registry.path like~ "*\\HKCU\\Environment\\Path"
    )
    and (
      registry.data.strings like~ "*C:\\Users\\*"
      or registry.data.strings like~ "*C:\\Temp\\*"
      or registry.data.strings like~ "*C:\\Windows\\Temp\\*"
      or registry.data.strings like~ "*%USERPROFILE%*"
      or registry.data.strings like~ "*%TEMP%*"
      or registry.data.strings like~ "*%TMP%*"
      or registry.data.strings like~ "*%APPDATA%*"
    )
  )
  or
  /* Signal 3: Service ImagePath written without quotes and containing spaces */
  (
    event.category == "registry"
    and event.type in ("change", "creation")
    and registry.path like~ "*\\Services\\*\\ImagePath"
    and not registry.data.strings like~ "\"*"
    and registry.data.strings like~ "* *.exe*"
  )
)

high severity high confidence

Data Sources

Elastic Endpoint Security integration (elastic-agent) Winlogbeat with Sysmon module Filebeat Windows module (Security + Sysmon)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.registry-* winlogbeat-*

False Positives

Portable application suites (PortableApps.com platform, NirSoft utilities) that bundle renamed copies of system executables within their own install directories for self-contained operation
Developer toolchains (Python pip scripts, Node.js global packages, Go binaries) that legitimately extend PATH via %APPDATA%\Python\Scripts or %USERPROFILE%\go\bin during user-local tool installation
Third-party software installers that write service registry entries with unquoted paths containing spaces before correcting them in a later installation phase, triggering a transient false positive

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  username AS AccountName,
  LONG(sourceip) AS HostIP,
  QIDNAME(qid) AS EventName,
  CASE
    WHEN QIDNAME(qid) LIKE '%Process Create%'
         AND "Process Image" NOT LIKE 'C:\Windows\%'
         AND "Process Image" NOT LIKE 'C:\Program Files\%'
         AND "Process Image" NOT LIKE 'C:\Program Files (x86)\%'
      THEN 'BinaryNameHijack'
    WHEN "Registry Key Path" LIKE '%\Control\Session Manager\Environment%'
         OR "Registry Key Path" LIKE '%HKCU\Environment%'
      THEN 'PATHEnvironmentHijack'
    WHEN "Registry Key Path" LIKE '%\Services\%\ImagePath%'
      THEN 'UnquotedServicePath'
    ELSE 'Unknown'
  END AS SignalType,
  COALESCE("Process Image", "Registry Key Path") AS AffectedPath,
  COALESCE("Process CommandLine", "Registry Value Data") AS RelevantDetail
FROM events
WHERE
  devicetime > DATEADD('hour', -24, NOW())
  AND LOGSOURCETYPEID(logsourceid) IN (
    SELECT id FROM logsourcetypes
    WHERE name LIKE '%Sysmon%' OR name LIKE '%Microsoft Windows%'
  )
  AND (
    /* Signal 1: System binary name executed outside canonical Windows paths (Sysmon EID 1 / Security EID 4688) */
    (
      QIDNAME(qid) LIKE '%Process Create%'
      AND (
        "Process Image" LIKE '%\cmd.exe'
        OR "Process Image" LIKE '%\net.exe'
        OR "Process Image" LIKE '%\net1.exe'
        OR "Process Image" LIKE '%\powershell.exe'
        OR "Process Image" LIKE '%\whoami.exe'
        OR "Process Image" LIKE '%\ping.exe'
        OR "Process Image" LIKE '%\tasklist.exe'
        OR "Process Image" LIKE '%\sc.exe'
        OR "Process Image" LIKE '%\reg.exe'
        OR "Process Image" LIKE '%\msiexec.exe'
        OR "Process Image" LIKE '%\wscript.exe'
        OR "Process Image" LIKE '%\cscript.exe'
        OR "Process Image" LIKE '%\rundll32.exe'
        OR "Process Image" LIKE '%\regsvr32.exe'
        OR "Process Image" LIKE '%\certutil.exe'
        OR "Process Image" LIKE '%\schtasks.exe'
        OR "Process Image" LIKE '%\systeminfo.exe'
        OR "Process Image" LIKE '%\netstat.exe'
        OR "Process Image" LIKE '%\bitsadmin.exe'
      )
      AND "Process Image" NOT LIKE 'C:\Windows\%'
      AND "Process Image" NOT LIKE 'C:\Program Files\%'
      AND "Process Image" NOT LIKE 'C:\Program Files (x86)\%'
      AND "Process Image" NOT LIKE 'C:\ProgramData\Microsoft\%'
    )
    OR
    /* Signal 2: PATH environment variable registry key modified to include user-writable path */
    (
      QIDNAME(qid) LIKE '%Registry Value Set%'
      AND (
        "Registry Key Path" LIKE '%\Control\Session Manager\Environment'
        OR "Registry Key Path" LIKE '%HKCU\Environment'
        OR "Registry Key Path" LIKE '%HKEY_CURRENT_USER\Environment'
      )
      AND "Registry Value Name" = 'Path'
      AND (
        "Registry Value Data" LIKE '%C:\Users\%'
        OR "Registry Value Data" LIKE '%C:\Temp\%'
        OR "Registry Value Data" LIKE '%%USERPROFILE%%'
        OR "Registry Value Data" LIKE '%%TEMP%%'
        OR "Registry Value Data" LIKE '%%APPDATA%%'
        OR "Registry Value Data" LIKE '%C:\Windows\Temp\%'
      )
    )
    OR
    /* Signal 3: Service ImagePath set without surrounding quotes and containing spaces */
    (
      QIDNAME(qid) LIKE '%Registry Value Set%'
      AND "Registry Key Path" LIKE '%\Services\%'
      AND "Registry Value Name" = 'ImagePath'
      AND "Registry Value Data" NOT LIKE '"%'
      AND "Registry Value Data" LIKE '% %.exe%'
    )
  )
ORDER BY devicetime DESC

high severity medium confidence

Data Sources

IBM QRadar SIEM with Windows Sysmon DSM Microsoft Windows Security Event Log DSM QRadar Custom Event Properties for Sysmon fields

Required Tables

events

False Positives

Security scanning and IR tooling (Sysinternals Suite, Velociraptor, Kape) run ad-hoc by analysts from Downloads or Desktop directories using names that match system utilities
Enterprise software package managers (Chocolatey, Scoop) that install tool shims in user-local directories and add those directories to system or user PATH during normal package installation
Legitimate embedded or OEM software that ships with poorly constructed service installers omitting path quoting, particularly older industrial control or point-of-sale software

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security" OR _sourceCategory="os/windows")
| where EventCode in ("1", "13", "4688")
/* Parse Sysmon Process Create fields */
| parse field=EventData "<Data Name='Image'>*</Data>" as Image nodrop
| parse field=EventData "<Data Name='CommandLine'>*</Data>" as CommandLine nodrop
| parse field=EventData "<Data Name='ParentImage'>*</Data>" as ParentImage nodrop
| parse field=EventData "<Data Name='ParentCommandLine'>*</Data>" as ParentCommandLine nodrop
/* Parse Sysmon Registry fields */
| parse field=EventData "<Data Name='TargetObject'>*</Data>" as TargetObject nodrop
| parse field=EventData "<Data Name='Details'>*</Data>" as RegistryDetails nodrop
/* Parse account name from either event type */
| parse field=EventData "<Data Name='User'>*</Data>" as AccountName nodrop
| parse field=EventData "<Data Name='SubjectUserName'>*</Data>" as SubjectUserName nodrop
| where
  /* Signal 1: System binary name executed outside canonical Windows directories */
  (
    EventCode in ("1", "4688")
    and (
      Image matches "*\\cmd.exe" or Image matches "*\\net.exe" or
      Image matches "*\\net1.exe" or Image matches "*\\powershell.exe" or
      Image matches "*\\ipconfig.exe" or Image matches "*\\whoami.exe" or
      Image matches "*\\ping.exe" or Image matches "*\\tasklist.exe" or
      Image matches "*\\sc.exe" or Image matches "*\\reg.exe" or
      Image matches "*\\msiexec.exe" or Image matches "*\\wscript.exe" or
      Image matches "*\\cscript.exe" or Image matches "*\\rundll32.exe" or
      Image matches "*\\regsvr32.exe" or Image matches "*\\certutil.exe" or
      Image matches "*\\msbuild.exe" or Image matches "*\\wmic.exe" or
      Image matches "*\\schtasks.exe" or Image matches "*\\systeminfo.exe" or
      Image matches "*\\netstat.exe" or Image matches "*\\bitsadmin.exe"
    )
    and !(Image matches "C:\\Windows\\*")
    and !(Image matches "C:\\Program Files\\*")
    and !(Image matches "C:\\Program Files (x86)\\*")
    and !(Image matches "C:\\ProgramData\\Microsoft\\*")
  )
  or
  /* Signal 2: PATH environment variable modified to include user-writable location */
  (
    EventCode == "13"
    and (
      TargetObject matches "*\\Control\\Session Manager\\Environment\\Path"
      or TargetObject matches "*HKCU\\Environment\\Path"
      or TargetObject matches "*HKEY_CURRENT_USER\\Environment\\Path"
    )
    and (
      RegistryDetails matches "*C:\\Users\\*"
      or RegistryDetails matches "*C:\\Temp\\*"
      or RegistryDetails matches "*%USERPROFILE%*"
      or RegistryDetails matches "*%TEMP%*"
      or RegistryDetails matches "*%TMP%*"
      or RegistryDetails matches "*%APPDATA%*"
      or RegistryDetails matches "*C:\\Windows\\Temp\\*"
    )
  )
  or
  /* Signal 3: Unquoted service ImagePath with spaces */
  (
    EventCode == "13"
    and TargetObject matches "*\\Services\\*\\ImagePath"
    and !(RegistryDetails matches "\"*")
    and RegistryDetails matches "* *.exe*"
  )
| eval SignalType = if(
    EventCode in ("1", "4688"), "BinaryNameHijack",
    if(
      EventCode == "13" and TargetObject matches "*Environment*Path*",
      "PATHEnvironmentHijack",
      if(
        EventCode == "13" and TargetObject matches "*Services*ImagePath*",
        "UnquotedServicePath",
        "Unknown"
      )
    )
  )
| eval AffectedPath = if(!isNull(Image) and Image != "", Image, TargetObject)
| eval RelevantData = if(!isNull(CommandLine) and CommandLine != "", CommandLine, RegistryDetails)
| eval EffectiveUser = if(!isNull(AccountName) and AccountName != "", AccountName, SubjectUserName)
| table _messageTime, Computer, EffectiveUser, SignalType, AffectedPath, RelevantData, ParentImage, ParentCommandLine
| sort by _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Installed Collector on Windows hosts (windows/sysmon source) Sumo Logic Windows Security source (windows/security) Sumo Logic Cloud Syslog or HTTP Source with Sysmon XML forwarding

Required Tables

Sysmon Operational Event Logs Windows Security Event Logs

False Positives

Authorized red team or penetration testing engagements where testers stage binaries in staging directories and use known system utility names as payloads during sanctioned testing windows
VDI or RDS environments with roaming profiles where user-local application installations place PATH entries pointing to %APPDATA% or %USERPROFILE% directories for personalized toolchain setup
Legacy or industrial software (SCADA, HMI, medical devices) with service installers from older software generations that do not quote service paths containing spaces, a long-standing Windows packaging defect

Google Chronicle / SecOps

yaral

rule t1034_path_interception {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1034 Path Interception: binary name hijacking, PATH environment variable manipulation, and unquoted service paths"
    mitre_attack_technique = "T1034"
    mitre_attack_tactics = "TA0003, TA0004"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1034/"

  events:
    (
      /* Signal 1: System binary name executed outside canonical Windows directories */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex(
          $e.target.process.file.full_path,
          `(?i)\\(cmd|net|net1|powershell|ipconfig|whoami|ping|tasklist|sc|reg|msiexec|wscript|cscript|rundll32|regsvr32|certutil|msbuild|wmic|schtasks|systeminfo|netstat|arp|route|at|bitsadmin)\.exe$`
        )
        and not re.regex($e.target.process.file.full_path, `(?i)^C:\\Windows\\.+`)
        and not re.regex($e.target.process.file.full_path, `(?i)^C:\\Program Files\\.+`)
        and not re.regex($e.target.process.file.full_path, `(?i)^C:\\Program Files \(x86\)\\.+`)
        and not re.regex($e.target.process.file.full_path, `(?i)^C:\\ProgramData\\Microsoft\\.+`)
      )
      or
      /* Signal 2: PATH environment variable modified to include user-writable directories */
      (
        $e.metadata.event_type = "REGISTRY_MODIFICATION"
        and (
          re.regex($e.target.registry.registry_key, `(?i)\\Control\\Session Manager\\Environment$`)
          or re.regex($e.target.registry.registry_key, `(?i)(HKCU|HKEY_CURRENT_USER)\\Environment$`)
        )
        and re.regex($e.target.registry.registry_value_name, `(?i)^Path$`)
        and (
          re.regex($e.target.registry.registry_value_data, `(?i)C:\\Users\\`)
          or re.regex($e.target.registry.registry_value_data, `(?i)C:\\Temp\\`)
          or re.regex($e.target.registry.registry_value_data, `(?i)C:\\Windows\\Temp\\`)
          or re.regex($e.target.registry.registry_value_data, `(?i)%USERPROFILE%`)
          or re.regex($e.target.registry.registry_value_data, `(?i)%TEMP%`)
          or re.regex($e.target.registry.registry_value_data, `(?i)%TMP%`)
          or re.regex($e.target.registry.registry_value_data, `(?i)%APPDATA%`)
        )
      )
      or
      /* Signal 3: Service ImagePath set without leading quote and containing space before .exe */
      (
        $e.metadata.event_type = "REGISTRY_MODIFICATION"
        and re.regex($e.target.registry.registry_key, `(?i)\\System\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$`)
        and not re.regex($e.target.registry.registry_value_data, `^["']`)
        and re.regex($e.target.registry.registry_value_data, `(?i)[A-Za-z]:\\.+ .+\.exe`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM with Unified Data Model Chronicle Forwarder on Windows endpoints Microsoft Defender for Endpoint events forwarded to Chronicle via MXDR integration Sysmon logs ingested via Chronicle Windows sensor or Bindplane

Required Tables

UDM Events (PROCESS_LAUNCH) UDM Events (REGISTRY_MODIFICATION)

False Positives

Windows Subsystem for Linux (WSL2) or Cygwin installations that add user-local binary directories to the Windows PATH during setup, causing expected PATH registry modifications pointing to user profile locations
Build automation systems (Jenkins agents, GitHub Actions runners, TeamCity build agents) that stage test executables named after system utilities in workspace directories and temporarily modify PATH during CI pipeline execution
Legitimate software vendors shipping applications to Program Files subdirectories with unquoted service paths — a widespread historical Windows packaging defect present in many enterprise software titles

CrowdStrike LogScale (CQL)

cql

// T1034 Path Interception — CrowdStrike LogScale (Falcon Data Replicator)
// Signal 1: System binary name hijack — executed outside canonical Windows device paths
(
  #event_simpleName = /^ProcessRollup2$/
  | FileName = /(?i)^(cmd|net|net1|powershell|ipconfig|whoami|ping|tasklist|sc|reg|msiexec|wscript|cscript|rundll32|regsvr32|certutil|msbuild|wmic|schtasks|systeminfo|netstat|arp|route|at|bitsadmin)\.exe$/
  | ImageFileName != /(?i)\\Device\\HarddiskVolume[0-9]+\\Windows\/
  | ImageFileName != /(?i)\\Device\\HarddiskVolume[0-9]+\\Program Files\/
  | ImageFileName != /(?i)\\Device\\HarddiskVolume[0-9]+\\Program Files \(x86\)\/
  | ImageFileName != /(?i)\\Device\\HarddiskVolume[0-9]+\\ProgramData\\Microsoft\/
  | SignalType := "BinaryNameHijack"
  | AffectedPath := ImageFileName
  | RelevantData := CommandLine
)

// Signal 2: PATH environment variable registry modification to include user-writable location
| union (
  #event_simpleName = /^RegSetValue$/
  | TargetValueName = /(?i)^Path$/
  | (
      RegObjectName = /(?i)\\Control\\Session Manager\\Environment/
      OR RegObjectName = /(?i)HKCU\\Environment/
      OR RegObjectName = /(?i)HKEY_CURRENT_USER\\Environment/
    )
  | (
      RegStringValue = /(?i)C:\\Users\\/
      OR RegStringValue = /(?i)C:\\Temp\\/
      OR RegStringValue = /(?i)C:\\Windows\\Temp\\/
      OR RegStringValue = /(?i)%USERPROFILE%/
      OR RegStringValue = /(?i)%TEMP%/
      OR RegStringValue = /(?i)%TMP%/
      OR RegStringValue = /(?i)%APPDATA%/
    )
  | SignalType := "PATHEnvironmentHijack"
  | AffectedPath := RegObjectName
  | RelevantData := RegStringValue
)

// Signal 3: Unquoted service ImagePath containing spaces
| union (
  #event_simpleName = /^RegSetValue$/
  | TargetValueName = /(?i)^ImagePath$/
  | RegObjectName = /(?i)\\Services\\/
  | RegStringValue != /^"/
  | RegStringValue = /(?i)[A-Za-z]:\\.+ .+\.exe/
  | SignalType := "UnquotedServicePath"
  | AffectedPath := RegObjectName
  | RelevantData := RegStringValue
)

| table([timestamp, ComputerName, UserName, SignalType, AffectedPath, RelevantData, ParentBaseFileName, CommandLine])
| sort(field=timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR (Falcon Data Replicator / FDR) CrowdStrike LogScale with Falcon Event Stream integration Falcon SIEM Connector streaming ProcessRollup2 and RegSetValue events

Required Tables

ProcessRollup2 RegSetValue

False Positives

Authorized adversary simulation exercises using Falcon exclusions where red team operators stage payloads in user-accessible directories using system binary names to test detection coverage
Software development workflows where build systems (MSBuild, CMake, Bazel) produce executables sharing system utility names (e.g., reg.exe output stubs, net.exe wrappers) in project output directories that are temporarily on PATH
Legacy enterprise software (HR systems, ERP platforms, OEM hardware utilities) with service installers that have never been updated to quote service paths, a widespread pre-Windows Vista packaging defect that persists in many production environments

Last updated: 2026-04-16 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1034 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Path Interception

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Persistence

Popular Detections