Which SIEM platforms have a T1034 detection rule?

df00tech provides T1034 (Path Interception) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1034 detection?

The T1034 detection is rated high severity with medium confidence.

What are common false positives for T1034?

Common false positives for T1034 include: Portable application suites (development toolchains, embedded Python/Perl distributions, security scanner bundles) that ship their own cmd.exe, net.exe, or powershell.exe stubs in non-standard install directories; Software installers that temporarily prepend their bin or temp directory to PATH during installation and revert on completion — generates transient PATHEnvironmentHijack signals; Configuration management tools (Chef, Puppet, Ansible WinRM, SCCM) that create service registry entries programmatically, sometimes producing transient unquoted ImagePath values before a subsequent fixup write.

T1034

Path Interception

Q: What data sources are required to detect Path Interception (T1034)?

Detecting Path Interception requires the following data sources: Process: Process Creation, Windows Registry: Windows Registry Key Modification, Microsoft Defender for Endpoint.

Persistence Privilege Escalation Last updated: April 16, 2026

**Deprecated — superseded by T1574.007 (PATH Environment Variable), T1574.008 (Search Order Hijacking), and T1574.009 (Unquoted Path).** Path Interception occurs when an adversary places an executable in a specific filesystem location so that it is resolved and executed instead of the intended system binary. Three distinct variants are covered: **Unquoted Paths:** Service or shortcut paths containing spaces without surrounding quotation marks allow Windows to attempt higher-level path components first during binary resolution. If a service ImagePath is `C:\Program Files\My App\svc.exe` (unquoted), Windows tries `C:\Program.exe` before reaching the intended binary. Adversaries plant malicious executables at these interceptable positions to run with the service's privilege level on next service start or system restart. **PATH Environment Variable Misconfiguration:** If adversary-controlled directories appear in the PATH environment variable before `C:\Windows\system32`, executables placed there with names matching Windows utilities (cmd.exe, net.exe, powershell.exe) will execute preferentially whenever those tools are invoked without a fully qualified path — from scripts, scheduled tasks, or applications. **Search Order Hijacking:** Windows searches the calling application's directory (and the current working directory for cmd.exe invocations) before system directories when resolving unqualified binary names. Placing a malicious binary named after a system tool in an application's working directory causes it to execute instead of the real utility, enabling both persistence and privilege escalation if the calling application runs elevated.

What is T1034 Path Interception?

Path Interception (T1034) maps to the Persistence and Privilege Escalation tactics — the adversary is trying to maintain their foothold in MITRE ATT&CK.

This page provides production-ready detection logic for Path Interception, covering the data sources and telemetry it touches: Process: Process Creation, Windows Registry: Windows Registry Key Modification, Microsoft Defender for Endpoint. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Persistence Privilege Escalation
Canonical reference: https://attack.mitre.org/techniques/T1034/

Microsoft Sentinel / Defender

kusto

let SystemBinaryNames = dynamic([
    "cmd.exe", "net.exe", "net1.exe", "powershell.exe", "ipconfig.exe",
    "whoami.exe", "ping.exe", "tasklist.exe", "sc.exe", "reg.exe",
    "msiexec.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe",
    "certutil.exe", "msbuild.exe", "wmic.exe", "schtasks.exe", "systeminfo.exe",
    "netstat.exe", "arp.exe", "route.exe", "at.exe", "bitsadmin.exe"
]);
// Signal 1: System binary name executed from outside canonical Windows directories
let BinaryNameHijack = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (SystemBinaryNames)
| where not (
    FolderPath startswith @"C:\Windows\"
    or FolderPath startswith @"C:\Program Files\"
    or FolderPath startswith @"C:\Program Files (x86)\"
    or FolderPath startswith @"C:\ProgramData\Microsoft\Windows Defender\"
    or FolderPath =~ @"C:\"
)
| extend Signal = "BinaryNameHijack",
         RiskContext = strcat("Process: ", FolderPath, "\\", FileName, " | Parent: ", InitiatingProcessFileName);
// Signal 2: PATH environment variable written to include user-writable or temp directory
let PathModification = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType == "RegistryValueSet"
| where RegistryKey has @"Control\Session Manager\Environment"
    or RegistryKey has @"HKEY_CURRENT_USER\Environment"
| where RegistryValueName =~ "Path"
| where RegistryValueData has_any (
    @"C:\Users\", @"C:\Temp\", @"C:\ProgramData\",
    "%USERPROFILE%", "%TEMP%", "%TMP%", "%APPDATA%",
    @"C:\Windows\Temp\"
)
| extend Signal = "PATHEnvironmentHijack",
         RiskContext = strcat("New PATH value: ", RegistryValueData);
// Signal 3: Service ImagePath written without quotes containing spaces (unquoted service path)
let UnquotedServicePath = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType == "RegistryValueSet"
| where RegistryKey has @"\Services\"
| where RegistryValueName =~ "ImagePath"
| where RegistryValueData !startswith "\""
| where RegistryValueData matches regex @"[A-Za-z]:\\.+\s.+\.exe"
| extend Signal = "UnquotedServicePath",
         RiskContext = strcat("Unquoted ImagePath: ", RegistryValueData);
// Union all path interception signals with consistent schema
union
  (BinaryNameHijack
   | project Timestamp, DeviceName, AccountName, Signal, RiskContext,
       AffectedPath = FolderPath,
       ExecutionDetail = ProcessCommandLine,
       InitiatingProcessFileName, InitiatingProcessCommandLine),
  (PathModification
   | project Timestamp, DeviceName,
       AccountName = InitiatingProcessAccountName, Signal, RiskContext,
       AffectedPath = RegistryKey,
       ExecutionDetail = RegistryValueData,
       InitiatingProcessFileName, InitiatingProcessCommandLine),
  (UnquotedServicePath
   | project Timestamp, DeviceName,
       AccountName = InitiatingProcessAccountName, Signal, RiskContext,
       AffectedPath = RegistryKey,
       ExecutionDetail = RegistryValueData,
       InitiatingProcessFileName, InitiatingProcessCommandLine)
| sort by Timestamp desc

Three-signal detection covering all path interception variants using MDE tables. Signal 1 (BinaryNameHijack) uses DeviceProcessEvents to identify Windows system binary names (cmd.exe, net.exe, powershell.exe, etc.) executing from outside canonical directories (C:\Windows\, Program Files, ProgramData\Microsoft) — the hallmark of search order hijacking or PATH prepend abuse. Signal 2 (PATHEnvironmentHijack) uses DeviceRegistryEvents to detect writes to HKLM or HKCU PATH values that introduce user-writable or temp directories, creating a future binary shadowing opportunity. Signal 3 (UnquotedServicePath) catches service ImagePath registry writes that omit quotation marks around paths containing spaces, leaving the service vulnerable to interception at the next restart.

high severity medium confidence

Data Sources

Process: Process Creation Windows Registry: Windows Registry Key Modification Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceRegistryEvents

False Positives

Portable application suites (development toolchains, embedded Python/Perl distributions, security scanner bundles) that ship their own cmd.exe, net.exe, or powershell.exe stubs in non-standard install directories
Software installers that temporarily prepend their bin or temp directory to PATH during installation and revert on completion — generates transient PATHEnvironmentHijack signals
Configuration management tools (Chef, Puppet, Ansible WinRM, SCCM) that create service registry entries programmatically, sometimes producing transient unquoted ImagePath values before a subsequent fixup write
Virtualisation and container software (Docker Desktop, VirtualBox, WSL2) that intentionally prepend shim directories to PATH to intercept and redirect tool invocations as a designed feature

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
(
  (EventCode=1
   (Image="*\\cmd.exe" OR Image="*\\net.exe" OR Image="*\\net1.exe" OR
    Image="*\\powershell.exe" OR Image="*\\whoami.exe" OR Image="*\\ping.exe" OR
    Image="*\\sc.exe" OR Image="*\\reg.exe" OR Image="*\\certutil.exe" OR
    Image="*\\msiexec.exe" OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR
    Image="*\\rundll32.exe" OR Image="*\\regsvr32.exe" OR Image="*\\schtasks.exe" OR
    Image="*\\systeminfo.exe" OR Image="*\\netstat.exe" OR Image="*\\bitsadmin.exe")
   NOT (Image="C:\\Windows\\*" OR Image="C:\\Program Files\\*" OR
        Image="C:\\Program Files (x86)\\*" OR Image="C:\\ProgramData\\Microsoft\\*"))
  OR
  (EventCode=13
   (TargetObject="*\\Control\\Session Manager\\Environment\\Path" OR
    TargetObject="*HKCU\\Environment\\Path" OR
    TargetObject="*HKEY_CURRENT_USER\\Environment\\Path")
   (Details="*C:\\Users\\*" OR Details="*%USERPROFILE%*" OR Details="*%TEMP%*" OR
    Details="*%TMP%*" OR Details="*C:\\Temp\\*" OR Details="*%APPDATA%*"))
  OR
  (EventCode=13
   TargetObject="*\\Services\\*\\ImagePath"
   NOT Details="\"*"
   (Details="*Program Files*" OR Details="* *.exe"))
)
| eval SignalType=case(
    EventCode="1", "BinaryNameHijack",
    EventCode="13" AND match(TargetObject, "(?i)Environment.*Path$"), "PATHEnvironmentModification",
    EventCode="13" AND match(TargetObject, "(?i)\\\\Services\\\\"), "UnquotedServicePath",
    true(), "Unknown")
| eval AffectedPath=coalesce(Image, TargetObject)
| eval RelevantData=coalesce(CommandLine, Details)
| eval IsUnquotedPath=if(SignalType="UnquotedServicePath" AND match(RelevantData, "^[^\"]"), 1, 0)
| table _time, host, User, SignalType, AffectedPath, RelevantData, ParentImage, ParentCommandLine, IsUnquotedPath
| sort - _time

Three-branch Sysmon-based detection covering all path interception variants. Branch 1 (EventCode=1, Process Create) flags system binary names executing from outside C:\Windows\, Program Files, or ProgramData\Microsoft — indicating search order hijacking or PATH variable abuse. Branch 2 (EventCode=13, RegistryValueSet) identifies modifications to HKLM System or HKCU PATH values that introduce user-writable directories (C:\Users\, %TEMP%, etc.), enabling future binary shadowing. Branch 3 (EventCode=13) catches service ImagePath writes that lack surrounding quotes and contain spaces, marking unquoted path vulnerabilities. Results are tagged by SignalType and the IsUnquotedPath flag aids triage for the service variant.

high severity medium confidence

Data Sources

Process: Process Creation Windows Registry: Windows Registry Key Modification Sysmon Event ID 1 Sysmon Event ID 13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Portable application suites that ship their own versions of cmd.exe, net.exe, or powershell.exe in non-standard installation directories
Software installers temporarily modifying PATH to include installation staging directories, reverting after setup completes
Configuration management tools (Chef, Puppet, Ansible) creating service entries programmatically with transient unquoted ImagePath values
Virtualisation and container software prepending shim directories to PATH as an intentional design feature for tool override

Elastic Security (EQL)

eql

any where
(
  /* Signal 1: System binary name executed outside canonical Windows paths */
  (
    event.category == "process" and event.type == "start"
    and process.name in~ (
      "cmd.exe", "net.exe", "net1.exe", "powershell.exe", "ipconfig.exe",
      "whoami.exe", "ping.exe", "tasklist.exe", "sc.exe", "reg.exe",
      "msiexec.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe",
      "certutil.exe", "msbuild.exe", "wmic.exe", "schtasks.exe", "systeminfo.exe",
      "netstat.exe", "arp.exe", "route.exe", "at.exe", "bitsadmin.exe"
    )
    and not (
      process.executable like~ "C:\\Windows\\*"
      or process.executable like~ "C:\\Program Files\\*"
      or process.executable like~ "C:\\Program Files (x86)\\*"
      or process.executable like~ "C:\\ProgramData\\Microsoft\\Windows Defender\\*"
    )
  )
  or
  /* Signal 2: PATH environment variable registry modification to include user-writable paths */
  (
    event.category == "registry"
    and event.type in ("change", "creation")
    and (
      registry.path like~ "*\\Control\\Session Manager\\Environment\\Path"
      or registry.path like~ "*\\HKEY_CURRENT_USER\\Environment\\Path"
      or registry.path like~ "*\\HKCU\\Environment\\Path"
    )
    and (
      registry.data.strings like~ "*C:\\Users\\*"
      or registry.data.strings like~ "*C:\\Temp\\*"
      or registry.data.strings like~ "*C:\\Windows\\Temp\\*"
      or registry.data.strings like~ "*%USERPROFILE%*"
      or registry.data.strings like~ "*%TEMP%*"
      or registry.data.strings like~ "*%TMP%*"
      or registry.data.strings like~ "*%APPDATA%*"
    )
  )
  or
  /* Signal 3: Service ImagePath written without quotes and containing spaces */
  (
    event.category == "registry"
    and event.type in ("change", "creation")
    and registry.path like~ "*\\Services\\*\\ImagePath"
    and not registry.data.strings like~ "\"*"
    and registry.data.strings like~ "* *.exe*"
  )
)

Detects T1034 Path Interception via three signals using ECS-normalized endpoint and registry events: (1) system utility names (cmd.exe, powershell.exe, etc.) launched from outside canonical Windows directories indicating search order hijacking; (2) PATH environment variable registry keys modified to prepend user-writable or temp directories enabling utility substitution; (3) service ImagePath registry values written unquoted with embedded spaces, creating interception opportunities at higher path components on service restart.

high severity high confidence

Data Sources

Elastic Endpoint Security integration (elastic-agent) Winlogbeat with Sysmon module Filebeat Windows module (Security + Sysmon)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.registry-* winlogbeat-*

False Positives

Portable application suites (PortableApps.com platform, NirSoft utilities) that bundle renamed copies of system executables within their own install directories for self-contained operation
Developer toolchains (Python pip scripts, Node.js global packages, Go binaries) that legitimately extend PATH via %APPDATA%\Python\Scripts or %USERPROFILE%\go\bin during user-local tool installation
Third-party software installers that write service registry entries with unquoted paths containing spaces before correcting them in a later installation phase, triggering a transient false positive

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  username AS AccountName,
  LONG(sourceip) AS HostIP,
  QIDNAME(qid) AS EventName,
  CASE
    WHEN QIDNAME(qid) LIKE '%Process Create%'
         AND "Process Image" NOT LIKE 'C:\Windows\%'
         AND "Process Image" NOT LIKE 'C:\Program Files\%'
         AND "Process Image" NOT LIKE 'C:\Program Files (x86)\%'
      THEN 'BinaryNameHijack'
    WHEN "Registry Key Path" LIKE '%\Control\Session Manager\Environment%'
         OR "Registry Key Path" LIKE '%HKCU\Environment%'
      THEN 'PATHEnvironmentHijack'
    WHEN "Registry Key Path" LIKE '%\Services\%\ImagePath%'
      THEN 'UnquotedServicePath'
    ELSE 'Unknown'
  END AS SignalType,
  COALESCE("Process Image", "Registry Key Path") AS AffectedPath,
  COALESCE("Process CommandLine", "Registry Value Data") AS RelevantDetail
FROM events
WHERE
  devicetime > DATEADD('hour', -24, NOW())
  AND LOGSOURCETYPEID(logsourceid) IN (
    SELECT id FROM logsourcetypes
    WHERE name LIKE '%Sysmon%' OR name LIKE '%Microsoft Windows%'
  )
  AND (
    /* Signal 1: System binary name executed outside canonical Windows paths (Sysmon EID 1 / Security EID 4688) */
    (
      QIDNAME(qid) LIKE '%Process Create%'
      AND (
        "Process Image" LIKE '%\cmd.exe'
        OR "Process Image" LIKE '%\net.exe'
        OR "Process Image" LIKE '%\net1.exe'
        OR "Process Image" LIKE '%\powershell.exe'
        OR "Process Image" LIKE '%\whoami.exe'
        OR "Process Image" LIKE '%\ping.exe'
        OR "Process Image" LIKE '%\tasklist.exe'
        OR "Process Image" LIKE '%\sc.exe'
        OR "Process Image" LIKE '%\reg.exe'
        OR "Process Image" LIKE '%\msiexec.exe'
        OR "Process Image" LIKE '%\wscript.exe'
        OR "Process Image" LIKE '%\cscript.exe'
        OR "Process Image" LIKE '%\rundll32.exe'
        OR "Process Image" LIKE '%\regsvr32.exe'
        OR "Process Image" LIKE '%\certutil.exe'
        OR "Process Image" LIKE '%\schtasks.exe'
        OR "Process Image" LIKE '%\systeminfo.exe'
        OR "Process Image" LIKE '%\netstat.exe'
        OR "Process Image" LIKE '%\bitsadmin.exe'
      )
      AND "Process Image" NOT LIKE 'C:\Windows\%'
      AND "Process Image" NOT LIKE 'C:\Program Files\%'
      AND "Process Image" NOT LIKE 'C:\Program Files (x86)\%'
      AND "Process Image" NOT LIKE 'C:\ProgramData\Microsoft\%'
    )
    OR
    /* Signal 2: PATH environment variable registry key modified to include user-writable path */
    (
      QIDNAME(qid) LIKE '%Registry Value Set%'
      AND (
        "Registry Key Path" LIKE '%\Control\Session Manager\Environment'
        OR "Registry Key Path" LIKE '%HKCU\Environment'
        OR "Registry Key Path" LIKE '%HKEY_CURRENT_USER\Environment'
      )
      AND "Registry Value Name" = 'Path'
      AND (
        "Registry Value Data" LIKE '%C:\Users\%'
        OR "Registry Value Data" LIKE '%C:\Temp\%'
        OR "Registry Value Data" LIKE '%%USERPROFILE%%'
        OR "Registry Value Data" LIKE '%%TEMP%%'
        OR "Registry Value Data" LIKE '%%APPDATA%%'
        OR "Registry Value Data" LIKE '%C:\Windows\Temp\%'
      )
    )
    OR
    /* Signal 3: Service ImagePath set without surrounding quotes and containing spaces */
    (
      QIDNAME(qid) LIKE '%Registry Value Set%'
      AND "Registry Key Path" LIKE '%\Services\%'
      AND "Registry Value Name" = 'ImagePath'
      AND "Registry Value Data" NOT LIKE '"%'
      AND "Registry Value Data" LIKE '% %.exe%'
    )
  )
ORDER BY devicetime DESC

QRadar AQL query detecting T1034 Path Interception across three attack vectors using Windows Sysmon and Security log sources. Identifies system binary name hijacking from non-canonical execution paths (Sysmon EID 1), PATH environment variable registry manipulation to prepend user-writable directories, and unquoted service ImagePath registry values containing spaces. Field names in double quotes (e.g., "Process Image") reference QRadar custom event properties extracted via the Sysmon DSM or a custom parsing rule.

high severity medium confidence

Data Sources

IBM QRadar SIEM with Windows Sysmon DSM Microsoft Windows Security Event Log DSM QRadar Custom Event Properties for Sysmon fields

Required Tables

events

False Positives

Security scanning and IR tooling (Sysinternals Suite, Velociraptor, Kape) run ad-hoc by analysts from Downloads or Desktop directories using names that match system utilities
Enterprise software package managers (Chocolatey, Scoop) that install tool shims in user-local directories and add those directories to system or user PATH during normal package installation
Legitimate embedded or OEM software that ships with poorly constructed service installers omitting path quoting, particularly older industrial control or point-of-sale software

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security" OR _sourceCategory="os/windows")
| where EventCode in ("1", "13", "4688")
/* Parse Sysmon Process Create fields */
| parse field=EventData "<Data Name='Image'>*</Data>" as Image nodrop
| parse field=EventData "<Data Name='CommandLine'>*</Data>" as CommandLine nodrop
| parse field=EventData "<Data Name='ParentImage'>*</Data>" as ParentImage nodrop
| parse field=EventData "<Data Name='ParentCommandLine'>*</Data>" as ParentCommandLine nodrop
/* Parse Sysmon Registry fields */
| parse field=EventData "<Data Name='TargetObject'>*</Data>" as TargetObject nodrop
| parse field=EventData "<Data Name='Details'>*</Data>" as RegistryDetails nodrop
/* Parse account name from either event type */
| parse field=EventData "<Data Name='User'>*</Data>" as AccountName nodrop
| parse field=EventData "<Data Name='SubjectUserName'>*</Data>" as SubjectUserName nodrop
| where
  /* Signal 1: System binary name executed outside canonical Windows directories */
  (
    EventCode in ("1", "4688")
    and (
      Image matches "*\\cmd.exe" or Image matches "*\\net.exe" or
      Image matches "*\\net1.exe" or Image matches "*\\powershell.exe" or
      Image matches "*\\ipconfig.exe" or Image matches "*\\whoami.exe" or
      Image matches "*\\ping.exe" or Image matches "*\\tasklist.exe" or
      Image matches "*\\sc.exe" or Image matches "*\\reg.exe" or
      Image matches "*\\msiexec.exe" or Image matches "*\\wscript.exe" or
      Image matches "*\\cscript.exe" or Image matches "*\\rundll32.exe" or
      Image matches "*\\regsvr32.exe" or Image matches "*\\certutil.exe" or
      Image matches "*\\msbuild.exe" or Image matches "*\\wmic.exe" or
      Image matches "*\\schtasks.exe" or Image matches "*\\systeminfo.exe" or
      Image matches "*\\netstat.exe" or Image matches "*\\bitsadmin.exe"
    )
    and !(Image matches "C:\\Windows\\*")
    and !(Image matches "C:\\Program Files\\*")
    and !(Image matches "C:\\Program Files (x86)\\*")
    and !(Image matches "C:\\ProgramData\\Microsoft\\*")
  )
  or
  /* Signal 2: PATH environment variable modified to include user-writable location */
  (
    EventCode == "13"
    and (
      TargetObject matches "*\\Control\\Session Manager\\Environment\\Path"
      or TargetObject matches "*HKCU\\Environment\\Path"
      or TargetObject matches "*HKEY_CURRENT_USER\\Environment\\Path"
    )
    and (
      RegistryDetails matches "*C:\\Users\\*"
      or RegistryDetails matches "*C:\\Temp\\*"
      or RegistryDetails matches "*%USERPROFILE%*"
      or RegistryDetails matches "*%TEMP%*"
      or RegistryDetails matches "*%TMP%*"
      or RegistryDetails matches "*%APPDATA%*"
      or RegistryDetails matches "*C:\\Windows\\Temp\\*"
    )
  )
  or
  /* Signal 3: Unquoted service ImagePath with spaces */
  (
    EventCode == "13"
    and TargetObject matches "*\\Services\\*\\ImagePath"
    and !(RegistryDetails matches "\"*")
    and RegistryDetails matches "* *.exe*"
  )
| eval SignalType = if(
    EventCode in ("1", "4688"), "BinaryNameHijack",
    if(
      EventCode == "13" and TargetObject matches "*Environment*Path*",
      "PATHEnvironmentHijack",
      if(
        EventCode == "13" and TargetObject matches "*Services*ImagePath*",
        "UnquotedServicePath",
        "Unknown"
      )
    )
  )
| eval AffectedPath = if(!isNull(Image) and Image != "", Image, TargetObject)
| eval RelevantData = if(!isNull(CommandLine) and CommandLine != "", CommandLine, RegistryDetails)
| eval EffectiveUser = if(!isNull(AccountName) and AccountName != "", AccountName, SubjectUserName)
| table _messageTime, Computer, EffectiveUser, SignalType, AffectedPath, RelevantData, ParentImage, ParentCommandLine
| sort by _messageTime desc

Sumo Logic query detecting T1034 Path Interception across Sysmon EID 1 (process create), EID 13 (registry value set), and Security EID 4688 (process create) events. Covers binary name hijacking via non-standard execution paths, PATH environment variable registry manipulation to insert user-writable directories, and unquoted service ImagePath values with embedded spaces that allow privilege escalation via path component resolution.

high severity high confidence

Data Sources

Sumo Logic Installed Collector on Windows hosts (windows/sysmon source) Sumo Logic Windows Security source (windows/security) Sumo Logic Cloud Syslog or HTTP Source with Sysmon XML forwarding

Required Tables

Sysmon Operational Event Logs Windows Security Event Logs

False Positives

Authorized red team or penetration testing engagements where testers stage binaries in staging directories and use known system utility names as payloads during sanctioned testing windows
VDI or RDS environments with roaming profiles where user-local application installations place PATH entries pointing to %APPDATA% or %USERPROFILE% directories for personalized toolchain setup
Legacy or industrial software (SCADA, HMI, medical devices) with service installers from older software generations that do not quote service paths containing spaces, a long-standing Windows packaging defect

Google Chronicle / SecOps

yaral

rule t1034_path_interception {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1034 Path Interception: binary name hijacking, PATH environment variable manipulation, and unquoted service paths"
    mitre_attack_technique = "T1034"
    mitre_attack_tactics = "TA0003, TA0004"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1034/"

  events:
    (
      /* Signal 1: System binary name executed outside canonical Windows directories */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex(
          $e.target.process.file.full_path,
          `(?i)\\(cmd|net|net1|powershell|ipconfig|whoami|ping|tasklist|sc|reg|msiexec|wscript|cscript|rundll32|regsvr32|certutil|msbuild|wmic|schtasks|systeminfo|netstat|arp|route|at|bitsadmin)\.exe$`
        )
        and not re.regex($e.target.process.file.full_path, `(?i)^C:\\Windows\\.+`)
        and not re.regex($e.target.process.file.full_path, `(?i)^C:\\Program Files\\.+`)
        and not re.regex($e.target.process.file.full_path, `(?i)^C:\\Program Files \(x86\)\\.+`)
        and not re.regex($e.target.process.file.full_path, `(?i)^C:\\ProgramData\\Microsoft\\.+`)
      )
      or
      /* Signal 2: PATH environment variable modified to include user-writable directories */
      (
        $e.metadata.event_type = "REGISTRY_MODIFICATION"
        and (
          re.regex($e.target.registry.registry_key, `(?i)\\Control\\Session Manager\\Environment$`)
          or re.regex($e.target.registry.registry_key, `(?i)(HKCU|HKEY_CURRENT_USER)\\Environment$`)
        )
        and re.regex($e.target.registry.registry_value_name, `(?i)^Path$`)
        and (
          re.regex($e.target.registry.registry_value_data, `(?i)C:\\Users\\`)
          or re.regex($e.target.registry.registry_value_data, `(?i)C:\\Temp\\`)
          or re.regex($e.target.registry.registry_value_data, `(?i)C:\\Windows\\Temp\\`)
          or re.regex($e.target.registry.registry_value_data, `(?i)%USERPROFILE%`)
          or re.regex($e.target.registry.registry_value_data, `(?i)%TEMP%`)
          or re.regex($e.target.registry.registry_value_data, `(?i)%TMP%`)
          or re.regex($e.target.registry.registry_value_data, `(?i)%APPDATA%`)
        )
      )
      or
      /* Signal 3: Service ImagePath set without leading quote and containing space before .exe */
      (
        $e.metadata.event_type = "REGISTRY_MODIFICATION"
        and re.regex($e.target.registry.registry_key, `(?i)\\System\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$`)
        and not re.regex($e.target.registry.registry_value_data, `^["']`)
        and re.regex($e.target.registry.registry_value_data, `(?i)[A-Za-z]:\\.+ .+\.exe`)
      )
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting T1034 Path Interception using UDM PROCESS_LAUNCH and REGISTRY_MODIFICATION event types. Signal 1 matches system utility names executing from outside C:\Windows, C:\Program Files, or C:\ProgramData\Microsoft using regex on target.process.file.full_path. Signal 2 identifies registry modifications to PATH values under HKLM Environment or HKCU Environment that include user-writable or temp directories. Signal 3 catches unquoted service ImagePath values with embedded spaces that allow Windows path resolution to intercept higher-level path components.

high severity high confidence

Data Sources

Google Chronicle SIEM with Unified Data Model Chronicle Forwarder on Windows endpoints Microsoft Defender for Endpoint events forwarded to Chronicle via MXDR integration Sysmon logs ingested via Chronicle Windows sensor or Bindplane

Required Tables

UDM Events (PROCESS_LAUNCH) UDM Events (REGISTRY_MODIFICATION)

False Positives

Windows Subsystem for Linux (WSL2) or Cygwin installations that add user-local binary directories to the Windows PATH during setup, causing expected PATH registry modifications pointing to user profile locations
Build automation systems (Jenkins agents, GitHub Actions runners, TeamCity build agents) that stage test executables named after system utilities in workspace directories and temporarily modify PATH during CI pipeline execution
Legitimate software vendors shipping applications to Program Files subdirectories with unquoted service paths — a widespread historical Windows packaging defect present in many enterprise software titles

CrowdStrike LogScale (CQL)

cql

// T1034 Path Interception — CrowdStrike LogScale (Falcon Data Replicator)
// Signal 1: System binary name hijack — executed outside canonical Windows device paths
(
  #event_simpleName = /^ProcessRollup2$/
  | FileName = /(?i)^(cmd|net|net1|powershell|ipconfig|whoami|ping|tasklist|sc|reg|msiexec|wscript|cscript|rundll32|regsvr32|certutil|msbuild|wmic|schtasks|systeminfo|netstat|arp|route|at|bitsadmin)\.exe$/
  | ImageFileName != /(?i)\\Device\\HarddiskVolume[0-9]+\\Windows\/
  | ImageFileName != /(?i)\\Device\\HarddiskVolume[0-9]+\\Program Files\/
  | ImageFileName != /(?i)\\Device\\HarddiskVolume[0-9]+\\Program Files \(x86\)\/
  | ImageFileName != /(?i)\\Device\\HarddiskVolume[0-9]+\\ProgramData\\Microsoft\/
  | SignalType := "BinaryNameHijack"
  | AffectedPath := ImageFileName
  | RelevantData := CommandLine
)

// Signal 2: PATH environment variable registry modification to include user-writable location
| union (
  #event_simpleName = /^RegSetValue$/
  | TargetValueName = /(?i)^Path$/
  | (
      RegObjectName = /(?i)\\Control\\Session Manager\\Environment/
      OR RegObjectName = /(?i)HKCU\\Environment/
      OR RegObjectName = /(?i)HKEY_CURRENT_USER\\Environment/
    )
  | (
      RegStringValue = /(?i)C:\\Users\\/
      OR RegStringValue = /(?i)C:\\Temp\\/
      OR RegStringValue = /(?i)C:\\Windows\\Temp\\/
      OR RegStringValue = /(?i)%USERPROFILE%/
      OR RegStringValue = /(?i)%TEMP%/
      OR RegStringValue = /(?i)%TMP%/
      OR RegStringValue = /(?i)%APPDATA%/
    )
  | SignalType := "PATHEnvironmentHijack"
  | AffectedPath := RegObjectName
  | RelevantData := RegStringValue
)

// Signal 3: Unquoted service ImagePath containing spaces
| union (
  #event_simpleName = /^RegSetValue$/
  | TargetValueName = /(?i)^ImagePath$/
  | RegObjectName = /(?i)\\Services\\/
  | RegStringValue != /^"/
  | RegStringValue = /(?i)[A-Za-z]:\\.+ .+\.exe/
  | SignalType := "UnquotedServicePath"
  | AffectedPath := RegObjectName
  | RelevantData := RegStringValue
)

| table([timestamp, ComputerName, UserName, SignalType, AffectedPath, RelevantData, ParentBaseFileName, CommandLine])
| sort(field=timestamp, order=desc)

CrowdStrike LogScale (Humio) query using Falcon Data Replicator event stream to detect T1034 Path Interception. Queries ProcessRollup2 events for system binary names executing outside canonical Windows device path prefixes (accommodating Falcon's \Device\HarddiskVolume notation), RegSetValue events for PATH environment registry keys modified to include user-writable paths, and RegSetValue events for service ImagePath keys written without surrounding quotes containing embedded spaces.

high severity high confidence

Data Sources

CrowdStrike Falcon EDR (Falcon Data Replicator / FDR) CrowdStrike LogScale with Falcon Event Stream integration Falcon SIEM Connector streaming ProcessRollup2 and RegSetValue events

Required Tables

ProcessRollup2 RegSetValue

False Positives

Authorized adversary simulation exercises using Falcon exclusions where red team operators stage payloads in user-accessible directories using system binary names to test detection coverage
Software development workflows where build systems (MSBuild, CMake, Bazel) produce executables sharing system utility names (e.g., reg.exe output stubs, net.exe wrappers) in project output directories that are temporarily on PATH
Legacy enterprise software (HR systems, ERP platforms, OEM hardware utilities) with service installers that have never been updated to quote service paths, a widespread pre-Windows Vista packaging defect that persists in many production environments

Sigma rule & cross-platform mapping

The detection logic for Path Interception (T1034) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1034 Sigma rules on detection.fyi

Platform-specific guides for T1034

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-16 Research depth: deep

References (12)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Create Vulnerable Unquoted Service Path via Registry
Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject = HKLM\SYSTEM\CurrentControlSet\Services\df00techVulnSvc\ImagePath, Details = 'C:\Program Files\Vulnerable App\service.exe' (note: no leading quote character). Initiating process will be reg.exe or the calling shell. Security Event ID 4657 (registry value modified) if object access auditing is enabled.
Test 2PATH Environment Variable Hijack — Prepend User-Writable Directory
Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject = HKEY_CURRENT_USER\Environment\Path, Details contains 'C:\Temp\PathHijackTest' as a prefix before standard system directories. Initiating process will be powershell.exe. If Sysmon registry monitoring is not deployed, Security Event ID 4657 may capture this if SACL auditing is configured on HKCU\Environment.
Test 3Search Order Hijacking — Rogue Binary in Application Directory
Expected signal: Sysmon Event ID 11 (FileCreate): TargetFilename = C:\Temp\SearchOrderTest\net.exe, Image = cmd.exe or the copy command. Sysmon Event ID 1 (Process Create): Image = C:\Temp\SearchOrderTest\net.exe, initiated from cmd.exe with working directory C:\Temp\SearchOrderTest. Note: Windows 10/11 may resolve the fully qualified system net.exe first; result depends on system configuration and whether CurrentDirectory search order applies.
Test 4Unquoted Path Privilege Escalation Simulation — Interceptable Path Position
Expected signal: Sysmon Event ID 11 (FileCreate): TargetFilename = C:\Program.exe, Image = cmd.exe or the copy command. Security Event ID 4663 (object access) if file system auditing is enabled on C:\. The file creation at C:\ root is unusual and should stand out in file creation baselines — legitimate software rarely creates executable files directly at the root of the system drive.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1034 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Path Interception

What is T1034 Path Interception?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1034

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Persistence

Popular Detections

What is T1034 Path Interception?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1034

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Persistence

Popular Detections

Get new detections in your inbox