Detect Path Interception in IBM QRadar
**Deprecated — superseded by T1574.007 (PATH Environment Variable), T1574.008 (Search Order Hijacking), and T1574.009 (Unquoted Path).**

Path Interception occurs when an adversary places an executable in a specific filesystem location so that it is resolved and executed instead of the intended system binary. Three distinct variants are covered:

- **Unquoted Paths:** Service or shortcut paths containing spaces without surrounding quotation marks allow Windows to attempt higher-level path components first during binary resolution. If a service ImagePath is `C:\Program Files\My App\svc.exe` (unquoted), Windows tries `C:\Program.exe` before reaching the intended binary. Adversaries plant malicious executables at these interceptable positions to run with the service's privilege level on the next service start or system restart.
- **PATH Environment Variable Misconfiguration:** If adversary-controlled directories appear in the PATH environment variable before `C:\Windows\system32`, executables placed there with names matching Windows utilities (cmd.exe, net.exe, powershell.exe) will execute preferentially whenever those tools are invoked without a fully qualified path, whether from scripts, scheduled tasks, or applications.
- **Search Order Hijacking:** Windows searches the calling application's directory (and the current working directory for cmd.exe invocations) before system directories when resolving unqualified binary names. Placing a malicious binary named after a system tool in an application's working directory causes it to execute instead of the real utility, enabling both persistence and privilege escalation if the calling application runs elevated.
MITRE ATT&CK
- Tactic
- Persistence, Privilege Escalation
- Canonical reference
- https://attack.mitre.org/techniques/T1034/
QRadar Detection Query
```sql
SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    username AS AccountName,
    sourceip AS HostIP,
    QIDNAME(qid) AS EventName,
    CASE
        WHEN QIDNAME(qid) LIKE '%Process Create%'
            AND "Process Image" NOT LIKE 'C:\Windows\%'
            AND "Process Image" NOT LIKE 'C:\Program Files\%'
            AND "Process Image" NOT LIKE 'C:\Program Files (x86)\%'
        THEN 'BinaryNameHijack'
        WHEN "Registry Key Path" LIKE '%\Control\Session Manager\Environment%'
            OR "Registry Key Path" LIKE '%HKCU\Environment%'
            OR "Registry Key Path" LIKE '%HKEY_CURRENT_USER\Environment%'
        THEN 'PATHEnvironmentHijack'
        /* Key path and value name are separate properties, so test them separately
           (matching the Signal 3 filter below) rather than expecting '\ImagePath' in the key */
        WHEN "Registry Key Path" LIKE '%\Services\%'
            AND "Registry Value Name" = 'ImagePath'
        THEN 'UnquotedServicePath'
        ELSE 'Unknown'
    END AS SignalType,
    COALESCE("Process Image", "Registry Key Path") AS AffectedPath,
    COALESCE("Process CommandLine", "Registry Value Data") AS RelevantDetail
FROM events
WHERE
    (
        LOGSOURCETYPENAME(devicetype) LIKE '%Sysmon%'
        OR LOGSOURCETYPENAME(devicetype) LIKE '%Microsoft Windows%'
    )
    AND (
        /* Signal 1: System binary name executed outside canonical Windows paths (Sysmon EID 1 / Security EID 4688) */
        (
            QIDNAME(qid) LIKE '%Process Create%'
            AND (
                "Process Image" LIKE '%\cmd.exe'
                OR "Process Image" LIKE '%\net.exe'
                OR "Process Image" LIKE '%\net1.exe'
                OR "Process Image" LIKE '%\powershell.exe'
                OR "Process Image" LIKE '%\whoami.exe'
                OR "Process Image" LIKE '%\ping.exe'
                OR "Process Image" LIKE '%\tasklist.exe'
                OR "Process Image" LIKE '%\sc.exe'
                OR "Process Image" LIKE '%\reg.exe'
                OR "Process Image" LIKE '%\msiexec.exe'
                OR "Process Image" LIKE '%\wscript.exe'
                OR "Process Image" LIKE '%\cscript.exe'
                OR "Process Image" LIKE '%\rundll32.exe'
                OR "Process Image" LIKE '%\regsvr32.exe'
                OR "Process Image" LIKE '%\certutil.exe'
                OR "Process Image" LIKE '%\schtasks.exe'
                OR "Process Image" LIKE '%\systeminfo.exe'
                OR "Process Image" LIKE '%\netstat.exe'
                OR "Process Image" LIKE '%\bitsadmin.exe'
            )
            AND "Process Image" NOT LIKE 'C:\Windows\%'
            AND "Process Image" NOT LIKE 'C:\Program Files\%'
            AND "Process Image" NOT LIKE 'C:\Program Files (x86)\%'
            AND "Process Image" NOT LIKE 'C:\ProgramData\Microsoft\%'
        )
        OR
        /* Signal 2: PATH environment variable registry key modified to include a user-writable path */
        (
            QIDNAME(qid) LIKE '%Registry Value Set%'
            AND (
                "Registry Key Path" LIKE '%\Control\Session Manager\Environment'
                OR "Registry Key Path" LIKE '%HKCU\Environment'
                OR "Registry Key Path" LIKE '%HKEY_CURRENT_USER\Environment'
            )
            AND "Registry Value Name" = 'Path'
            AND (
                "Registry Value Data" LIKE '%C:\Users\%'
                OR "Registry Value Data" LIKE '%C:\Temp\%'
                /* '%' is the LIKE wildcard, so a literal %USERPROFILE% cannot be matched exactly;
                   matching the bare variable name anywhere in the value is sufficient here */
                OR "Registry Value Data" LIKE '%USERPROFILE%'
                OR "Registry Value Data" LIKE '%TEMP%'
                OR "Registry Value Data" LIKE '%APPDATA%'
                OR "Registry Value Data" LIKE '%C:\Windows\Temp\%'
            )
        )
        OR
        /* Signal 3: Service ImagePath set without surrounding quotes and containing spaces */
        (
            QIDNAME(qid) LIKE '%Registry Value Set%'
            AND "Registry Key Path" LIKE '%\Services\%'
            AND "Registry Value Name" = 'ImagePath'
            AND "Registry Value Data" NOT LIKE '"%'
            AND "Registry Value Data" LIKE '% %.exe%'
        )
    )
ORDER BY devicetime DESC
LAST 24 HOURS
```

QRadar AQL query detecting T1034 Path Interception across three attack vectors using Windows Sysmon and Security log sources. It identifies system binary name hijacking from non-canonical execution paths (Sysmon EID 1), PATH environment variable registry manipulation that prepends user-writable directories, and unquoted service ImagePath registry values containing spaces. Field names in double quotes (e.g., "Process Image") reference QRadar custom event properties extracted via the Sysmon DSM or a custom parsing rule. The time window is applied with the AQL `LAST 24 HOURS` clause and the log source filter uses `LOGSOURCETYPENAME(devicetype)`, both of which are native AQL constructs.
Data Sources
Required Tables
False Positives & Tuning
- Security scanning and IR tooling (Sysinternals Suite, Velociraptor, KAPE) run ad hoc by analysts from Downloads or Desktop directories using names that match system utilities
- Enterprise software package managers (Chocolatey, Scoop) that install tool shims in user-local directories and add those directories to system or user PATH during normal package installation
- Legitimate embedded or OEM software that ships with poorly constructed service installers omitting path quoting, particularly older industrial control or point-of-sale software
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Create Vulnerable Unquoted Service Path via Registry
  Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject = HKLM\SYSTEM\CurrentControlSet\Services\df00techVulnSvc\ImagePath, Details = 'C:\Program Files\Vulnerable App\service.exe' (note: no leading quote character). Initiating process will be reg.exe or the calling shell. Security Event ID 4657 (registry value modified) if object access auditing is enabled.
- Test 2: PATH Environment Variable Hijack — Prepend User-Writable Directory
  Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject = HKEY_CURRENT_USER\Environment\Path, Details contains 'C:\Temp\PathHijackTest' as a prefix before standard system directories. Initiating process will be powershell.exe. If Sysmon registry monitoring is not deployed, Security Event ID 4657 may capture this if SACL auditing is configured on HKCU\Environment.
- Test 3: Search Order Hijacking — Rogue Binary in Application Directory
  Expected signal: Sysmon Event ID 11 (FileCreate): TargetFilename = C:\Temp\SearchOrderTest\net.exe, Image = cmd.exe or the copy command. Sysmon Event ID 1 (Process Create): Image = C:\Temp\SearchOrderTest\net.exe, initiated from cmd.exe with working directory C:\Temp\SearchOrderTest. Note: Windows 10/11 may resolve the fully qualified system net.exe first; the result depends on system configuration and whether the CurrentDirectory search order applies.
- Test 4: Unquoted Path Privilege Escalation Simulation — Interceptable Path Position
  Expected signal: Sysmon Event ID 11 (FileCreate): TargetFilename = C:\Program.exe, Image = cmd.exe or the copy command. Security Event ID 4663 (object access) if file system auditing is enabled on C:\. File creation at the C:\ root is unusual and should stand out in file creation baselines; legitimate software rarely creates executable files directly at the root of the system drive.
References (12)
- https://attack.mitre.org/techniques/T1034/
- https://attack.mitre.org/techniques/T1574/007/
- https://attack.mitre.org/techniques/T1574/008/
- https://attack.mitre.org/techniques/T1574/009/
- https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464
- https://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/
- https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/
- https://blogs.technet.microsoft.com/srd/2014/04/08/ms14-019-fixing-a-binary-hijacking-via-cmd-or-bat-file/
- https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/sc-create
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set