Detect Path Interception in Sumo Logic CSE
**Deprecated — superseded by T1574.007 (PATH Environment Variable), T1574.008 (Search Order Hijacking), and T1574.009 (Unquoted Path).** Path Interception occurs when an adversary places an executable in a specific filesystem location so that it is resolved and executed instead of the intended system binary. Three distinct variants are covered: **Unquoted Paths:** Service or shortcut paths containing spaces without surrounding quotation marks allow Windows to attempt higher-level path components first during binary resolution. If a service ImagePath is `C:\Program Files\My App\svc.exe` (unquoted), Windows tries `C:\Program.exe` before reaching the intended binary. Adversaries plant malicious executables at these interceptable positions to run with the service's privilege level on next service start or system restart. **PATH Environment Variable Misconfiguration:** If adversary-controlled directories appear in the PATH environment variable before `C:\Windows\system32`, executables placed there with names matching Windows utilities (cmd.exe, net.exe, powershell.exe) will execute preferentially whenever those tools are invoked without a fully qualified path — from scripts, scheduled tasks, or applications. **Search Order Hijacking:** Windows searches the calling application's directory (and the current working directory for cmd.exe invocations) before system directories when resolving unqualified binary names. Placing a malicious binary named after a system tool in an application's working directory causes it to execute instead of the real utility, enabling both persistence and privilege escalation if the calling application runs elevated.
MITRE ATT&CK
- Tactic
- Persistence Privilege Escalation
- Canonical reference
- https://attack.mitre.org/techniques/T1034/
Sumo Detection Query
(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security" OR _sourceCategory="os/windows")
| where EventCode in ("1", "13", "4688")
/* Parse Sysmon Process Create fields */
| parse field=EventData "<Data Name='Image'>*</Data>" as Image nodrop
| parse field=EventData "<Data Name='CommandLine'>*</Data>" as CommandLine nodrop
| parse field=EventData "<Data Name='ParentImage'>*</Data>" as ParentImage nodrop
| parse field=EventData "<Data Name='ParentCommandLine'>*</Data>" as ParentCommandLine nodrop
/* Parse Sysmon Registry fields */
| parse field=EventData "<Data Name='TargetObject'>*</Data>" as TargetObject nodrop
| parse field=EventData "<Data Name='Details'>*</Data>" as RegistryDetails nodrop
/* Parse account name from either event type */
| parse field=EventData "<Data Name='User'>*</Data>" as AccountName nodrop
| parse field=EventData "<Data Name='SubjectUserName'>*</Data>" as SubjectUserName nodrop
| where
/* Signal 1: System binary name executed outside canonical Windows directories */
(
EventCode in ("1", "4688")
and (
Image matches "*\\cmd.exe" or Image matches "*\\net.exe" or
Image matches "*\\net1.exe" or Image matches "*\\powershell.exe" or
Image matches "*\\ipconfig.exe" or Image matches "*\\whoami.exe" or
Image matches "*\\ping.exe" or Image matches "*\\tasklist.exe" or
Image matches "*\\sc.exe" or Image matches "*\\reg.exe" or
Image matches "*\\msiexec.exe" or Image matches "*\\wscript.exe" or
Image matches "*\\cscript.exe" or Image matches "*\\rundll32.exe" or
Image matches "*\\regsvr32.exe" or Image matches "*\\certutil.exe" or
Image matches "*\\msbuild.exe" or Image matches "*\\wmic.exe" or
Image matches "*\\schtasks.exe" or Image matches "*\\systeminfo.exe" or
Image matches "*\\netstat.exe" or Image matches "*\\bitsadmin.exe"
)
and !(Image matches "C:\\Windows\\*")
and !(Image matches "C:\\Program Files\\*")
and !(Image matches "C:\\Program Files (x86)\\*")
and !(Image matches "C:\\ProgramData\\Microsoft\\*")
)
or
/* Signal 2: PATH environment variable modified to include user-writable location */
(
EventCode == "13"
and (
TargetObject matches "*\\Control\\Session Manager\\Environment\\Path"
or TargetObject matches "*HKCU\\Environment\\Path"
or TargetObject matches "*HKEY_CURRENT_USER\\Environment\\Path"
)
and (
RegistryDetails matches "*C:\\Users\\*"
or RegistryDetails matches "*C:\\Temp\\*"
or RegistryDetails matches "*%USERPROFILE%*"
or RegistryDetails matches "*%TEMP%*"
or RegistryDetails matches "*%TMP%*"
or RegistryDetails matches "*%APPDATA%*"
or RegistryDetails matches "*C:\\Windows\\Temp\\*"
)
)
or
/* Signal 3: Unquoted service ImagePath with spaces */
(
EventCode == "13"
and TargetObject matches "*\\Services\\*\\ImagePath"
and !(RegistryDetails matches "\"*")
and RegistryDetails matches "* *.exe*"
)
| eval SignalType = if(
EventCode in ("1", "4688"), "BinaryNameHijack",
if(
EventCode == "13" and TargetObject matches "*Environment*Path*",
"PATHEnvironmentHijack",
if(
EventCode == "13" and TargetObject matches "*Services*ImagePath*",
"UnquotedServicePath",
"Unknown"
)
)
)
| eval AffectedPath = if(!isNull(Image) and Image != "", Image, TargetObject)
| eval RelevantData = if(!isNull(CommandLine) and CommandLine != "", CommandLine, RegistryDetails)
| eval EffectiveUser = if(!isNull(AccountName) and AccountName != "", AccountName, SubjectUserName)
| table _messageTime, Computer, EffectiveUser, SignalType, AffectedPath, RelevantData, ParentImage, ParentCommandLine
| sort by _messageTime descSumo Logic query detecting T1034 Path Interception across Sysmon EID 1 (process create), EID 13 (registry value set), and Security EID 4688 (process create) events. Covers binary name hijacking via non-standard execution paths, PATH environment variable registry manipulation to insert user-writable directories, and unquoted service ImagePath values with embedded spaces that allow privilege escalation via path component resolution.
Data Sources
Required Tables
False Positives & Tuning
- Authorized red team or penetration testing engagements where testers stage binaries in staging directories and use known system utility names as payloads during sanctioned testing windows
- VDI or RDS environments with roaming profiles where user-local application installations place PATH entries pointing to %APPDATA% or %USERPROFILE% directories for personalized toolchain setup
- Legacy or industrial software (SCADA, HMI, medical devices) with service installers from older software generations that do not quote service paths containing spaces, a long-standing Windows packaging defect
Other platforms for T1034
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Vulnerable Unquoted Service Path via Registry
Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject = HKLM\SYSTEM\CurrentControlSet\Services\df00techVulnSvc\ImagePath, Details = 'C:\Program Files\Vulnerable App\service.exe' (note: no leading quote character). Initiating process will be reg.exe or the calling shell. Security Event ID 4657 (registry value modified) if object access auditing is enabled.
- Test 2PATH Environment Variable Hijack — Prepend User-Writable Directory
Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject = HKEY_CURRENT_USER\Environment\Path, Details contains 'C:\Temp\PathHijackTest' as a prefix before standard system directories. Initiating process will be powershell.exe. If Sysmon registry monitoring is not deployed, Security Event ID 4657 may capture this if SACL auditing is configured on HKCU\Environment.
- Test 3Search Order Hijacking — Rogue Binary in Application Directory
Expected signal: Sysmon Event ID 11 (FileCreate): TargetFilename = C:\Temp\SearchOrderTest\net.exe, Image = cmd.exe or the copy command. Sysmon Event ID 1 (Process Create): Image = C:\Temp\SearchOrderTest\net.exe, initiated from cmd.exe with working directory C:\Temp\SearchOrderTest. Note: Windows 10/11 may resolve the fully qualified system net.exe first; result depends on system configuration and whether CurrentDirectory search order applies.
- Test 4Unquoted Path Privilege Escalation Simulation — Interceptable Path Position
Expected signal: Sysmon Event ID 11 (FileCreate): TargetFilename = C:\Program.exe, Image = cmd.exe or the copy command. Security Event ID 4663 (object access) if file system auditing is enabled on C:\. The file creation at C:\ root is unusual and should stand out in file creation baselines — legitimate software rarely creates executable files directly at the root of the system drive.
References (12)
- https://attack.mitre.org/techniques/T1034/
- https://attack.mitre.org/techniques/T1574/007/
- https://attack.mitre.org/techniques/T1574/008/
- https://attack.mitre.org/techniques/T1574/009/
- https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464
- https://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/
- https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/
- https://blogs.technet.microsoft.com/srd/2014/04/08/ms14-019-fixing-a-binary-hijacking-via-cmd-or-bat-file/
- https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/sc-create
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set
Unlock Pro Content
Get the full detection package for T1034 including response playbook, investigation guide, and atomic red team tests.