Detect Path Interception by PATH Environment Variable in Google Chronicle
Adversaries may intercept execution by placing a malicious binary in an earlier directory of the PATH environment variable than the legitimate binary. When a program calls another program without specifying its full path, the OS searches PATH entries sequentially and executes the first matching binary found. On Windows, if an adversary creates C:\evil\net.exe and the PATH includes C:\evil before C:\Windows\System32, the malicious net.exe runs instead of the legitimate one. DarkGate abused this by setting HKCU\Environment\windir to a malicious path, causing DiskCleanup scheduled tasks to execute its payload. On Linux/macOS, modifying ~/.bashrc, /etc/profile, or /etc/paths.d achieves similar results. PowerSploit and Empire include PATH interception modules for privilege escalation.
MITRE ATT&CK
- Technique
- T1574 Hijack Execution Flow
- Sub-technique
- T1574.007 Path Interception by PATH Environment Variable
- Canonical reference
- https://attack.mitre.org/techniques/T1574/007/
YARA-L Detection Query
rule T1574_007_hijack_execution {
meta:
author = "Detection Engineering"
description = "Detects execution flow hijacking via installer or DLL path manipulation"
severity = "high"
confidence = "medium"
mitre_attack = "T1574.007"
reference = "https://attack.mitre.org/techniques/T1574/007/"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
(
re.regex($e.target.process.file.full_path, `(?i)\\temp\\.*\.exe`) or
re.regex($e.target.process.file.full_path, `(?i)\\appdata\\.*\.exe`)
)
not re.regex($e.principal.process.file.full_path, `(?i)(msiexec|trustedinstaller|wusa|dpinst)`)
not $e.principal.user.user_display_name = "SYSTEM"
condition:
$e
}Google Chronicle YARA-L 2.0 detection for Path Interception by PATH Environment Variable. Detects PATH environment variable modification via registry changes to HKCU or HKLM Environment keys. Focuses on modifications to PATH, windir, SystemRoot, and temp variables which are commonly abused
Data Sources
Required Tables
False Positives & Tuning
- Legitimate multi-stage installer processes that modify binaries during installation phases
- Enterprise software deployment tools staging installer components in temp directories
- Self-updating applications that download and replace their own binaries
- Archive utilities that extract executables to temp before running them
Other platforms for T1574.007
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PATH Interception via HKCU\Environment windir Override (DarkGate Technique)
Expected signal: Sysmon Event ID 13 (Registry Value Set): HKCU\Environment\windir modified to point to TEMP directory. Security Event ID 4657 (if registry auditing enabled). Any subsequent execution of DiskCleanup or other %windir%-dependent utilities would resolve to the TEMP directory.
- Test 2Add Malicious Directory to Beginning of User PATH
Expected signal: Sysmon Event ID 13: HKCU\Environment\Path registry value modified, new value starts with %TEMP%. The modification is persistent across the current user's sessions until reversed. Any new cmd.exe process that doesn't use full path would search TEMP first.
- Test 3Linux PATH Hijacking via ~/.bashrc
Expected signal: File creation events for /tmp/path-hijack/ls (executable in temp directory named as system utility). Modification of ~/.bashrc (shell configuration file). New shell sessions that source ~/.bashrc will execute hijacked ls. Auditd would log the file creation and bashrc modification.
References (4)
Unlock Pro Content
Get the full detection package for T1574.007 including response playbook, investigation guide, and atomic red team tests.