T1574.007 IBM QRadar · QRadar

Detect Path Interception by PATH Environment Variable in IBM QRadar

Adversaries may intercept execution by placing a malicious binary in an earlier directory of the PATH environment variable than the legitimate binary. When a program calls another program without specifying its full path, the OS searches PATH entries sequentially and executes the first matching binary found. On Windows, if an adversary creates C:\evil\net.exe and the PATH includes C:\evil before C:\Windows\System32, the malicious net.exe runs instead of the legitimate one. DarkGate abused this by setting HKCU\Environment\windir to a malicious path, causing DiskCleanup scheduled tasks to execute its payload. On Linux/macOS, modifying ~/.bashrc, /etc/profile, or /etc/paths.d achieves similar results. PowerSploit and Empire include PATH interception modules for privilege escalation.

MITRE ATT&CK

Tactic
Persistence Privilege Escalation Defense Evasion
Technique
T1574 Hijack Execution Flow
Sub-technique
T1574.007 Path Interception by PATH Environment Variable
Canonical reference
https://attack.mitre.org/techniques/T1574/007/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS HostIP, username,
  "CommandLine", "Image" AS ProcessImage,
  "TargetFilename" AS ModifiedFile,
  CASE
    WHEN "TargetFilename" ILIKE '%\\temp\\%.exe' AND eventid = 11 THEN 90
    WHEN "TargetFilename" ILIKE '%\\temp\\%.dll' AND eventid = 11 THEN 80
    ELSE 50
  END AS RiskScore,
  CASE
    WHEN eventid = 11 AND "TargetFilename" ILIKE '%\\temp\\%.exe' THEN 'EXE Created in Temp'
    WHEN eventid = 1 AND "Image" ILIKE '%\\temp\\%' THEN 'Elevated Execution from Temp'
    ELSE 'Suspicious File Activity'
  END AS AlertType
FROM events
WHERE eventid IN (1, 11)
  AND ("Image" ILIKE '%\\temp\\%' OR "TargetFilename" ILIKE '%\\temp\\%')
  AND ("Image" ILIKE '%.exe%' OR "TargetFilename" ILIKE '%.exe' OR "TargetFilename" ILIKE '%.dll')
  AND username NOT ILIKE '%SYSTEM%'
  AND username NOT ILIKE '%TrustedInstaller%'
  AND LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
ORDER BY RiskScore DESC
LAST 24 HOURS
high severity medium confidence

QRadar AQL detection for Path Interception by PATH Environment Variable. Detects PATH environment variable modification via registry changes to HKCU or HKLM Environment keys. Focuses on modifications to PATH, windir, SystemRoot, and temp variables which are commonly abused

Data Sources

Sysmon Event ID 1Sysmon Event ID 11

Required Tables

events

False Positives & Tuning

  • Legitimate multi-stage installer processes that modify binaries during installation
  • Enterprise software deployment (SCCM, Intune) staging binaries in temp directories
  • Self-updating applications modifying their own components
  • Antivirus software modifying installer files during remediation
Download portable Sigma rule (.yml)

Other platforms for T1574.007

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PATH Interception via HKCU\Environment windir Override (DarkGate Technique)

    Expected signal: Sysmon Event ID 13 (Registry Value Set): HKCU\Environment\windir modified to point to TEMP directory. Security Event ID 4657 (if registry auditing enabled). Any subsequent execution of DiskCleanup or other %windir%-dependent utilities would resolve to the TEMP directory.

  2. Test 2Add Malicious Directory to Beginning of User PATH

    Expected signal: Sysmon Event ID 13: HKCU\Environment\Path registry value modified, new value starts with %TEMP%. The modification is persistent across the current user's sessions until reversed. Any new cmd.exe process that doesn't use full path would search TEMP first.

  3. Test 3Linux PATH Hijacking via ~/.bashrc

    Expected signal: File creation events for /tmp/path-hijack/ls (executable in temp directory named as system utility). Modification of ~/.bashrc (shell configuration file). New shell sessions that source ~/.bashrc will execute hijacked ls. Auditd would log the file creation and bashrc modification.

Last updated: 2026-03-11 Research depth: deep
References (4)

Unlock Pro Content

Get the full detection package for T1574.007 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1574Hijack Execution Flow

Related Sub-techniques

T1574.001DLLT1574.004Dylib HijackingT1574.005Executable Installer File Permissions WeaknessT1574.006Dynamic Linker HijackingT1574.008Path Interception by Search Order HijackingT1574.009Path Interception by Unquoted PathT1574.010Services File Permissions WeaknessT1574.011Services Registry Permissions WeaknessT1574.012COR_PROFILERT1574.013KernelCallbackTableT1574.014AppDomainManager

Related Techniques

T1574.008Path Interception by Search Order HijackingT1574.009Path Interception by Unquoted PathT1546.004Unix Shell Configuration ModificationT1053.005Scheduled TaskT1548.002Bypass User Account Control

Same Tactic: Persistence

Popular Detections