T1574.007 Microsoft Sentinel · KQL

Detect Path Interception by PATH Environment Variable in Microsoft Sentinel

Adversaries may intercept execution by placing a malicious binary in an earlier directory of the PATH environment variable than the legitimate binary. When a program calls another program without specifying its full path, the OS searches PATH entries sequentially and executes the first matching binary found. On Windows, if an adversary creates C:\evil\net.exe and the PATH includes C:\evil before C:\Windows\System32, the malicious net.exe runs instead of the legitimate one. DarkGate abused this by setting HKCU\Environment\windir to a malicious path, causing DiskCleanup scheduled tasks to execute its payload. On Linux/macOS, modifying ~/.bashrc, /etc/profile, or /etc/paths.d achieves similar results. PowerSploit and Empire include PATH interception modules for privilege escalation.

MITRE ATT&CK

Tactic
Persistence · Privilege Escalation · Defense Evasion
Technique
T1574 Hijack Execution Flow
Sub-technique
T1574.007 Path Interception by PATH Environment Variable
Canonical reference
https://attack.mitre.org/techniques/T1574/007/

KQL Detection Query

Microsoft Sentinel (KQL)
```kusto
let SuspiciousPathChanges = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has "Environment"
| where RegistryValueName in~ ("PATH", "Path", "windir", "SystemRoot", "TEMP", "TMP")
| where not(InitiatingProcessFileName in~ ("msiexec.exe", "setup.exe", "svchost.exe", "services.exe"))
// DeviceId must survive the projection: it is the join key used below
| project Timestamp, DeviceId, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName;
SuspiciousPathChanges
| join kind=leftouter (
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FolderPath !has "C:\\Windows\\"
    | where FolderPath !has "C:\\Program Files"
    // Rename the process-side columns so they do not collide with the registry-side ones
    | project DeviceId, ProcessTimestamp = Timestamp, ProcessFileName = FileName, ProcessFolderPath = FolderPath
) on DeviceId
// Keep only processes launched on that device after the environment change (or no match at all)
| where isnull(ProcessTimestamp) or ProcessTimestamp >= Timestamp
// Collapse the one-to-many join back to one row per registry change
| summarize NonStandardProcessCount = countif(isnotempty(ProcessFileName)),
            NonStandardBinaries = make_set_if(ProcessFolderPath, isnotempty(ProcessFolderPath), 10)
    by Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName
| sort by Timestamp desc
```

Severity: High · Confidence: Medium

Detects PATH environment variable modification via registry changes to the HKCU or HKLM Environment keys. Focuses on modifications to the PATH, windir, SystemRoot, and TEMP/TMP variables, which are commonly abused for path interception, and excludes common legitimate installers. Registry modifications to user environment variables (HKCU) are particularly suspicious because they persist across logon sessions and change which executables are found when scripts or scheduled tasks run.
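As an added example (not part of this page's detection package), the following Python triages constructed Sysmon Event ID 13 records the way an analyst would review the registry hits above: it flags a PATH value only when a user-writable directory is listed ahead of System32, and flags windir/SystemRoot values that point outside C:\Windows. The untrusted-directory list and the event field names are assumptions.

```python
import re

# User-writable locations (constructed list, tune per environment): the classic T1574.007 staging spot.
UNTRUSTED_DIR = re.compile(
    r"^(%temp%|%tmp%|%public%|c:\\temp|c:\\tmp|c:\\users\\public|"
    r"c:\\users\\[^\\]+\\(appdata\\local\\temp|downloads))(\\|$)", re.IGNORECASE)
SYSTEM32 = re.compile(r"^(c:\\windows|%systemroot%|%windir%)\\system32\\?$", re.IGNORECASE)

def untrusted_path_entries(path_value: str) -> list:
    """Return untrusted PATH entries that would be searched before System32."""
    hits = []
    for entry in (e.strip().strip('"') for e in path_value.split(";") if e.strip()):
        if SYSTEM32.match(entry):
            break              # entries after System32 cannot shadow its binaries
        if UNTRUSTED_DIR.match(entry):
            hits.append(entry)
    return hits

def evaluate_event(event: dict):
    """Classify one Sysmon EID 13 (registry value set) event; return a finding string or None."""
    key = event.get("TargetObject", "")
    if event.get("EventID") != 13 or "\\environment\\" not in key.lower():
        return None
    name = key.rsplit("\\", 1)[-1].lower()
    value = event.get("Details", "")
    hive = "HKCU" if key.upper().startswith("HKU\\") else "HKLM"   # Sysmon logs per-user keys as HKU\<SID>
    if name == "path":
        hits = untrusted_path_entries(value)
        if hits:
            return f"{hive} PATH: untrusted entries ahead of System32: {hits}"
    elif name in ("windir", "systemroot"):
        if not re.match(r"^(c:\\windows|%systemroot%)\\?$", value, re.IGNORECASE):
            return f"{hive} {name} redirected to {value!r} (DarkGate-style override)"
    return None

def scan(events: list) -> list:
    return [f for f in map(evaluate_event, events) if f]

# Constructed sample events using Sysmon Event ID 13 field names.
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Environment\Path",
     "Details": r"%TEMP%;%USERPROFILE%\AppData\Local\Microsoft\WindowsApps"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Environment\windir",
     "Details": r"C:\Users\alice\AppData\Local\Temp"},
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Control\Session Manager\Environment\Path",
     "Details": r"C:\Windows\system32;C:\Windows;C:\Users\alice\AppData\Local\Temp"},
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Control\Session Manager\Environment\Path",
     "Details": r"C:\Users\Public\tools;C:\Windows\system32;C:\Windows"},
]
```

Running `scan(SAMPLE_EVENTS)` yields three findings: the HKCU PATH starting with %TEMP%, the HKCU windir override, and the HKLM PATH with a Public directory ahead of System32; the third event is not flagged because its temp entry sits after System32.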

Data Sources

  • Windows Registry: Registry Key Modification
  • Process: Process Creation
  • Microsoft Defender for Endpoint

Required Tables

  • DeviceRegistryEvents
  • DeviceProcessEvents

False Positives & Tuning

  • Software installers legitimately adding their installation directory to the PATH variable
  • Developer tools (Node.js, Python, Go, Rust toolchain) adding binary directories to PATH during installation
  • Enterprise configuration management tools (Ansible, Chef, Puppet) modifying PATH as part of software provisioning
  • Virtual environment tools (virtualenv, conda) that modify PATH to prioritize their own Python interpreter
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: PATH Interception via HKCU\Environment windir Override (DarkGate Technique)

    Expected signal: Sysmon Event ID 13 (Registry Value Set): HKCU\Environment\windir modified to point to TEMP directory. Security Event ID 4657 (if registry auditing enabled). Any subsequent execution of DiskCleanup or other %windir%-dependent utilities would resolve to the TEMP directory.

  2. Test 2: Add Malicious Directory to Beginning of User PATH

    Expected signal: Sysmon Event ID 13: HKCU\Environment\Path registry value modified, new value starts with %TEMP%. The modification is persistent across the current user's sessions until reversed. Any new cmd.exe process that doesn't use full path would search TEMP first.

  3. Test 3: Linux PATH Hijacking via ~/.bashrc

    Expected signal: File creation events for /tmp/path-hijack/ls (executable in temp directory named as system utility). Modification of ~/.bashrc (shell configuration file). New shell sessions that source ~/.bashrc will execute hijacked ls. Auditd would log the file creation and bashrc modification.
