Detect Path Interception by PATH Environment Variable in Splunk
Adversaries may intercept execution by placing a malicious binary in an earlier directory of the PATH environment variable than the legitimate binary. When a program calls another program without specifying its full path, the OS searches PATH entries sequentially and executes the first matching binary found. On Windows, if an adversary creates C:\evil\net.exe and the PATH includes C:\evil before C:\Windows\System32, the malicious net.exe runs instead of the legitimate one. DarkGate abused this by setting HKCU\Environment\windir to a malicious path, causing DiskCleanup scheduled tasks to execute its payload. On Linux/macOS, modifying ~/.bashrc, /etc/profile, or /etc/paths.d achieves similar results. PowerSploit and Empire include PATH interception modules for privilege escalation.
MITRE ATT&CK
- Technique
- T1574 Hijack Execution Flow
- Sub-technique
- T1574.007 Path Interception by PATH Environment Variable
- Canonical reference
- https://attack.mitre.org/techniques/T1574/007/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13
| where TargetObject like "%\\Environment\\Path" OR TargetObject like "%\\Environment\\windir" OR TargetObject like "%\\Environment\\SystemRoot"
| where NOT (Image like "%msiexec.exe" OR Image like "%setup.exe" OR Image like "%services.exe" OR Image like "%svchost.exe")
| eval SuspiciousValue=if(
match(lower(Details), "(temp|appdata|public|users\\\\|programdata)"),
1, 0)
| table _time, host, User, TargetObject, Details, Image, SuspiciousValue
| sort - _timeDetects registry modifications to PATH and related environment variables using Sysmon EventCode 13 (Registry Value Set). Flags modifications that include suspicious directory paths (Temp, AppData, Public, ProgramData) in the PATH value — these are writable directories where an adversary could plant malicious binaries that would take precedence over system utilities.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Software installers adding installation directories to PATH
- Development environment setup tools (nvm, pyenv, rbenv) modifying PATH
- Package managers (chocolatey, winget, scoop) adding bin directories to PATH
- Enterprise deployment tools modifying user environment variables
Other platforms for T1574.007
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PATH Interception via HKCU\Environment windir Override (DarkGate Technique)
Expected signal: Sysmon Event ID 13 (Registry Value Set): HKCU\Environment\windir modified to point to TEMP directory. Security Event ID 4657 (if registry auditing enabled). Any subsequent execution of DiskCleanup or other %windir%-dependent utilities would resolve to the TEMP directory.
- Test 2Add Malicious Directory to Beginning of User PATH
Expected signal: Sysmon Event ID 13: HKCU\Environment\Path registry value modified, new value starts with %TEMP%. The modification is persistent across the current user's sessions until reversed. Any new cmd.exe process that doesn't use full path would search TEMP first.
- Test 3Linux PATH Hijacking via ~/.bashrc
Expected signal: File creation events for /tmp/path-hijack/ls (executable in temp directory named as system utility). Modification of ~/.bashrc (shell configuration file). New shell sessions that source ~/.bashrc will execute hijacked ls. Auditd would log the file creation and bashrc modification.
References (4)
Unlock Pro Content
Get the full detection package for T1574.007 including response playbook, investigation guide, and atomic red team tests.