Detect Path Interception by PATH Environment Variable in Sumo Logic CSE
Adversaries may intercept execution by placing a malicious binary in an earlier directory of the PATH environment variable than the legitimate binary. When a program calls another program without specifying its full path, the OS searches PATH entries sequentially and executes the first matching binary found. On Windows, if an adversary creates C:\evil\net.exe and the PATH includes C:\evil before C:\Windows\System32, the malicious net.exe runs instead of the legitimate one. DarkGate abused this by setting HKCU\Environment\windir to a malicious path, causing DiskCleanup scheduled tasks to execute its payload. On Linux/macOS, modifying ~/.bashrc, /etc/profile, or /etc/paths.d achieves similar results. PowerSploit and Empire include PATH interception modules for privilege escalation.
MITRE ATT&CK
- Technique
- T1574 Hijack Execution Flow
- Sub-technique
- T1574.007 Path Interception by PATH Environment Variable
- Canonical reference
- https://attack.mitre.org/techniques/T1574/007/
Sumo Detection Query
_sourceCategory=*sysmon*
| json auto
| where EventCode in ("1","11")
| eval FilePath = if(EventCode = "1", Image, TargetFilename)
| where matches(lower(FilePath), "\\temp\\")
| where matches(lower(FilePath), "(\.exe|\.dll)$")
| eval IsInstaller = if(EventCode = "1" and matches(lower(Image), "(setup|install|msiexec|update)"), "true", "false")
| eval IsBinaryCreate = if(EventCode = "11", "true", "false")
| where User != "NT AUTHORITY\SYSTEM" and !isNull(User)
| eval RiskScore = if(IsInstaller = "true" or IsBinaryCreate = "true", 75, 40)
| stats values(EventCode) AS EventTypes, values(FilePath) AS Files, count AS EventCount by _sourceHost, User, _timeslice 10m
| where EventCount > 1
| sort by EventCount descSumo Logic detection for Path Interception by PATH Environment Variable. Detects PATH environment variable modification via registry changes to HKCU or HKLM Environment keys. Focuses on modifications to PATH, windir, SystemRoot, and temp variables which are commonly abused
Data Sources
Required Tables
False Positives & Tuning
- Multi-stage installers that legitimately modify components in TEMP during installation
- Enterprise deployment solutions staging installer binaries in temporary locations
- Self-updating applications that patch their own binaries before running them
- Software that extracts and immediately executes components from archives
Other platforms for T1574.007
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PATH Interception via HKCU\Environment windir Override (DarkGate Technique)
Expected signal: Sysmon Event ID 13 (Registry Value Set): HKCU\Environment\windir modified to point to TEMP directory. Security Event ID 4657 (if registry auditing enabled). Any subsequent execution of DiskCleanup or other %windir%-dependent utilities would resolve to the TEMP directory.
- Test 2Add Malicious Directory to Beginning of User PATH
Expected signal: Sysmon Event ID 13: HKCU\Environment\Path registry value modified, new value starts with %TEMP%. The modification is persistent across the current user's sessions until reversed. Any new cmd.exe process that doesn't use full path would search TEMP first.
- Test 3Linux PATH Hijacking via ~/.bashrc
Expected signal: File creation events for /tmp/path-hijack/ls (executable in temp directory named as system utility). Modification of ~/.bashrc (shell configuration file). New shell sessions that source ~/.bashrc will execute hijacked ls. Auditd would log the file creation and bashrc modification.
References (4)
Unlock Pro Content
Get the full detection package for T1574.007 including response playbook, investigation guide, and atomic red team tests.