Detect Path Interception by Search Order Hijacking in IBM QRadar
Adversaries may execute their own malicious payloads by hijacking the search order Windows uses to find programs called without a full path. When an executable calls a program by name only (e.g., 'net user' rather than 'C:\Windows\System32\net.exe user'), Windows first searches the current directory of the calling program, then the directories in PATH. An adversary who places a binary named 'net.exe' or 'net.com' (PATHEXT ordering: .COM before .EXE) in the same directory as the calling application will have their binary executed. Empire and PowerSploit both include modules to discover and exploit search order hijacking vulnerabilities across the system.
MITRE ATT&CK
- Technique
- T1574 Hijack Execution Flow
- Sub-technique
- T1574.008 Path Interception by Search Order Hijacking
- Canonical reference
- https://attack.mitre.org/techniques/T1574/008/
QRadar Detection Query
SELECT
DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
sourceip AS HostIP, username,
"CommandLine", "Image" AS ProcessImage,
"TargetFilename" AS ModifiedFile,
CASE
WHEN "TargetFilename" ILIKE '%\\temp\\%.exe' AND eventid = 11 THEN 90
WHEN "TargetFilename" ILIKE '%\\temp\\%.dll' AND eventid = 11 THEN 80
ELSE 50
END AS RiskScore,
CASE
WHEN eventid = 11 AND "TargetFilename" ILIKE '%\\temp\\%.exe' THEN 'EXE Created in Temp'
WHEN eventid = 1 AND "Image" ILIKE '%\\temp\\%' THEN 'Elevated Execution from Temp'
ELSE 'Suspicious File Activity'
END AS AlertType
FROM events
WHERE eventid IN (1, 11)
AND ("Image" ILIKE '%\\temp\\%' OR "TargetFilename" ILIKE '%\\temp\\%')
AND ("Image" ILIKE '%.exe%' OR "TargetFilename" ILIKE '%.exe' OR "TargetFilename" ILIKE '%.dll')
AND username NOT ILIKE '%SYSTEM%'
AND username NOT ILIKE '%TrustedInstaller%'
AND LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
ORDER BY RiskScore DESC
LAST 24 HOURSQRadar AQL detection for Path Interception by Search Order Hijacking. Detects system binary names (net.exe, cmd.exe, powershell.exe, etc.) executing from non-system directories. Windows search order hijacking relies on a copy of a commonly-invoked binary being placed in
Data Sources
Required Tables
False Positives & Tuning
- Legitimate multi-stage installer processes that modify binaries during installation
- Enterprise software deployment (SCCM, Intune) staging binaries in temp directories
- Self-updating applications modifying their own components
- Antivirus software modifying installer files during remediation
Other platforms for T1574.008
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Fake Net.exe in Application Directory
Expected signal: Sysmon Event ID 11 (FileCreate): net.exe created in TEMP subdirectory. If subsequently executed: Sysmon Event ID 1 showing net.exe running from %TEMP%\vulnerable-app rather than System32.
- Test 2Search Order Hijacking via .COM Extension (PATHEXT)
Expected signal: Process creation events showing test.com executed instead of test.exe when called by name only. The CurrentDirectory in the process creation event shows the TEMP directory.
- Test 3PowerSploit Find-PathDLLHijack Discovery
Expected signal: Sysmon Event ID 1: powershell.exe with PATH enumeration command. Sysmon Event ID 11: temporary test files created and deleted in writable PATH directories. PowerShell ScriptBlock Log Event ID 4104 with the enumeration script.
References (4)
- https://attack.mitre.org/techniques/T1574/008/
- https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
- https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md
Unlock Pro Content
Get the full detection package for T1574.008 including response playbook, investigation guide, and atomic red team tests.