title: Path Interception (T1034)
id: df00tech-t1034
status: experimental
description: |
  **Deprecated — superseded by T1574.007 (PATH Environment Variable), T1574.008 (Search Order Hijacking), and T1574.009 (Unquoted Path).**

  Path Interception occurs when an adversary places an executable in a specific filesystem location so that it is resolved and executed instead of the intended system binary. Three distinct variants are covered:

  **Unquoted Paths:** Service or shortcut paths containing spaces without surrounding quotation marks allow Windows to attempt higher-level path components first during binary resolution. If a service ImagePath is `C:\Program Files\My App\svc.exe` (unquoted), Windows tries `C:\Program.exe` before reaching the intended binary. Adversaries plant malicious executables at these interceptable positions to run with the service's privilege level on the next service start or system restart.

  **PATH Environment Variable Misconfiguration:** If adversary-controlled directories appear in the PATH environment variable before `C:\Windows\system32`, executables placed there with names matching Windows utilities (cmd.exe, net.exe, powershell.exe) will execute preferentially whenever those tools are invoked without a fully qualified path — from scripts, scheduled tasks, or applications.

  **Search Order Hijacking:** Windows searches the calling application's directory (and the current working directory for cmd.exe invocations) before system directories when resolving unqualified binary names. Placing a malicious binary named after a system tool in an application's working directory causes it to execute instead of the real utility, enabling both persistence and privilege escalation if the calling application runs elevated.
references:
  - https://attack.mitre.org/techniques/T1034/
  - https://df00tech.com/detections/T1034
author: df00tech
date: 2026/04/16
tags:
  - attack.t1034
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Portable application suites (development toolchains, embedded Python/Perl distributions, security scanner bundles) that ship their own cmd.exe, net.exe, or powershell.exe stubs in non-standard install directories"
  - "Software installers that temporarily prepend their bin or temp directory to PATH during installation and revert on completion — generates transient PATHEnvironmentHijack signals"
  - "Configuration management tools (Chef, Puppet, Ansible WinRM, SCCM) that create service registry entries programmatically, sometimes producing transient unquoted ImagePath values before a subsequent fixup write"
  - "Virtualisation and container software (Docker Desktop, VirtualBox, WSL2) that intentionally prepend shim directories to PATH to intercept and redirect tool invocations as a designed feature"
level: high
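The three resolution rules in the description above (unquoted service paths, PATH precedence, and application-directory search order), as an added Python audit example. This is not df00tech's rule logic or the KQL/SPL query it refers to; every service name, ImagePath, PATH string and file listing below is constructed sample data. On a real host the ImagePath values would come from the Services registry keys and the PATH string from the live environment; the filesystem check is simulated with a set of file names so the code runs offline.

```python
"""Audit helpers for the three Path Interception variants described in the
rule above. Added example, not df00tech rule logic; every ImagePath, PATH
string and file listing below is constructed sample data."""
import ntpath
from typing import Dict, List, Optional, Set

SYSTEM32 = r"C:\Windows\system32"


def unquoted_path_candidates(image_path: str) -> List[str]:
    """Binaries Windows tries, in order, for a command line with spaces.

    Each space-delimited prefix is attempted with '.exe' appended until a
    prefix that already ends in '.exe' is reached (the intended binary).
    Every entry before the last one is an interception point. A quoted
    path has exactly one candidate.
    """
    cmd = image_path.strip()
    if cmd.startswith('"'):
        close = cmd.find('"', 1)
        return [cmd[1:close] if close != -1 else cmd[1:]]
    tokens = cmd.split(" ")
    candidates: List[str] = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)  # intended binary; the rest are arguments
            break
        candidates.append(prefix + ".exe")
    return candidates


def audit_services(image_paths: Dict[str, str]) -> Dict[str, List[str]]:
    """Map service name -> interception points for unquoted ImagePath values."""
    findings: Dict[str, List[str]] = {}
    for service, image in image_paths.items():
        candidates = unquoted_path_candidates(image)
        if len(candidates) > 1:
            findings[service] = candidates[:-1]
    return findings


def path_entries_before_system32(path_env: str) -> List[str]:
    """PATH entries that precede the system32 entry, in order.

    A binary named like a Windows utility in any of them shadows the real
    one for commands resolved through PATH (cmd.exe checks the current
    directory, then each PATH entry in order).
    """
    before: List[str] = []
    for entry in path_env.split(";"):
        entry = entry.strip().rstrip("\\")
        if not entry:
            continue
        if entry.lower() == SYSTEM32.lower():
            break
        before.append(entry)
    return before


def cmd_search_order(cwd: str, path_env: str) -> List[str]:
    """Directories cmd.exe consults for an unqualified command name."""
    return [cwd] + [e.strip() for e in path_env.split(";") if e.strip()]


def app_search_order(app_dir: str, cwd: str, path_env: str) -> List[str]:
    """Directories consulted when an application launches a tool by bare
    name: its own directory first, then the cmd.exe order."""
    return [app_dir] + cmd_search_order(cwd, path_env)


def resolve_unqualified(name: str, search_dirs: List[str],
                        existing: Set[str]) -> Optional[str]:
    """Simulate resolution of a bare binary name over search_dirs against a
    constructed, case-insensitive set of files that exist on the host."""
    present = {f.lower() for f in existing}
    for directory in search_dirs:
        candidate = ntpath.join(directory, name)
        if candidate.lower() in present:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample data: one quoted and one unquoted service path,
    # a PATH with a non-system directory ahead of system32, and two net.exe copies.
    services = {
        "GoodSvc": r'"C:\Program Files\Good\svc.exe" -k good',
        "BadSvc": r"C:\Program Files\My App\svc.exe",
    }
    path_env = r"C:\Tools\bin;C:\Windows\system32;C:\Windows"
    files = {r"C:\Apps\Tool\net.exe", r"C:\Windows\system32\net.exe"}

    print("unquoted-path interception points:", audit_services(services))
    print("PATH entries ahead of system32:", path_entries_before_system32(path_env))
    app_order = app_search_order(r"C:\Apps\Tool", r"C:\Users\u", path_env)
    print("net.exe launched by app in C:\\Apps\\Tool:",
          resolve_unqualified("net.exe", app_order, files))
    cmd_order = cmd_search_order(r"C:\Users\u", path_env)
    print("net.exe from cmd.exe in C:\\Users\\u:",
          resolve_unqualified("net.exe", cmd_order, files))
```

The interception points reported by `audit_services` are only exploitable where the directory holding the candidate (here `C:\` and `C:\Program Files\`) is writable by a lower-privileged account, so a real audit pairs this output with an ACL check on each candidate's parent directory; the two `resolve_unqualified` calls show the same bare name resolving to different files depending only on the directory order, which is the condition the process_creation telemetry in this rule is meant to surface.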
