title: Path Interception by PATH Environment Variable (T1574.007)
id: df00tech-t1574-007
status: experimental
description: "Adversaries may intercept execution by placing a malicious binary in a directory that appears earlier in the PATH environment variable than the directory holding the legitimate binary. When a program invokes another program by name rather than by full path, the PATH entries are searched in order and the first matching binary is executed. On Windows, if an adversary creates C:\\evil\\net.exe and the PATH lists C:\\evil before C:\\Windows\\System32, a shell or script that runs net without a full path executes the malicious copy. Note that CreateProcess itself checks the application directory, the current directory and the Windows system directories before consulting PATH, so the PATH order is decisive mainly for lookups performed by cmd.exe, PowerShell and library routines that resolve names through PATH directly. DarkGate used a related environment-variable hijack: it set HKCU\\Environment\\windir to a malicious path so that the DiskCleanup scheduled task, which resolves cleanmgr.exe relative to %windir%, executed its payload instead. On Linux and macOS, prepending directories through ~/.bashrc, /etc/profile, or /etc/paths.d achieves the same effect, as does an empty PATH element, which POSIX shells and execvp treat as the current directory. PowerSploit and Empire include modules that discover and exploit PATH interception opportunities for privilege escalation."
references:
  - https://attack.mitre.org/techniques/T1574/007/
  - https://df00tech.com/detections/T1574.007
author: df00tech
date: 2026/03/11
tags:
  - attack.t1574.007
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # WARNING: the selection below is a placeholder that matches every process_creation
  # event. Replace it with the df00tech query before deploying, or the rule fires on
  # every process start.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Software installers legitimately adding their installation directory to the PATH variable
  - "Developer tools (Node.js, Python, Go, Rust toolchain) adding binary directories to PATH during installation"
  - "Enterprise configuration management tools (Ansible, Chef, Puppet) modifying PATH as part of software provisioning"
  - "Virtual environment tools (virtualenv, conda) that modify PATH to prioritize their own Python interpreter"
level: high
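The following is an added example and is not part of the df00tech rule or its reference query. It applies the PATH search order described in the description to a constructed snapshot of a PATH value and directory contents: it reports binaries in a trusted system directory that an earlier, untrusted entry would shadow, lists the writable entries ahead of the trusted ones where a hijack binary such as C:\evil\net.exe could be planted, and gives a per-event check for process_creation records whose Image runs a system binary name from a non-system directory. The TRUSTED_DIRS sets, the function names and every sample path, listing and event are assumptions made for the example, not data from a real host.

```python
"""Audit helpers for T1574.007 PATH interception (added example, not df00tech code).

Inputs are a PATH string plus a snapshot of directory contents; all sample data
at the bottom is constructed for illustration.
"""
import ntpath
import posixpath

# Directories treated as the legitimate home of system binaries (assumption;
# extend per environment).
TRUSTED_DIRS = {
    "windows": {r"c:\windows\system32", r"c:\windows"},
    "posix": {"/usr/bin", "/bin", "/usr/sbin", "/sbin"},
}


def _norm(path, platform):
    """Canonicalise a directory for comparison (case-folded on Windows)."""
    if platform == "windows":
        return ntpath.normpath(path).lower()
    return posixpath.normpath(path)


def _norm_name(name, platform):
    return name.lower() if platform == "windows" else name


def split_path(path_value, platform):
    """Split PATH in search order. An empty element means the current
    directory for POSIX shells and execvp, so it is kept as '.'."""
    sep = ";" if platform == "windows" else ":"
    return [_norm(raw.strip() or ".", platform) for raw in path_value.split(sep)]


def _norm_listing(listing, platform):
    return {_norm(d, platform): {_norm_name(n, platform) for n in names}
            for d, names in listing.items()}


def find_shadowed(path_value, listing, platform):
    """Return (binary, hijacking_dir, trusted_dir) for every binary in a trusted
    PATH directory that an earlier, untrusted entry also provides. Only the
    first earlier match is reported, which is what a PATH search resolves."""
    entries = split_path(path_value, platform)
    trusted = TRUSTED_DIRS[platform]
    contents = _norm_listing(listing, platform)
    findings = []
    for idx, tdir in enumerate(entries):
        if tdir not in trusted:
            continue
        for name in sorted(contents.get(tdir, ())):
            for earlier in entries[:idx]:
                if earlier not in trusted and name in contents.get(earlier, ()):
                    findings.append((name, earlier, tdir))
                    break
    return findings


def writable_before_trusted(path_value, writable, platform):
    """Untrusted PATH entries that precede a trusted one and that the current
    user can write to: the places a planted net.exe would win the search.
    '.' is always reported because the working directory is attacker-influenced."""
    entries = split_path(path_value, platform)
    trusted = TRUSTED_DIRS[platform]
    wr = {_norm(d, platform) for d in writable}
    last_trusted = max((i for i, d in enumerate(entries) if d in trusted), default=-1)
    if last_trusted < 0:
        return []
    return [d for d in entries[:last_trusted]
            if d not in trusted and (d == "." or d in wr)]


def shadowed_image(event, listing, platform):
    """Per-event form of the check for a process_creation record with an 'Image'
    field: return the trusted directory that ships a binary of the same name when
    the image ran from an untrusted directory, else None."""
    mod = ntpath if platform == "windows" else posixpath
    directory, name = mod.split(event["Image"])
    d, name = _norm(directory, platform), _norm_name(name, platform)
    trusted = TRUSTED_DIRS[platform]
    if d in trusted:
        return None
    contents = _norm_listing(listing, platform)
    for tdir in sorted(trusted):
        if name in contents.get(tdir, ()):
            return tdir
    return None


# Constructed sample data (not captured from a real host).
WIN_PATH = r"C:\Evil;C:\Windows\System32;C:\Windows;C:\Program Files\Git\cmd"
WIN_LISTING = {
    r"C:\Evil": {"net.exe", "whoami.exe"},
    r"C:\Windows\System32": {"net.exe", "whoami.exe", "cmd.exe", "cleanmgr.exe"},
    r"C:\Windows": {"explorer.exe"},
    r"C:\Program Files\Git\cmd": {"git.exe"},
}
WIN_WRITABLE = {r"C:\Evil", r"C:\Program Files\Git\cmd"}
POSIX_PATH = "/home/alice/bin::/usr/local/bin:/usr/bin:/bin"
POSIX_LISTING = {
    "/home/alice/bin": {"sudo"},
    "/usr/local/bin": {"python3"},
    "/usr/bin": {"sudo", "ls", "python3"},
    "/bin": {"ls"},
}
POSIX_WRITABLE = {"/home/alice/bin"}

if __name__ == "__main__":
    print(find_shadowed(WIN_PATH, WIN_LISTING, "windows"))
    print(writable_before_trusted(POSIX_PATH, POSIX_WRITABLE, "posix"))
    print(shadowed_image({"Image": r"C:\Evil\net.exe"}, WIN_LISTING, "windows"))
```

On the constructed POSIX data the audit reports /usr/local/bin/python3 shadowing /usr/bin/python3 alongside the planted sudo in /home/alice/bin; the former is exactly the toolchain and virtualenv case listed under falsepositives, so in practice the report should be filtered by an allowlist of known installer directories rather than by binary name.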
