title: Path Interception by Search Order Hijacking (T1574.008)
id: df00tech-t1574-008
status: experimental
description: "Adversaries may execute their own malicious payloads by hijacking the search order Windows uses to find programs called without a full path. The exact order depends on how the program is launched, but Windows commonly searches the directory of the initiating program (and, for commands run through cmd.exe, the current working directory) before the Windows system directories and the remaining entries in PATH. When an application runs 'net user' instead of 'C:\\Windows\\System32\\net.exe user', an adversary with write access to that application's directory can plant a binary named 'net.exe' there and have it executed in place of the system utility. Because cmd.exe tries the PATHEXT extensions in order (.COM before .EXE), a planted 'net.com' is executed even when the genuine 'net.exe' sits in the same directory. Empire and PowerSploit both include modules to discover and exploit search order hijacking vulnerabilities across the system."
references:
  - https://attack.mitre.org/techniques/T1574/008/
  - https://df00tech.com/detections/T1574.008
author: df00tech
date: 2026/03/11
tags:
  - attack.t1574.008
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder: EventID '*' matches every process_creation event,
  # so replace it with the real logic (system-utility image name outside System32/SysWOW64)
  # before enabling this rule at level high.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Portable toolkits carried by administrators for incident response that ship copies of system utilities under their original names outside System32"
  - Some virtualization or containerization tools that include renamed system binaries
  - "Development environments that ship their own builds of utilities sharing a Windows system binary's name (e.g., Git for Windows places find.exe and sort.exe in its usr\\bin directory)"
  - Security testing tools that deliberately copy system binaries under their own names into application directories for testing purposes
level: high
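
The search-order behaviour the description relies on, and the process_creation check the placeholder selection leaves to the external query, as an added Python example that is not part of the df00tech rule or the MITRE page: `resolve_command` simulates how cmd.exe resolves a bare command name (current directory before PATH, PATHEXT tried in order within each directory), and `is_search_order_hijack` applies the natural detection, an image whose file name matches a monitored system utility but does not live under System32 or SysWOW64. The file layout, PATH entries, monitored utility names and event dicts are constructed for the example, and the Sysmon-style field names (Image, CommandLine, ParentImage) are assumed.

```python
import ntpath

# Default PATHEXT prefix on Windows. cmd.exe tries these in order for a
# bare name, so a planted net.com beats net.exe in the same directory.
PATHEXT = (".com", ".exe", ".bat", ".cmd")

# Directories where the genuine utilities live (lower-cased for comparison).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Utilities commonly invoked by bare name from scripts and installers
# (constructed list; extend per environment).
MONITORED_NAMES = {"net", "cmd", "whoami", "ipconfig", "reg", "sc", "tasklist"}


def resolve_command(name, cwd, path_dirs, present_files):
    """Resolve a bare command name the way cmd.exe does: the current
    directory is searched before every PATH entry, and within each
    directory each PATHEXT extension is tried in order.
    present_files is a set of lower-cased full paths that exist."""
    _stem, ext = ntpath.splitext(name)
    candidates = [name] if ext else [name + e for e in PATHEXT]
    for directory in (cwd, *path_dirs):
        for candidate in candidates:
            full = ntpath.join(directory, candidate).lower()
            if full in present_files:
                return full
    return None


def is_search_order_hijack(event):
    """Flag a process_creation event whose image carries the name of a
    monitored system utility but was not started from a system directory."""
    directory, filename = ntpath.split(event["Image"].lower())
    stem, ext = ntpath.splitext(filename)
    if stem not in MONITORED_NAMES or ext not in (".exe", ".com"):
        return False
    return directory not in SYSTEM_DIRS


def find_hijacks(events):
    """Return the events that match the search-order hijack check."""
    return [e for e in events if is_search_order_hijack(e)]


# Constructed file layout: an attacker has planted net.com next to a
# vendor application that runs "net user" through cmd.exe.
PRESENT_FILES = {
    r"c:\program files\vendorapp\net.com",   # attacker-planted
    r"c:\program files\vendorapp\app.exe",
    r"c:\windows\system32\net.exe",
    r"c:\windows\system32\cmd.exe",
}
PATH_DIRS = [r"c:\windows\system32", r"c:\windows"]

# Constructed process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\VendorApp\net.com",
     "CommandLine": "net user",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files\VendorApp\app.exe",
     "CommandLine": "app.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    # With the application directory as cwd, "net" resolves to the planted net.com.
    print(resolve_command("net", r"c:\program files\vendorapp", PATH_DIRS, PRESENT_FILES))
    # From an unrelated directory the genuine System32 copy is found instead.
    print(resolve_command("net", r"c:\users\alice", PATH_DIRS, PRESENT_FILES))
    for event in find_hijacks(SAMPLE_EVENTS):
        print("ALERT search-order hijack candidate:", event["Image"])
```

Run it directly to see the planted net.com win over System32\net.exe only when the working directory is the application directory, and to see the detector flag exactly that event. The SYSTEM_DIRS allowlist is the same boundary the falsepositives list describes: portable toolkits and development environments that ship utilities under system names outside those two directories will trigger it, so extend the allowlist or add a parent-process condition per environment. The simulation covers cmd.exe's resolution order; a program that calls CreateProcess directly searches its own application directory first and, unless SafeProcessSearchMode is set, the current directory next, before the system directories and PATH.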
