Skip to content

DET0004 Detection Strategy for Hijack Execution Flow using Path Interception by PATH Environment Variable.

Item Value
ID DET0004
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1574.007 (Path Interception by PATH Environment Variable)

Analytics

Windows

AN0009

Abnormal modification of the PATH environment variable or registry keys controlling system paths, combined with execution of binaries named after legitimate system tools from user-writable directories. Defender correlates registry modifications, file creation of suspicious binaries, and process execution paths inconsistent with baseline system directories.

Log Sources
Data Component Name Channel
Windows Registry Key Modification (DC0063) WinEventLog:Security EventCode=4657
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Mutable Elements
Field Description
MonitoredRegistryKeys PATH environment keys under HKCU and HKLM to monitor for changes.
SuspiciousBinaryList List of high-value system binaries commonly hijacked (e.g., net.exe, python.exe, powershell.exe).
TimeWindow Correlation window between PATH modification and execution of a hijacked binary.

Linux

AN0010

User modification of the $PATH environment variable in shell configuration files or direct runtime PATH changes, followed by execution of binaries from user-controlled directories. Defender observes file edits to ~/.bashrc, ~/.profile, or /etc/paths.d and process execution resolving to unexpected binary locations.

Log Sources
Data Component Name Channel
File Modification (DC0061) auditd:SYSCALL open/write calls modifying ~/.bashrc, ~/.profile, or /etc/paths.d
Process Creation (DC0032) linux:osquery Execution of binary resolved from $PATH not located in /usr/bin or /bin
Mutable Elements
Field Description
MonitoredShellConfigs Set of shell startup files where PATH changes should be flagged.
AllowedUserBins Directories (e.g., /usr/local/bin) considered safe to avoid FP.

macOS

AN0011

Modification of PATH or HOME environment variables through shell config files, launchctl, or /etc/paths.d entries, combined with process execution from attacker-controlled directories. Defender correlates file changes in /etc/paths.d with process execution resolving to malicious binaries.

Log Sources
Data Component Name Channel
File Modification (DC0061) macos:unifiedlog File modification in /etc/paths.d or user shell rc files
Process Creation (DC0032) macos:unifiedlog Process execution path inconsistent with baseline PATH directories
Mutable Elements
Field Description
WatchedPathsDirs Monitor /etc/paths.d and $HOME for unauthorized entries.
TrustedExecutables Baseline applications expected in user PATH directories.