
DET0564 Detection Strategy for Hijack Execution Flow using Path Interception by Search Order Hijacking

ID: DET0564
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1574.008 (Path Interception by Search Order Hijacking)

Analytics

Windows

AN1560

Processes executing binaries named after legitimate system utilities (e.g., net.exe, findstr.exe, python.exe) from non-standard or application-specific directories rather than their expected system locations, combined with file creation or modification events for binaries of those names in directories where executables should not normally be written. When a program or script invokes such a utility by bare name, Windows resolves it through its search order, so a matching binary planted earlier in that order (the calling application's own directory, the current working directory, or a PATH entry preceding System32) runs in its place. The defender correlates file writes in those vulnerable directories, process execution paths inconsistent with baseline system paths, and abnormal parent-child relationships in process lineage; the path anomaly alone is a weak signal, since legitimate software (a user-profile Python install, for example) also runs these names from non-system paths, so the file write and the unexpected parent are what corroborate it.

Log Sources
Data Component (Name)        Channel
File Creation (DC0039)       WinEventLog:Sysmon EventCode=11
File Metadata (DC0059)       WinEventLog:Sysmon EventCode=15 (FileCreateStreamHash)
Process Creation (DC0032)    WinEventLog:Sysmon EventCode=1
Mutable Elements
Field                   Description
SuspiciousBinaryList    Common system utilities often hijacked (e.g., net.exe, cmd.exe, powershell.exe, python.exe).
MonitoredDirectories    Directories where executables should not normally be written (e.g., application folders, user profile subdirectories).
TimeWindow              Correlation window between file creation and subsequent process execution from the same path.
ParentProcessBaseline   Expected parent processes for critical system binaries; deviations may indicate hijacking.