T1574.007 Path Interception by PATH Environment Variable
Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.
The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\system32 (e.g., C:\Windows\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.
For example, if C:\example path precedes C:\Windows\system32 in the PATH environment variable, a program that is named net.exe and placed in C:\example path will be called instead of the Windows system "net" when "net" is executed from the command-line.
Item | Value |
---|---|
ID | T1574.007 |
Sub-techniques | T1574.001, T1574.002, T1574.004, T1574.005, T1574.006, T1574.007, T1574.008, T1574.009, T1574.010, T1574.011, T1574.012, T1574.013 |
Tactics | TA0003, TA0004, TA0005 |
CAPEC ID | CAPEC-13, CAPEC-38 |
Platforms | Windows |
Version | 1.0 |
Created | 13 March 2020 |
Last Modified | 16 September 2020 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0363 | Empire | Empire contains modules that can discover and exploit path interception opportunities in the PATH environment variable.[10] |
S0194 | PowerSploit | PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit path interception opportunities in the PATH environment variable.[11][12] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1047 | Audit | Find and eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate. |
M1038 | Execution Prevention | Adversaries will likely need to place new binaries in locations to be executed through this weakness. Identify and block potentially malicious software executed through path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.[1][2][3][4][5][6] |
M1022 | Restrict File and Directory Permissions | Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\Windows\ , to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories. |
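The search-order walk described in the technique text and the Audit (M1047) and Restrict File and Directory Permissions (M1022) mitigations above come down to the same question: which PATH entries does Windows consult before %SystemRoot%\System32, and can a non-admin write into them? The following PowerShell is an added example written for this page, not tooling from ATT&CK or from the projects it cites. It assumes it is run on the host being audited (it reads the live $env:Path) and that the three well-known SIDs it checks (Everyone, Authenticated Users, BUILTIN\Users) are a reasonable definition of "any user"; the function name Get-PathInterceptionRisk is ours.

```powershell
# Added example (not from the ATT&CK page): audit the live PATH search order.
# For every directory Windows would search before %SystemRoot%\System32 it
# reports whether the directory exists, whether a non-admin identity (Everyone,
# Authenticated Users, BUILTIN\Users) is allowed to create files there, and any
# .exe whose name collides with a System32 binary (the net.exe case above).
function Get-PathInterceptionRisk {
    $system32 = Join-Path $env:SystemRoot 'System32'

    # PATH entries in search order; surrounding quotes and %VARS% are normalized.
    [string[]]$entries = @($env:Path -split ';' |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ -ne '' } |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_).TrimEnd('\') })

    # Everything before the first System32 entry is searched ahead of it.
    $sysIndex = [array]::FindIndex($entries, [Predicate[string]] { param($p) $p -eq $system32 })
    if ($sysIndex -lt 0) {
        Write-Warning 'System32 is not listed in PATH; treating every entry as preceding it.'
        $sysIndex = $entries.Count
    }

    # Lower-cased names of every executable in System32, for collision checks.
    $systemExe = @{}
    Get-ChildItem -LiteralPath $system32 -Filter *.exe -File -ErrorAction SilentlyContinue |
        ForEach-Object { $systemExe[$_.Name.ToLowerInvariant()] = $true }

    $broadSids  = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
    $createFile = [System.Security.AccessControl.FileSystemRights]::CreateFiles

    for ($i = 0; $i -lt $sysIndex; $i++) {
        $dir          = $entries[$i]
        $exists       = Test-Path -LiteralPath $dir -PathType Container
        $userWritable = $false
        $shadows      = @()

        if ($exists) {
            # Any Allow ACE granting CreateFiles to a broad identity means a
            # standard user could drop a look-alike binary here.
            foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                try {
                    $sid = $ace.IdentityReference.Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value
                } catch { continue }   # orphaned / unresolvable identity
                if (($broadSids -contains $sid) -and
                    (($ace.FileSystemRights -band $createFile) -ne 0)) {
                    $userWritable = $true
                }
            }
            # Executables already present whose names shadow a System32 binary.
            $shadows = @(Get-ChildItem -LiteralPath $dir -Filter *.exe -File -ErrorAction SilentlyContinue |
                Where-Object { $systemExe.ContainsKey($_.Name.ToLowerInvariant()) } |
                ForEach-Object { $_.FullName })
        }

        [pscustomobject]@{
            Order           = $i
            Directory       = $dir
            Exists          = $exists
            UserWritable    = $userWritable
            ShadowsSystem32 = ($shadows -join '; ')
        }
    }
}

Get-PathInterceptionRisk | Format-Table -AutoSize
```

Rows with UserWritable set are the ones M1022 tells you to lock down; a non-empty ShadowsSystem32 column is worth an immediate look regardless of permissions, since the file is already in a position to be picked ahead of the real binary. Running it per user matters too, because $env:Path is the concatenation of the machine and user PATH values and the user portion is often where a writable entry sneaks in.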
Detection
ID | Data Source | Data Component |
---|---|---|
DS0022 | File | File Creation |
DS0009 | Process | Process Creation |
DS0024 | Windows Registry | Windows Registry Key Modification |
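The detection table maps to concrete checks. Process Creation: a Security 4688 event whose image file name matches a System32 binary but whose directory is not System32 (or the legitimate SysWOW64/WinSxS copies) is exactly what a hijacked "net" call looks like on the wire. Windows Registry Key Modification: the machine-wide PATH is stored under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment, so a change to that value, or a new entry that precedes System32, is the registry side of the same story. The PowerShell below is an added example for this page, not an ATT&CK or vendor artifact. It assumes an elevated shell, that "Audit Process Creation" is enabled (otherwise there are no 4688 events to read), and that you hold a known-good copy of the machine PATH to compare against; the function names, the -HoursBack parameter and the baseline string are ours.

```powershell
# Added example (not from the ATT&CK page): checks for the Process Creation and
# Windows Registry Key Modification data sources listed above. Assumes an
# elevated shell and that Security event 4688 (process creation) is being audited.

# 1) Process Creation: 4688 events whose image name matches a System32 binary but
#    whose directory is not System32 (or its legitimate SysWOW64/WinSxS copies).
function Find-ShadowedSystemBinaryLaunch {
    param([int]$HoursBack = 24)   # hypothetical parameter, chosen for this example
    $system32  = Join-Path $env:SystemRoot 'System32'
    $systemExe = @{}
    Get-ChildItem -LiteralPath $system32 -Filter *.exe -File -ErrorAction SilentlyContinue |
        ForEach-Object { $systemExe[$_.Name.ToLowerInvariant()] = $true }

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$HoursBack) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        $image = $fields['NewProcessName']
        if (-not $image) { return }

        $name  = [IO.Path]::GetFileName($image).ToLowerInvariant()
        $dir   = [IO.Path]::GetDirectoryName($image)
        $legit = ($dir -eq $system32) -or
                 ($dir -like "$env:SystemRoot\SysWOW64*") -or
                 ($dir -like "$env:SystemRoot\WinSxS*")

        if ($systemExe.ContainsKey($name) -and -not $legit) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Image       = $image
                Parent      = $fields['ParentProcessName']
                User        = $fields['SubjectUserName']
                CommandLine = $fields['CommandLine']   # only present if command-line auditing is on
            }
        }
    }
}

# 2) Registry Key Modification: read the machine PATH exactly as stored (unexpanded,
#    so %SystemRoot% stays literal) and diff it against a known-good baseline.
$envKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'

function Get-MachinePathFromRegistry {
    (Get-Item -LiteralPath $envKey).GetValue('Path', '', 'DoNotExpandEnvironmentNames')
}

function Compare-MachinePathToBaseline {
    param([string]$BaselinePath)   # the expected value, captured from a golden image
    $current  = Get-MachinePathFromRegistry
    $expected = @($BaselinePath -split ';' | Where-Object { $_ })
    $added    = @($current -split ';' | Where-Object { $_ -and ($expected -notcontains $_) })
    [pscustomobject]@{
        Changed      = ($current -ne $BaselinePath)
        AddedEntries = $added
        Current      = $current
    }
}

# Usage (the baseline below is a constructed placeholder; paste the real known-good value).
Find-ShadowedSystemBinaryLaunch -HoursBack 48 | Format-Table -AutoSize
Compare-MachinePathToBaseline -BaselinePath '%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem'
```

The process-creation check deliberately keys on the file name rather than the command line, because the whole point of the technique is that the command as typed ("net") is indistinguishable from a legitimate call; only the resolved NewProcessName reveals which copy actually ran. For the registry check, feeding AddedEntries back into the audit function from the Mitigations section tells you whether a newly added entry lands ahead of System32 and is user-writable, which is the combination that matters.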
References
1. Beechey, J. (2014, November 18). Application Whitelisting: Panacea or Propaganda? Retrieved November 18, 2014.
2. Gorzelany, A., Hall, J., Poggemeyer, L. (2019, January 7). Windows Defender Application Control. Retrieved July 16, 2019.
3. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
4. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
5. Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
6. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.
7. Microsoft. (n.d.). CreateProcess function. Retrieved December 5, 2014.
8. Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved July 25, 2016.
9. Kanthak, S. (2016, July 20). Vulnerability and Exploit Detector. Retrieved February 3, 2017.
10. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
11. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
12. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.