T1574.007

Path Interception by PATH Environment Variable

Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User and System) that the OS searches sequentially for the binary that was called from a script or the command line. Adversaries can place a malicious program in an earlier entry in the list of directories stored in the PATH environment variable, resulting in the operating system executing the malicious bi...

Windows, macOS, Linux

7 Detections
2 Sources
0 Threat Actors

BY SOURCE

5 elastic, 2 sigma

PROCEDURES (7)

Bypass: 1 detection

Auto-extracted: 1 detection for bypass

Privilege: 1 detection

Auto-extracted: 1 detection for privilege

Privilege: 1 detection

Auto-extracted: 1 detection for privilege

Process Creation Monitoring: 1 detection

Auto-extracted: 1 detection for process creation monitoring

Privilege: 1 detection

Auto-extracted: 1 detection for privilege

Command Line Monitoring: 1 detection

Auto-extracted: 1 detection for command line monitoring

Bypass: 1 detection

Auto-extracted: 1 detection for bypass

DETECTIONS (7)