Description
Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User and System) that the OS searches sequentially through in search of the binary that was called from a script or the command line.
Adversaries can place a malicious program in an earlier entry in the list of directories stored in the PATH environment variable, resulting in the operating system executing the malicious binary rather than the legitimate binary when it searches sequentially through that PATH listing.
For example, on Windows if an adversary places a malicious program named "net.exe" in C:\example path, which by default precedes C:\Windows\system32\net.exe in the PATH environment variable, when "net" is executed from the command-line the C:\example path will be called instead of the system's legitimate executable at C:\Windows\system32\net.exe. Some methods of executing a program rely on the PATH environment variable to determine the locations that are searched when the path for the program is not given, such as executing programs from a Command and Scripting Interpreter.(Citation: ExpressVPN PATH env Windows 2021)
Adversaries may also directly modify the $PATH variable specifying the directories to be searched. An adversary can modify the $PATH variable to point to a directory they have write access. When a program using the $PATH variable is called, the OS searches the specified directory and executes the malicious binary. On macOS, this can also be performed through modifying the $HOME variable. These variables can be modified using the command-line, launchctl, Unix Shell Configuration Modification, or modifying the /etc/paths.d folder contents.(Citation: uptycs Fake POC linux malware 2023)(Citation: nixCraft macOS PATH variables)(Citation: Elastic Rules macOS launchctl 2022)
Platforms
Mitigations (3)
Restrict File and Directory PermissionsM1022
Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\Windows\, to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories.
Execution PreventionM1038
Adversaries will likely need to place new binaries in locations to be executed through this weakness. Identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.(Citation: SANS Application Whitelisting)(Citation: Microsoft Windows Defender A
AuditM1047
Find and eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate.
Clean up old Windows Registry keys when so
Associated Software (4)
| ID | Name | Type | Context |
|---|---|---|---|
| S0194 | PowerSploit | Tool | [PowerSploit](https://attack.mitre.org/software/S0194) contains a collection of Privesc-PowerUp modules that can discover and exploit path interceptio... |
| S9015 | BRICKSTORM | Malware | [BRICKSTORM](https://attack.mitre.org/software/S9015) has checked hard-coded paths of `/etc/sysconfig/` or `/etc/sysconfig/network` prior to execution... |
| S0363 | Empire | Tool | [Empire](https://attack.mitre.org/software/S0363) contains modules that can discover and exploit path interception opportunities in the PATH environme... |
| S1111 | DarkGate | Malware | [DarkGate](https://attack.mitre.org/software/S1111) overrides the <code>%windir%</code> environment variable by setting a Registry key, <code>HKEY_CUR... |
References
- Elastic Security 7.17. (2022, February 1). Modification of Environment Variable via Launchctl. Retrieved September 28, 2023.
- ExpressVPN Security Team. (2021, November 16). Cybersecurity lessons: A PATH vulnerability in Windows. Retrieved September 28, 2023.
- Nischay Hegde and Siddartha Malladi. (2023, July 12). PoC Exploit: Fake Proof of Concept with Backdoor Malware. Retrieved September 28, 2023.
- Vivek Gite. (2023, August 22). MacOS – Set / Change $PATH Variable Command. Retrieved September 28, 2023.
Frequently Asked Questions
What is T1574.007 (Path Interception by PATH Environment Variable)?
T1574.007 is a MITRE ATT&CK technique named 'Path Interception by PATH Environment Variable'. It belongs to the Stealth, Execution tactic(s). Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User and System) that the...
How can T1574.007 be detected?
Detection of T1574.007 (Path Interception by PATH Environment Variable) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1574.007?
There are 3 documented mitigations for T1574.007. Key mitigations include: Restrict File and Directory Permissions, Execution Prevention, Audit.
Which threat groups use T1574.007?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.