Description
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
Search order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike DLL search order hijacking, the search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Windows NT Command Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.
For example, "example.exe" runs "cmd.exe" with the command-line argument net user. An adversary may place a program called "net.exe" within the same directory as example.exe, "net.exe" will be run instead of the Windows system utility net. In addition, if an adversary places a program called "net.com" in the same directory as "net.exe", then cmd.exe /C net user will execute "net.com" instead of "net.exe" due to the order of executable extensions defined under PATHEXT. (Citation: Microsoft Environment Property)
Search order hijacking is also a common practice for hijacking DLL loads and is covered in DLL.
Platforms
Mitigations (3)
Execution PreventionM1038
Adversaries will likely need to place new binaries in locations to be executed through this weakness. Identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.(Citation: SANS Application Whitelisting)(Citation: Microsoft Windows Defender A
Restrict File and Directory PermissionsM1022
Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\Windows\, to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories.
AuditM1047
Find and eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate.
Clean up old Windows Registry keys when so
Associated Software (2)
| ID | Name | Type | Context |
|---|---|---|---|
| S0363 | Empire | Tool | [Empire](https://attack.mitre.org/software/S0363) contains modules that can discover and exploit search order hijacking vulnerabilities.(Citation: Git... |
| S0194 | PowerSploit | Tool | [PowerSploit](https://attack.mitre.org/software/S0194) contains a collection of Privesc-PowerUp modules that can discover and exploit search order hij... |
References
- Microsoft. (2011, October 24). Environment Property. Retrieved July 27, 2016.
- Microsoft. (n.d.). CreateProcess function. Retrieved September 12, 2024.
- Microsoft. (n.d.). WinExec function. Retrieved September 12, 2024.
- Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved December 5, 2014.
Frequently Asked Questions
What is T1574.008 (Path Interception by Search Order Hijacking)?
T1574.008 is a MITRE ATT&CK technique named 'Path Interception by Search Order Hijacking'. It belongs to the Stealth, Execution tactic(s). Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may pl...
How can T1574.008 be detected?
Detection of T1574.008 (Path Interception by Search Order Hijacking) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1574.008?
There are 3 documented mitigations for T1574.008. Key mitigations include: Execution Prevention, Restrict File and Directory Permissions, Audit.
Which threat groups use T1574.008?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.