Path Interception by PATH Environment Variable


Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in a directory that appears earlier in the list stored in the PATH environment variable. Windows then executes that program when it searches the PATH entries sequentially for the binary that was called from a script or the command line.
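A defender can check a collected PATH value for the ordering problem described above. The following is an added example, not Tenable's plugin logic: the function names, the sample PATH and the choice of %SystemRoot% and %ProgramFiles% as trusted roots are assumptions made for illustration.

```python
import ntpath  # Windows path semantics, so the check also runs on a non-Windows analysis host
import re

# Constructed sample values; real ones come from the audited host's environment.
SAMPLE_ENV = {"SystemRoot": r"C:\Windows", "ProgramFiles": r"C:\Program Files"}
SAMPLE_PATH = r"C:\Tools;%SystemRoot%\system32;%SystemRoot%;.;C:\Program Files\Git\cmd"

def expand(entry, env):
    """Expand %VAR% references case-insensitively; unknown variables are left as-is."""
    lowered = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lowered.get(m.group(1).lower(), m.group(0)), entry)

def canon(path, env):
    """Expand, normalise and lower-case a path so entries compare reliably."""
    return ntpath.normcase(ntpath.normpath(expand(path, env)))

def audit_path(path_value, env):
    """Return (position, entry, reason) for PATH entries that deserve review.

    Flags relative or unresolved entries, and absolute entries that are searched
    before System32 while lying outside the assumed trusted roots.
    Directory ACLs are not checked here; do that on the host for each finding.
    """
    trusted = [canon(r"%SystemRoot%", env), canon(r"%ProgramFiles%", env)]
    system32 = canon(r"%SystemRoot%\system32", env)
    findings, seen_system32 = [], False
    for pos, raw in enumerate(path_value.split(";")):
        entry = raw.strip().strip('"')
        if not entry:
            continue  # skip blanks left by trailing or doubled semicolons
        full = canon(entry, env)
        if not ntpath.isabs(full):
            findings.append((pos, entry, "relative or unresolved entry"))
        elif full == system32:
            seen_system32 = True
        elif not seen_system32 and not any(
                full == t or full.startswith(t + "\\") for t in trusted):
            findings.append((pos, entry,
                             "searched before System32, outside trusted roots"))
    return findings

if __name__ == "__main__":
    for pos, entry, reason in audit_path(SAMPLE_PATH, SAMPLE_ENV):
        print(f"[{pos}] {entry}: {reason}")
```

Each finding is a candidate for review, not proof of compromise: confirm who can write to the directory and whether it contains executables that share a name with a system binary.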

Products, Sensors, and Dependencies

| Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes |
|---|---|---|---|---|---|---|
| Tenable Vulnerability Management | Advanced Network Scan | Windows machines | Authenticated Scan | SMB | Environment Variables | Plugin ID: 92364 |


Microsoft Windows Environment Variables

Attack Path Technique Details

Framework: MITRE ATT&CK

Family: Persistence, Privilege Escalation, Defense Evasion

Platform: Windows

Tenable Release Date: 2022 Q2