Detections
Analytics
Path Interception by PATH Environment Variable
Description
Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.
Products, Sensors, and Dependencies
| Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes |
|---|---|---|---|---|---|---|
| Tenable Vulnerability Management | Advanced Network Scan | Windows machines | Authenticated Scan | SMB | Environment Variables | Plugin ID: 92364 |
References
Attack Path Technique Details
Framework: MITRE ATT&CK
Family: Persistence, Privilege Escalation, Defense Evasion
Technique: Hijack Execution Flow
Sub-Technique: Path Interception by PATH Environment Variable
Platform: Windows
Products Required: Tenable Vulnerability Management
Tenable Release Date: 2022 Q2