Path Interception by Search Order Hijacking

Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.

Search order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike DLL Search Order hijacking, the search order differs depending on the method that is used to execute the program. However, it is common for Windows to search in the directory of the initiating program before searching through the Windows System directory. An adversary who finds a program vulnerable to search order hijacking(i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.

For example, "example.exe" runs "cmd.exe" with the command-line argument net user. An adversary may place a program called "net.exe" within the same directory as example.exe, "net.exe" will be run instead of the Windows system utility net. In addition, if an adversary places a program called "" in the same directory as "net.exe", then cmd.exe /C net users will execute "" instead of "net.exe" due to the order of executable extensions defined under PATHEXT.

Search order hijacking is also common practice for hijacking DLL loads.


So in this example I created a simple C++ example.exe application which calls net.exe and uses the arguments net users.

This application is vulnerable to Search order Hijacking as since the program net.exe is not called with it's full path Windows is Searching for the program in its predetermined order that I have mentioned previously, take a look at the code:

I will execute example.exe in a regular directory where there is no malicious hijacking.

As you can see above the child processes from Example it called net.exe and windows found it in the %SystemRoot% Path.

So what happens when the program is called in a directory where there is a similar program named net.exe but it is actually our malicious payload?.

We can see it found our malicious payload that executes calc.exe and it runs that one instead, since one of the first paths it usually takes before finding it in C:\Windows\System32 is the current working directory.

Calc.exe is executed instead.

Last updated