> For the complete documentation index, see [llms.txt](https://dmcxblue.gitbook.io/red-team-notes-2-0/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/persistence/t1574-hijack-execution-flow/path-interception-by-path-environment-variable.md).

# Path Interception by PATH Environment Variable

Adversaries may execute their own malicious payloads by hijacking the environment variable the operating system uses to locate executables. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing for the binary that was called from a script or the command line.

The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command line) rely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. cmd.exe looks in the current working directory first and then walks PATH in order, trying each extension listed in PATHEXT in every directory before moving to the next one. If any directories are listed in the PATH environment variable before the Windows directory %SystemRoot%\System32 (e.g. C:\Windows\System32), a program named the same as a Windows program (such as cmd, powershell, or python) may be placed in the preceding directory, and it will be executed whenever that command is run by bare name from a script or the command line.

For example, if C:\example Path precedes C:\Windows\System32 in the PATH environment variable, a program named net.exe placed in C:\example Path will be called instead of the Windows system net.exe when "net" is executed from the command line.

**Example:**

It is possible to abuse the %PATH% environment variable to elevate privileges as long as the current user has write (W) permission on one of its directories and that directory comes **BEFORE** C:\Windows\System32. The elevation itself comes from the victim process: a service, scheduled task, logon script or higher-privileged user that invokes the command by bare name (net rather than C:\Windows\System32\net.exe) while using that PATH.

By using **set path=** in cmd.exe we can prepend a directory we control. This only changes the PATH of the current cmd.exe process and its children, which is enough for the demonstration below; for a persistent hijack the entry has to be in the machine PATH (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment) or the user PATH (HKCU\Environment), or an existing entry that precedes System32 has to already be writable.

Let us check our PATH variable and see how it looks

![](/files/-MRhYf_6QCOz303gDYui)

Now I will add our malicious payload, which in this case is a copy of calc.exe renamed to net.exe.

![](/files/-MRhYgM6F9qjB4XMGX5z)

We add our new path and make sure it comes before C:\Windows\System32.

![](/files/-MRhYhF7UTBGrrbNkR5m)

Now when I run net normally, Calc should pop up instead of the real net.exe.

### Linux

Adversaries can place a malicious program in an earlier entry in the list of directories stored in the PATH environment variable, resulting in the operating system executing the malicious binary rather than the legitimate binary when it searches sequentially through that PATH listing.

Adversaries may also directly modify the $PATH variable specifying the directories to be searched. An adversary can modify the $PATH variable to point to a directory to which they have write access. When a program that relies on the $PATH variable is called, the OS searches the specified directory and executes the malicious binary.

Notice that in my new terminal I have renamed an ELF binary to the same name as the "pigz" tool, then used the "which" command to tell me where the binary is located: it now points at the new path, which is reached BEFORE the legitimate one. Simply calling the tool normally then gives me execution of calc. Note that which walks PATH the same way the shell does, but the shell's own type or command -v also accounts for aliases, functions and builtins, which always win over PATH and therefore cannot be shadowed this way.

<figure><img src="/files/hRrbdZASrfpFAd46Uf0G" alt=""><figcaption></figcaption></figure>
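As an added example that is not part of the original notes, the POSIX shell functions below reproduce the Linux walkthrough in a throwaway directory and add the check a practitioner wants first: which PATH entries are writable by the current user and come before the legitimate binary's directory. The tool name uname and a fake that merely prints a marker are assumptions standing in for the page's pigz and calc binaries.

```shell
# Added example (not from the original notes): PATH interception on Linux.
# demo_hijack - drops a fake script named like an external tool into a fresh temp
#               dir, prepends that dir to PATH in a subshell and runs the bare
#               command name; the fake runs, the legitimate binary never does.
# audit_path  - lists PATH entries that precede the legitimate binary's directory
#               AND are writable by the current user: the places a fake could be
#               planted (or, defensively, the entries you need to fix).

demo_hijack() {
    local tool=$1 legit dir
    # Only external commands are resolved via PATH. Aliases, functions and
    # builtins are found before PATH is consulted, so they cannot be shadowed.
    legit=$(command -v "$tool") || { echo "$tool: not found" >&2; return 2; }
    case $legit in
        /*) ;;
        *) echo "$tool is a builtin or function; PATH is never consulted" >&2; return 3 ;;
    esac
    dir=$(mktemp -d) || return 1
    # The payload here just prints a marker (assumption); the walkthrough used calc.
    printf '#!/bin/sh\necho HIJACKED %s\n' "$tool" > "$dir/$tool"
    chmod 755 "$dir/$tool"
    (
        PATH="$dir:$PATH"
        hash -r      # forget any cached location of $tool from earlier in this shell
        echo "$tool now resolves to $(command -v "$tool"), not $legit" >&2
        "$tool"      # bare name, exactly as a script or operator would type it
    )
    rm -rf "$dir"
}

audit_path() {
    local target_dir=$1 rest d
    rest=${2:-$PATH}:            # optional 2nd arg: audit another user's/service's PATH
    while [ -n "$rest" ]; do
        d=${rest%%:*}
        rest=${rest#*:}
        [ -z "$d" ] && d=.       # an empty entry ("::", leading or trailing ":") means cwd
        [ "$d" = "$target_dir" ] && return 0   # reached the legitimate location: stop
        [ -w "$d" ] && printf '%s\n' "$d"
    done
    return 1                     # the legitimate directory is not on PATH at all
}
```

Run `demo_hijack uname` to get the marker instead of the kernel name, and `audit_path "$(dirname "$(command -v pigz)")"` to list the directories in which a fake pigz would win. The subshell keeps the modified PATH from leaking into your own session; a real persistence play instead puts the attacker-controlled directory at the front of the PATH the victim process actually uses, for example through that user's shell profile or the environment of the cron job or service that calls the tool by bare name.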

