Path interception occurs when an executable is placed in a specific path so that it is executed by an application instead of the intended target. One example of this was the use of a copy of cmd in the current working directory of a vulnerable application that loads a CMD or BAT file with the CreateProcess function.
There are multiple distinct weaknesses or misconfigurations that adversaries may take advantage of when performing path interception: the first deals with full program paths, while the second and third occur when program paths are not specified. These weaknesses can be used for persistence if executables are called on a regular basis, as well as for privilege escalation if intercepted executables are started by a higher-privileged process.
Service paths stored in Windows Registry keys [2] and shortcut paths are vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g. ...). For example, if the path in a shortcut is C:...

The PATH environment variable contains a list of directories. Certain methods of executing a program, namely using cmd... For example, if C:...

Search order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. The search order differs depending on the method that is used to execute the program. An adversary who finds a program vulnerable to search order hijacking (i.e. ...) ... An adversary may place a program called "net..." In addition, if an adversary places a program called "net..."

Eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them [4].
Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate [8]. Clean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries. Periodically search for and correct or report path interception weaknesses on systems that may have been introduced, using custom or available tools that report software using insecure path configurations [9].

Require that all executables be placed in write-protected directories. Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C:...

Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or that otherwise should not be user-writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path, such as "findstr", "net", and "python". If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
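The unquoted-path mitigation and the "partial directory" detection above share one piece of logic: working out which executable names Windows would try before the intended one. The following is an added example (not MITRE's, Microsoft's, or any referenced tool's code) that audits a set of service image paths for unquoted paths containing spaces, derives the partial-directory executables a defender should watch for, and then classifies constructed file-creation events against that list and against the page's list of programs commonly run without a path. The service paths, the event file names and the system-directory list are constructed samples; on a real host the paths would be read from the Services registry key and the events from a file-creation log such as Sysmon Event ID 11.

```python
"""Defender-side audit for path interception (added example, not the page's code).

Two checks from the page:
  1. unquoted service/shortcut paths containing spaces, and the "partial
     directory" executables Windows would try before the intended one;
  2. file-creation events for executables named after partial directories or
     after system programs commonly run without a path (net, findstr, python).

Service paths and events below are constructed samples.
"""
import ntpath  # Windows path semantics regardless of the host OS
from typing import Dict, List, Optional, Set

EXE_EXTENSIONS = (".exe", ".com", ".bat", ".cmd")
# Names the page lists as commonly executed without a path.
WATCHED_NAMES = {"net", "findstr", "python"}
# Directories where those names are expected to live (assumed list).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def unquoted_path_candidates(command_line: str) -> List[str]:
    """Return the executables CreateProcess may try before the intended one.

    For an unquoted command line, Windows splits at each space and tries the
    growing prefix (with .exe appended when it has no extension) until a file
    is found. An empty list means the path is quoted, or has no spaces before
    the executable name, so this weakness does not apply.
    """
    cmd = command_line.strip()
    if cmd.startswith('"'):
        return []
    parts = cmd.split(" ")
    candidates: List[str] = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        if prefix.lower().endswith(EXE_EXTENSIONS):
            break  # this prefix is the intended executable; the rest are arguments
        candidates.append(prefix + ".exe")
    return candidates


def audit_service_paths(image_paths: Dict[str, str]) -> Dict[str, List[str]]:
    """Service name -> interception candidates, for every vulnerable path."""
    findings: Dict[str, List[str]] = {}
    for service, path in image_paths.items():
        candidates = unquoted_path_candidates(path)
        if candidates:
            findings[service] = candidates
    return findings


def flag_file_create(target_filename: str, partial_dir_targets: Set[str]) -> Optional[str]:
    """Classify one file-creation event; None means nothing suspicious."""
    low = target_filename.lower()
    if low in partial_dir_targets:
        return "executable named after a partial directory"
    directory, base = ntpath.split(low)
    stem, _ext = ntpath.splitext(base)
    if stem in WATCHED_NAMES and directory not in SYSTEM_DIRS:
        # Expect hits during known installations or upgrades (an installer
        # writing python.exe, for instance); suppress those with change records.
        return "system program name written outside a system directory"
    return None


# Constructed sample service ImagePath values.
SAMPLE_SERVICES = {
    "VendorSvc": r"C:\Program Files\Vendor App\service.exe -k svc",
    "SafeSvc": r'"C:\Program Files\Vendor App\service.exe" -k svc',
    "wuauserv": r"C:\Windows\system32\svchost.exe -k netsvcs",
}

# Constructed sample file-creation targets (Sysmon Event ID 11 TargetFilename).
SAMPLE_EVENTS = [
    r"C:\Program.exe",
    r"C:\Users\alice\Downloads\net.exe",
    r"C:\Windows\System32\findstr.exe",
    r"C:\Program Files\Vendor App\service.exe",
]


def run_checks(services=SAMPLE_SERVICES, events=SAMPLE_EVENTS):
    """Run both checks; returns (unquoted-path findings, flagged events)."""
    findings = audit_service_paths(services)
    targets = {c.lower() for cands in findings.values() for c in cands}
    alerts = [(e, flag_file_create(e, targets)) for e in events]
    return findings, [(e, reason) for e, reason in alerts if reason]


if __name__ == "__main__":
    found, flagged = run_checks()
    for service, cands in found.items():
        print(f"[unquoted path] {service}: watch for {cands}")
    for target, reason in flagged:
        print(f"[file create] {target}: {reason}")
```

Only the service whose path is unquoted is reported; the quoted path and the svchost path produce no candidates because the first space-delimited prefix already ends in an executable extension. The watch list built from the audit is what the file-creation monitor compares against, so fixing the unquoted path (adding the quotes) also empties the list of partial-directory names that need monitoring for that service.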
References
- MS... Fixing a binary hijacking via ... Retrieved July 25.
- Retrieved November 30.
- Help eliminate unquoted path vulnerabilities. Retrieved December 4.
- Retrieved December 5.
- Windows NT Command Shell. Retrieved July 27.
- Vulnerability and Exploit Detector. Retrieved February 3.
- Retrieved November 18.
- Windows Commands Abused by Attackers. Retrieved February 2.
- Retrieved March 31.
- Application Lockdown with Software Restriction Policies.
Tactics: Persistence, Privilege Escalation. This page was last modified on 11 January.