Path Interception (T1034)

View on ATT&CK

In Playbook

Technique & Subtechniques

  • Path Interception

Associated Tactics

  • Persistence
  • Privilege Escalation

Persistence (TA0003)

The adversary is trying to maintain their foothold. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.

View on ATT&CK

Procedure Examples

Description Source(s)
capec
Nagaraju, S. (2014, April 8). MS14-019 – Fixing a binary hijacking via .cmd or .bat file. Retrieved July 25, 2016. TechNet MS14-019
Microsoft. (n.d.). CurrentControlSet\Services Subkey Entries. Retrieved November 30, 2014. Microsoft Subkey
Baggett, M. (2012, November 8). Help eliminate unquoted path vulnerabilities. Retrieved December 4, 2014. Baggett 2012
HackHappy. (2018, April 23). Windows Privilege Escalation – Unquoted Services. Retrieved August 10, 2018. SecurityBoulevard Unquoted Services APR 2018
McFarland, R. (2018, January 26). Windows Privilege Escalation Guide. Retrieved August 10, 2018. SploitSpren Windows Priv Jan 2018
Microsoft. (n.d.). CreateProcess function. Retrieved December 5, 2014. Microsoft CreateProcess
Hill, T. (n.d.). Windows NT Command Shell. Retrieved December 5, 2014. Hill NT Shell
Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014. Microsoft WinExec
Microsoft. (n.d.). Environment Property. Retrieved July 27, 2016. MSDN Environment Property