MITRE ATT&CK Technique
Description
Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User and System) that the OS searches sequentially through in search of the binary that was called from a script or the command line. Adversaries can place a malicious program in an earlier entry in the list of directories stored in the PATH environment variable, resulting in the operating system executing the malicious binary rather than the legitimate binary when it searches sequentially through that PATH listing. For example, on Windows if an adversary places a malicious program named "net.exe" in `C:\example path`, which by default precedes `C:\Windows\system32\net.exe` in the PATH environment variable, when "net" is executed from the command-line the `C:\example path` will be called instead of the system's legitimate executable at `C:\Windows\system32\net.exe`. Some methods of executing a program rely on the PATH environment variable to determine the locations that are searched when the path for the program is not given, such as executing programs from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: ExpressVPN PATH env Windows 2021) Adversaries may also directly modify the $PATH variable specifying the directories to be searched. An adversary can modify the `$PATH` variable to point to a directory they have write access. When a program using the $PATH variable is called, the OS searches the specified directory and executes the malicious binary. On macOS, this can also be performed through modifying the $HOME variable. These variables can be modified using the command-line, launchctl, [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or modifying the `/etc/paths.d` folder contents.(Citation: uptycs Fake POC linux malware 2023)(Citation: nixCraft macOS PATH variables)(Citation: Elastic Rules macOS launchctl 2022)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-03-13T14:10:43.424Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may execute their own malicious payloads by '
'hijacking environment variables used to load libraries. The '
'PATH environment variable contains a list of directories '
'(User and System) that the OS searches sequentially through '
'in search of the binary that was called from a script or the '
'command line. \n'
'\n'
'Adversaries can place a malicious program in an earlier entry '
'in the list of directories stored in the PATH environment '
'variable, resulting in the operating system executing the '
'malicious binary rather than the legitimate binary when it '
'searches sequentially through that PATH listing.\n'
'\n'
'For example, on Windows if an adversary places a malicious '
'program named "net.exe" in `C:\\example path`, which by '
'default precedes `C:\\Windows\\system32\\net.exe` in the PATH '
'environment variable, when "net" is executed from the '
'command-line the `C:\\example path` will be called instead of '
"the system's legitimate executable at "
'`C:\\Windows\\system32\\net.exe`. Some methods of executing a '
'program rely on the PATH environment variable to determine '
'the locations that are searched when the path for the program '
'is not given, such as executing programs from a [Command and '
'Scripting '
'Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: '
'ExpressVPN PATH env Windows 2021)\n'
'\n'
'Adversaries may also directly modify the $PATH variable '
'specifying the directories to be searched. An adversary can '
'modify the `$PATH` variable to point to a directory they have '
'write access. When a program using the $PATH variable is '
'called, the OS searches the specified directory and executes '
'the malicious binary. On macOS, this can also be performed '
'through modifying the $HOME variable. These variables can be '
'modified using the command-line, launchctl, [Unix Shell '
'Configuration '
'Modification](https://attack.mitre.org/techniques/T1546/004), '
'or modifying the `/etc/paths.d` folder contents.(Citation: '
'uptycs Fake POC linux malware 2023)(Citation: nixCraft macOS '
'PATH variables)(Citation: Elastic Rules macOS launchctl 2022)',
'external_references': [{'external_id': 'T1574.007',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1574/007'},
{'description': 'Elastic Security 7.17. (2022, '
'February 1). Modification of '
'Environment Variable via Launchctl. '
'Retrieved September 28, 2023.',
'source_name': 'Elastic Rules macOS launchctl 2022',
'url': 'https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-modification-of-environment-variable-via-launchctl.html'},
{'description': 'ExpressVPN Security Team. (2021, '
'November 16). Cybersecurity lessons: '
'A PATH vulnerability in Windows. '
'Retrieved September 28, 2023.',
'source_name': 'ExpressVPN PATH env Windows 2021',
'url': 'https://www.expressvpn.com/blog/cybersecurity-lessons-a-path-vulnerability-in-windows/'},
{'description': 'Nischay Hegde and Siddartha Malladi. '
'(2023, July 12). PoC Exploit: Fake '
'Proof of Concept with Backdoor '
'Malware. Retrieved September 28, '
'2023.',
'source_name': 'uptycs Fake POC linux malware 2023',
'url': 'https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware'},
{'description': 'Vivek Gite. (2023, August 22). MacOS '
'– Set / Change $PATH Variable '
'Command. Retrieved September 28, '
'2023.',
'source_name': 'nixCraft macOS PATH variables',
'url': 'https://www.cyberciti.biz/faq/appleosx-bash-unix-change-set-path-environment-variable/'}],
'id': 'attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'privilege-escalation'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'}],
'modified': '2025-10-24T17:48:22.736Z',
'name': 'Path Interception by PATH Environment Variable',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Stefan Kanthak'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows', 'macOS', 'Linux'],
'x_mitre_version': '1.2'}