Esc
Path Interception by Search Order Hijacking - T1574.008
(ATT&CK® Technique)
Definition
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1574008["Path Interception by Search Order Hijacking"] --> |creates| ExecutableFile["Executable File"]; class T1574008 OffensiveTechniqueNode;
class ExecutableFile ArtifactNode; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile";
click T1574008 href "/offensive-technique/attack/T1574.008/"; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile"; DynamicAnalysis["Dynamic Analysis"] -->
| analyzes | ExecutableFile["Executable File"];
DynamicAnalysis["Dynamic Analysis"] -.->
| may-detect | T1574008["Path Interception by Search Order Hijacking"] ;
class DynamicAnalysis DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] -->
| analyzes | ExecutableFile["Executable File"];
EmulatedFileAnalysis["Emulated File Analysis"] -.->
| may-detect | T1574008["Path Interception by Search Order Hijacking"] ;
class EmulatedFileAnalysis DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; DecoyFile["Decoy File"] -->
| spoofs | ExecutableFile["Executable File"];
DecoyFile["Decoy File"] -.->
| may-deceive | T1574008["Path Interception by Search Order Hijacking"] ;
class DecoyFile DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; ExecutableDenylisting["Executable Denylisting"] -->
| blocks | ExecutableFile["Executable File"];
ExecutableDenylisting["Executable Denylisting"] -.->
| may-isolate | T1574008["Path Interception by Search Order Hijacking"] ;
class ExecutableDenylisting DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; ExecutableAllowlisting["Executable Allowlisting"] -->
| blocks | ExecutableFile["Executable File"];
ExecutableAllowlisting["Executable Allowlisting"] -.->
| may-isolate | T1574008["Path Interception by Search Order Hijacking"] ;
class ExecutableAllowlisting DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; RestoreFile["Restore File"] -->
| restores | ExecutableFile["Executable File"];
RestoreFile["Restore File"] -.->
| may-restore | T1574008["Path Interception by Search Order Hijacking"] ;
class RestoreFile DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | ExecutableFile["Executable File"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.->
| may-detect | T1574008["Path Interception by Search Order Hijacking"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; LocalFilePermissions["Local File Permissions"] -->
| restricts | ExecutableFile["Executable File"];
LocalFilePermissions["Local File Permissions"] -.->
| may-isolate | T1574008["Path Interception by Search Order Hijacking"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; FileEviction["File Eviction"] -->
| deletes | ExecutableFile["Executable File"];
FileEviction["File Eviction"] -.->
| may-evict | T1574008["Path Interception by Search Order Hijacking"] ;
class FileEviction DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; FileEncryption["File Encryption"] -->
| encrypts | ExecutableFile["Executable File"];
FileEncryption["File Encryption"] -.->
| may-harden | T1574008["Path Interception by Search Order Hijacking"] ;
class FileEncryption DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; FileAnalysis["File Analysis"] -->
| analyzes | ExecutableFile["Executable File"];
FileAnalysis["File Analysis"] -.->
| may-detect | T1574008["Path Interception by Search Order Hijacking"] ;
class FileAnalysis DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | ExecutableFile["Executable File"];
RemoteFileAccessMediation["Remote File Access Mediation"] -.->
| may-isolate | T1574008["Path Interception by Search Order Hijacking"] ;
class RemoteFileAccessMediation DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";