$PATH interception
Requirements:
PATH contains a folder that low-privileged users can write to.
The writable folder comes before the folder that contains the legitimate binary.
EXAMPLE:
Because (in this example) "C:\Program Files\nodejs" is before "C:\WINDOWS\system32" on the PATH variable, the next time the user runs "cmd.exe", our evil version in the nodejs folder will run, instead of the legitimate one in the system32 folder.
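A defender-side check for the two requirements above, as an added PowerShell example that is not part of the original page: it walks the machine PATH in order and reports every folder that a low-privileged group can write to, marking the ones that come before System32. The list of low-privileged SIDs and the function name Test-LowPrivWritable are assumptions of this example, and only Allow ACEs are evaluated.

```powershell
# Added example: audit the machine PATH for writable folders that precede System32.
# Assumption: "low privileges" means membership in one of these well-known groups.
$lowPrivSids = @(
    'S-1-1-0'        # Everyone
    'S-1-5-11'       # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)

$rights      = [System.Security.AccessControl.FileSystemRights]
# Rights that allow dropping a file into the folder or rewriting its ACL.
$writeMask   = [int]($rights::CreateFiles -bor $rights::ChangePermissions -bor $rights::TakeOwnership)
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Test-LowPrivWritable {
    param([string]$Dir)
    $acl   = Get-Acl -LiteralPath $Dir -ErrorAction Stop
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        # Only Allow ACEs are checked; Deny ACEs are not evaluated here.
        if ($r.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to children, not to the folder itself.
        if (([int]$r.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if ($lowPrivSids -notcontains $r.IdentityReference.Value) { continue }
        if (([int]$r.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

$sys32   = (Join-Path $env:SystemRoot 'System32').TrimEnd('\')
$entries = @([Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    Where-Object { $_.Trim() } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim().Trim('"')).TrimEnd('\') })

# Position of System32 in the search order (-1 if it is not on the machine PATH).
$sysIndex = -1
for ($i = 0; $i -lt $entries.Count; $i++) {
    if ($entries[$i] -eq $sys32) { $sysIndex = $i; break }
}

for ($i = 0; $i -lt $entries.Count; $i++) {
    $dir = $entries[$i]
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
    try { $writable = Test-LowPrivWritable $dir }
    catch { Write-Warning "Could not read ACL for ${dir}: $_"; continue }
    if ($writable) {
        [pscustomobject]@{ Position = $i; Directory = $dir; BeforeSystem32 = ($i -lt $sysIndex) }
    }
}
```

Any row with BeforeSystem32 set to True meets both requirements; tightening that folder's ACL or moving it after System32 in PATH removes the condition.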