> For the complete documentation index, see [llms.txt](https://kwcsec.gitbook.io/the-red-team-handbook/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://kwcsec.gitbook.io/the-red-team-handbook/techniques/privilege-escalation/hijacking-execution/environment-variable-interception.md). # Environment Variable interception The PATH environment variable contains a list of directories which programs rely on to determine the locations of a certain program if the full path to the program is not given. If any directory is listed before the Windows Directory %SystemRoot%\System32, a program may be placed in the directory to hijack execution flow as that folder will be checked first before System32. For example, if c:\path precedes %SystemRoot%\System32, the c:\path folder will be checked for the certain program before it checks system32. If we placed a program in c:\path called powershell.exe, the \ "powershell.exe" in the c:\path folder will be called instead of the powershell.exe in system32. We need 2 requirements to exploit this: 1. PATH contains a writable folder to the attacker 2. The writable folder is before the folder that contains the legit binary Let's first look at the system wide variables with reg: `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment"` ![](/files/-MhA0NhCA8A6oB-aaAHl) As we can see in the above, the document folder precedes the system32 folder. Let's try copying calc renamed to notepad to our documents folder `copy c:\windows\system32\calc.exe c:\Users\front\Documents\notepad.exe` ![](/files/-MhA0xd22SbXYxzXbzV5) now lets open up cmd and try to open notepad. As you can see, calc will popup instead. ![](/files/-MhA17atJG98jQQDytgk) We can modify this to run our malware which will run our shellcode and start notepad.exe at the same time Because this is a system wide variable, any admin user who tries to run notepad will run calc.exe with elevated privileges which can lead to privilege escalation if we the admin user to run our malware. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://kwcsec.gitbook.io/the-red-team-handbook/techniques/privilege-escalation/hijacking-execution/environment-variable-interception.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.