Detect Path Interception By Creation Of program.exe


This search looks for the creation of program.exe on the C: drive. A file with that name created in that location may indicate an attempt at path interception.

Use Case

Advanced Threat Detection


Adversary Tactics

Alert Volume



Stage 3


Privilege Escalation

Kill Chain Phases

Actions On Objectives

Data Sources

Endpoint Detection and Response


Detect Path Interception By Creation Of program.exe Help

This search queries the Endpoint file-system data model node to list the destination machines, file hashes and file paths for which the file "program.exe" is present on the C: drive. Path interception occurs when an executable is placed in a specific path so that an application executes it instead of the intended target. In this case, applications vulnerable to path interception (because of unquoted service paths containing spaces in the Windows registry) allow attackers to execute maliciously crafted program.exe files.
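
The following added example (not part of the original page or of the search it describes) audits service ImagePath values for unquoted paths with spaces, derives the file paths worth monitoring for creation, and matches file-creation events against them. It generalizes beyond C:\program.exe to every prefix of an unquoted path; the service names, events, function names and the `dest`/`file_path` field names are constructed assumptions.

```python
import re

# Constructed sample data: service name -> ImagePath registry value.
SAMPLE_IMAGE_PATHS = {
    "QuotedSvc": r'"C:\Program Files\Vendor App\svc.exe" -k run',
    "UnquotedSvc": r'C:\Program Files\Vendor App\svc.exe -k run',
    "NoSpaceSvc": r'C:\Windows\System32\svchost.exe -k netsvcs',
}
# Constructed file-creation events; "dest" and "file_path" are assumed field names.
SAMPLE_EVENTS = [
    {"dest": "host-01", "file_path": r"C:\program.exe"},
    {"dest": "host-02", "file_path": r"C:\Program Files\Vendor App\svc.exe"},
]

def executable_part(image_path):
    """Split an ImagePath into (executable path, was_quoted)."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end != -1 else s[1:]), True
    # Unquoted: take everything up to the first ".exe" that ends a token;
    # if there is none, fall back to the whole value.
    m = re.match(r"(?i)(.+?\.exe)(?=\s|$)", s)
    return (m.group(1) if m else s), False

def interception_candidates(image_path):
    """Paths Windows tries before the real binary when the path is unquoted."""
    path, quoted = executable_part(image_path)
    if quoted:
        return []
    # Each space is a point where Windows may treat the prefix as the program.
    return [path[:i] + ".exe" for i, ch in enumerate(path) if ch == " "]

def build_watchlist(services):
    """Map lower-cased candidate path -> services exposed through it."""
    watch = {}
    for name, image_path in services.items():
        for cand in interception_candidates(image_path):
            watch.setdefault(cand.lower(), []).append(name)
    return watch

def flag_file_creations(events, watch):
    """Return (dest, file_path, affected services) for events on a watched path."""
    return [(e["dest"], e["file_path"], watch[e["file_path"].lower()])
            for e in events if e["file_path"].lower() in watch]

if __name__ == "__main__":
    for hit in flag_file_creations(SAMPLE_EVENTS, build_watchlist(SAMPLE_IMAGE_PATHS)):
        print(hit)
```

Quoting the ImagePath value in the registry removes a service from the watchlist, which is the fix for the underlying weakness.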