Rules: PATH Set to Current Directory
The PATH environment variable should always be set to an absolute directory pathing. Referencing the current directory is considered bad practice as it can lead to unintentional file execution or malicious abuse, as with CVE-2021-4034 (pkexec privilege escalation).
| Detail | Value |
|---|---|
| Type | Templated Match |
| Category | Privilege Escalation |
| Apply Risk to Entities | device_hostname, user_username |
| Signal Name | PATH Variable Set to Current Directory |
| Summary Expression | User: {{user_username}} executed a command on host {{device_hostname}} to set the PATH variable |
| Score/Severity | Static: 4 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0004, _mitreAttackTechnique:T1574, _mitreAttackTechnique:T1574.007 |
| Origin | Field |
|---|---|
| Normalized Schema | commandLine |
| Normalized Schema | device_hostname |
| Normalized Schema | user_username |