Environment Variable $Path Interception
It's possible to abuse
$PATH
environment variable to elevate privileges if the variable:- contains a folder that a malicious user can write to
- that folder precedes c:\windows\system32\
Below is an example, showing how c:\temp precedes c:\windows\system32:

Let's make sure c:\temp is (M)odifiable by low privileged users:

Let's now drop our malicious file (calc.exe in this case) into c:\temp and call it cmd.exe:

Now, the next time a high privileged user invokes cmd.exe, our malicious cmd.exe will be invoked from the c:\temp:

This can be very easily abused in environments where software deployment packages call powershell, cmd, cscript and other similar system binaries with
NT SYSTEM
privileges to carry out their tasks.