T1574 Hijack Execution Flow Mappings

Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.

There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1574 Hijack Execution Flow
AC-3 Access Enforcement Protects T1574 Hijack Execution Flow
AC-4 Information Flow Enforcement Protects T1574 Hijack Execution Flow
AC-5 Separation of Duties Protects T1574 Hijack Execution Flow
AC-6 Least Privilege Protects T1574 Hijack Execution Flow
CA-7 Continuous Monitoring Protects T1574 Hijack Execution Flow
CA-8 Penetration Testing Protects T1574 Hijack Execution Flow
CM-2 Baseline Configuration Protects T1574 Hijack Execution Flow
CM-5 Access Restrictions for Change Protects T1574 Hijack Execution Flow
CM-6 Configuration Settings Protects T1574 Hijack Execution Flow
CM-7 Least Functionality Protects T1574 Hijack Execution Flow
CM-8 System Component Inventory Protects T1574 Hijack Execution Flow
IA-2 Identification and Authentication (organizational Users) Protects T1574 Hijack Execution Flow
RA-5 Vulnerability Monitoring and Scanning Protects T1574 Hijack Execution Flow
SI-10 Information Input Validation Protects T1574 Hijack Execution Flow
SI-2 Flaw Remediation Protects T1574 Hijack Execution Flow
SI-3 Malicious Code Protection Protects T1574 Hijack Execution Flow
SI-4 System Monitoring Protects T1574 Hijack Execution Flow
SI-7 Software, Firmware, and Information Integrity Protects T1574 Hijack Execution Flow
action.hacking.variety.Hijack To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes) related-to T1574 Hijack Execution Flow
action.hacking.variety.Unknown Unknown related-to T1574 Hijack Execution Flow
action.hacking.variety.XML injection XML injection. Child of 'Exploit vuln'. related-to T1574 Hijack Execution Flow

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1574.007 Path Interception by PATH Environment Variable 16
T1574.011 Services Registry Permissions Weakness 3
T1574.001 DLL Search Order Hijacking 13
T1574.008 Path Interception by Search Order Hijacking 16
T1574.006 Dynamic Linker Hijacking 4
T1574.005 Executable Installer File Permissions Weakness 15
T1574.010 Services File Permissions Weakness 13
T1574.013 KernelCallbackTable 7
T1574.009 Path Interception by Unquoted Path 16
T1574.002 DLL Side-Loading 13
T1574.004 Dylib Hijacking 16
T1574.012 COR_PROFILER 10