Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.
There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
intel-vt | Intel Virtualization Technology | Win 11, VBS, Memory Integrity | T1574 | Hijack Execution Flow | Comments |
Memory integrity is a virtualization-based security (VBS) feature that protects and hardens Windows by running kernel-mode code integrity inside the isolated virtual environment of VBS, which itself relies on Intel VT-x. Memory integrity also restricts kernel memory allocations that could be used to compromise the system. Memory integrity is sometimes referred to as hypervisor-protected code integrity (HVCI). VBS provides an isolated environment that acts as a root of trust for the OS and its core components. It is enabled by Intel VT-x, VT-x2 with Extended Page Tables, SMMUs (Intel VT-d) and Secure Boot (Intel Boot Guard).
Memory integrity protects against behaviors that involve exploitation of kernel components, including core drivers in memory, changing security configurations, and running code that is not trusted based on its signature.
"HVCI protects modification of the Control Flow Guard (CFG) bitmap for kernel mode drivers. Protects the kernel mode code integrity process that ensures that other trusted kernel processes have a valid certificate."
"Hypervisor-protected code integrity introduces a new rule that no kernel memory pages are both writeable and executable, which eliminates an entire category of attacks that dynamically generate code. Additionally, HVCI comes enabled with a code integrity security policy that blocks drivers known to be used in kernel tampering, including Mimikatz, the old vulnerable VBox driver, and the Capcom driver commonly used in rootkits. Ultimately, HVCI provides optimal protection for the kernel against tampering and escalation of privilege attacks. ... With HVCI enabled, attempts to modify the process structures will fail, preventing the protected process flag from being removed, which prevents process memory inspection or module injection into LSA."
Hardware-enforced stack protection (HWESP) relies on Virtualization-based Security (VBS), which uses Intel PTT, Intel VT-x, Intel VT-d and Intel Boot Guard to ensure that the loaded OS components have not been tampered with and to isolate security-sensitive processes. Additionally, it uses Intel Control-flow Enforcement Technology (Intel CET) so that hardware can ensure that sensitive regions of process memory (such as the stack) are not tampered with, whether by injecting code, by changing the control flow of the code, or both.
HWESP includes four components: Code Integrity Guard, Arbitrary Code Guard, Control Flow Guard and Shadow Stack protections.
- Code Integrity Guard attempts to prevent "... arbitrary code generation by enforcing signature requirements for loading binaries".
- Arbitrary Code Guard attempts to ensure "... signed pages are immutable and dynamic code cannot be generated ...".
- Control Flow Guard ensures control flow integrity by enforcing "... integrity on indirect calls (forward-edge CFI)."
- Shadow Stack ensures control flow integrity by enforcing "... integrity on return addresses on the stack (backward-edge CFI)."
Together these features aim to ensure the integrity of binary images run on Windows 11 and to prevent dynamic code from running or changing the control flow of the code. Since these features offer real-time protection for sensitive regions of memory, they are marked as offering significant protection.
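To confirm on a Windows 11 host that the protections described in these notes are actually active, the following PowerShell script queries the Win32_DeviceGuard WMI class (which reports VBS status and the security services configured and running; in Microsoft's documented numbering, service ID 2 is HVCI / Memory Integrity and 5 is kernel-mode Hardware-enforced Stack Protection) together with the DeviceGuard KernelShadowStacks registry scenario. This is an added example, not part of the Mappings Explorer page or of Intel or Microsoft documentation; the function name Get-VbsProtectionStatus is the example's own, and the service-ID and property-value interpretations follow Microsoft's published values for the class.

```powershell
# Added example (not from the Mappings Explorer page or Intel/Microsoft): report whether
# VBS / Memory Integrity (HVCI) and kernel-mode HWESP, as described in the notes above,
# are configured and running on this host. Run from an elevated PowerShell session.

function Get-VbsProtectionStatus {
    [CmdletBinding()]
    param()

    # Win32_DeviceGuard exposes the VBS state and the security services configured/running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

    # Documented VirtualizationBasedSecurityStatus values: 0 = off, 1 = enabled but not running, 2 = running.
    $vbsState = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Off' }
        1       { 'Enabled, not running' }
        2       { 'Running' }
        default { "Unknown ($_)" }
    }

    # SecurityServicesConfigured/Running are arrays of service IDs (documented by Microsoft):
    # 1 = Credential Guard, 2 = HVCI (Memory Integrity),
    # 5 = kernel-mode Hardware-enforced Stack Protection, 6 = the same in audit mode.
    $configured = @($dg.SecurityServicesConfigured)
    $running    = @($dg.SecurityServicesRunning)

    # Kernel-mode HWESP is also exposed as a DeviceGuard "scenario" key in the registry (Enabled = 1).
    $ksKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelShadowStacks'
    $ksEnabled = (Get-ItemProperty -Path $ksKey -Name Enabled -ErrorAction SilentlyContinue).Enabled -eq 1

    [pscustomobject]@{
        ComputerName                = $env:COMPUTERNAME
        VbsStatus                   = $vbsState
        HvciConfigured              = $configured -contains 2
        HvciRunning                 = $running    -contains 2
        KernelHwespConfigured       = $configured -contains 5
        KernelHwespRunning          = $running    -contains 5
        KernelHwespAuditMode        = $running    -contains 6
        KernelShadowStacksRegistry  = $ksEnabled
        # Raw hardware prerequisites reported by the platform (e.g. 2 = Secure Boot, 3 = DMA protection),
        # kept as a list so a triage run can see which prerequisite is missing when VBS is not running.
        AvailableSecurityProperties = (@($dg.AvailableSecurityProperties) -join ',')
    }
}

# Usage: print the status and warn when Memory Integrity is configured but not actually running,
# the state most often caused by a disabled prerequisite (Secure Boot, VT-x/VT-d) or an incompatible driver.
$status = Get-VbsProtectionStatus
$status | Format-List

if ($status.HvciConfigured -and -not $status.HvciRunning) {
    Write-Warning 'HVCI is configured but not running; check Secure Boot, VT-x/VT-d (IOMMU) and driver compatibility.'
}
```

A fleet-wide version of this check is a useful baseline control for the mappings in this row: the page marks these features as offering significant protection only while they are running, so "configured but not running" should be treated as a finding rather than as compliant.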
intel-vt | Intel Virtualization Technology | Win 11, HWESP | T1574 | Hijack Execution Flow | Comments |
Memory integrity is a virtualization-based security (VBS) feature that protects and hardens Windows by running kernel-mode code integrity inside the isolated virtual environment of VBS, which itself relies on Intel VT-x. Memory integrity also restricts kernel memory allocations that could be used to compromise the system. Memory integrity is sometimes referred to as hypervisor-protected code integrity (HVCI). VBS provides an isolated environment that acts as a root of trust for the OS and its core components. It is enabled by Intel VT-x, VT-x2 with Extended Page Tables, SMMUs (Intel VT-d) and Secure Boot (Intel Boot Guard).
Memory integrity protects against behaviors that involve exploitation of kernel components, including core drivers in memory, changing security configurations, and running code that is not trusted based on its signature.
"HVCI protects modification of the Control Flow Guard (CFG) bitmap for kernel mode drivers. Protects the kernel mode code integrity process that ensures that other trusted kernel processes have a valid certificate."
"Hypervisor-protected code integrity introduces a new rule that no kernel memory pages are both writeable and executable, which eliminates an entire category of attacks that dynamically generate code. Additionally, HVCI comes enabled with a code integrity security policy that blocks drivers known to be used in kernel tampering, including Mimikatz, the old vulnerable VBox driver, and the Capcom driver commonly used in rootkits. Ultimately, HVCI provides optimal protection for the kernel against tampering and escalation of privilege attacks. ... With HVCI enabled, attempts to modify the process structures will fail, preventing the protected process flag from being removed, which prevents process memory inspection or module injection into LSA."
Hardware-enforced stack protection (HWESP) relies on Virtualization-based Security (VBS), which uses Intel PTT, Intel VT-x, Intel VT-d and Intel Boot Guard to ensure that the loaded OS components have not been tampered with and to isolate security-sensitive processes. Additionally, it uses Intel Control-flow Enforcement Technology (Intel CET) so that hardware can ensure that sensitive regions of process memory (such as the stack) are not tampered with, whether by injecting code, by changing the control flow of the code, or both.
HWESP includes four components: Code Integrity Guard, Arbitrary Code Guard, Control Flow Guard and Shadow Stack protections.
- Code Integrity Guard attempts to prevent "... arbitrary code generation by enforcing signature requirements for loading binaries".
- Arbitrary Code Guard attempts to ensure "... signed pages are immutable and dynamic code cannot be generated ...".
- Control Flow Guard ensures control flow integrity by enforcing "... integrity on indirect calls (forward-edge CFI)."
- Shadow Stack ensures control flow integrity by enforcing "... integrity on return addresses on the stack (backward-edge CFI)."
Together these features aim to ensure the integrity of binary images run on Windows 11 and to prevent dynamic code from running or changing the control flow of the code. Since these features offer real-time protection for sensitive regions of memory, they are marked as offering significant protection.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CVE-2020-5735 | Amcrest Cameras and NVR Stack-based Buffer Overflow Vulnerability | primary_impact | T1574 | Hijack Execution Flow | Comments |
CVE-2020-5735 is a stack-based buffer overflow vulnerability in Amcrest cameras and NVR that allows an authenticated remote attacker to possibly execute unauthorized code over port 37777 and crash the device.
CVE-2016-1010 | Adobe Flash Player and AIR Integer Overflow Vulnerability | exploitation_technique | T1574 | Hijack Execution Flow | Comments |
This vulnerability is exploited via an integer overflow.
CVE-2022-41328 | Fortinet FortiOS Path Traversal Vulnerability | exploitation_technique | T1574 | Hijack Execution Flow | Comments |
CVE-2022-41328 is a path traversal vulnerability that allows a privileged attacker to read and write files on the underlying Linux system via crafted CLI commands. Adversaries have been observed modifying files that establish persistence upon boot. The malicious files provide the adversaries with the following capabilities: data exfiltration, downloading and writing files, a remote shell, and discovery of network connections.
CVE-2022-42475 | Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability | primary_impact | T1574 | Hijack Execution Flow | Comments |
CVE-2022-42475 is a remotely exploitable heap overflow vulnerability. Adversaries have been observed exploiting this vulnerability to deliver malicious software to the target device. This malicious software has been observed to have anti-debugging and command-and-control capabilities (over HTTP).
CVE-2024-21762 | Fortinet FortiOS Out-of-Bound Write Vulnerability | exploitation_technique | T1574 | Hijack Execution Flow | Comments |
This vulnerability allows adversaries to execute arbitrary code via specially crafted HTTP requests that trigger an out-of-bounds write.
CVE-2023-27997 | Fortinet FortiOS and FortiProxy SSL-VPN Heap-Based Buffer Overflow Vulnerability | exploitation_technique | T1574 | Hijack Execution Flow | Comments |
This buffer overflow vulnerability allows adversaries to remotely execute arbitrary code via specially crafted requests. Adversaries have been observed adding accounts to configuration files.
CVE-2023-3519 | Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability | exploitation_technique | T1574 | Hijack Execution Flow | Comments |
This vulnerability allows unauthenticated remote code execution. It can be exploited via an HTTP GET request that triggers a stack buffer overflow. Adversaries have been observed using this exploit to drop a webshell on a target machine and subsequently discover, collect, and exfiltrate Active Directory data.
CVE-2023-6549 | Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability | exploitation_technique | T1574 | Hijack Execution Flow | Comments |
This buffer overflow vulnerability can be exploited to cause a denial of service.
CVE-2023-4966 | Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability | exploitation_technique | T1574 | Hijack Execution Flow | Comments |
This is a buffer overflow vulnerability that results in unauthorized disclosure of memory, including session tokens.
CVE-2017-6742 | Cisco IOS and IOS XE Software SNMP Remote Code Execution Vulnerability | exploitation_technique | T1574 | Hijack Execution Flow | Comments |
CVE-2017-6742 is a Simple Network Management Protocol (SNMP) vulnerability in Cisco products caused by a buffer overflow condition in the SNMP subsystem.
As reported by the NCSC, threat actors exploited CVE-2017-6742 to perform reconnaissance, enumerate router interfaces and deploy custom malware known as "Jaguar Tooth", as detailed in the NCSC's Jaguar Tooth malware analysis report. This malware obtains further device information, which is then exfiltrated over Trivial File Transfer Protocol (TFTP), and enables unauthenticated access via a backdoor.