1. Home
  2. ATT&CK Techniques
  3. T1574 Hijack Execution Flow

T1574 Hijack Execution Flow

Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.

There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.

View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CA-07 Continuous Monitoring mitigates T1574 Hijack Execution Flow
CM-06 Configuration Settings mitigates T1574 Hijack Execution Flow
CM-05 Access Restrictions for Change mitigates T1574 Hijack Execution Flow
SI-02 Flaw Remediation mitigates T1574 Hijack Execution Flow
RA-05 Vulnerability Monitoring and Scanning mitigates T1574 Hijack Execution Flow
CM-08 System Component Inventory mitigates T1574 Hijack Execution Flow
SI-10 Information Input Validation mitigates T1574 Hijack Execution Flow
SI-03 Malicious Code Protection mitigates T1574 Hijack Execution Flow
SI-07 Software, Firmware, and Information Integrity mitigates T1574 Hijack Execution Flow
CM-02 Baseline Configuration mitigates T1574 Hijack Execution Flow
CM-02 Baseline Configuration mitigates T1574 Hijack Execution Flow
IA-02 Identification and Authentication (Organizational Users) mitigates T1574 Hijack Execution Flow
CM-07 Least Functionality mitigates T1574 Hijack Execution Flow
SI-04 System Monitoring mitigates T1574 Hijack Execution Flow
AC-02 Account Management mitigates T1574 Hijack Execution Flow
AC-03 Access Enforcement mitigates T1574 Hijack Execution Flow
AC-04 Information Flow Enforcement mitigates T1574 Hijack Execution Flow
AC-05 Separation of Duties mitigates T1574 Hijack Execution Flow
AC-06 Least Privilege mitigates T1574 Hijack Execution Flow

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.hacking.variety.Hijack To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes) related-to T1574 Hijack Execution Flow
action.hacking.variety.Unknown Unknown related-to T1574 Hijack Execution Flow
action.hacking.variety.XML injection XML injection. Child of 'Exploit vuln'. related-to T1574 Hijack Execution Flow

Azure Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring technique_scores T1574 Hijack Execution Flow
Comments
This control can detect hijacked execution flow.
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service technique_scores T1574 Hijack Execution Flow
Comments
This control only addresses a minority of this technique's procedure examples and provides minimal detection of some of its sub-techniques resulting in an overall Minimal score.
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference
  2. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-app-service-introduction
  3. https://azure.microsoft.com/en-us/services/app-service/
  4. https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
google_secops Google Security Operations technique_scores T1574 Hijack Execution Flow
Comments
Google Security Ops is able to trigger alerts based on suspicious system processes that could indicate hijacking via malicious payloads. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/antivirus/detects_powershell_attack__via_av_ids.yaral
References
  1. ['https://cloud.google.com/security/products/security-operations'
  2. 'https://cloud.google.com/chronicle/docs/secops/secops-overview'
  3. 'https://github.com/chronicle/detection-rules']

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1574.007 Path Interception by PATH Environment Variable 19
T1574.011 Services Registry Permissions Weakness 3
T1574.001 DLL Search Order Hijacking 14
T1574.014 AppDomainManager 13
T1574.008 Path Interception by Search Order Hijacking 18
T1574.006 Dynamic Linker Hijacking 5
T1574.005 Executable Installer File Permissions Weakness 15
T1574.010 Services File Permissions Weakness 13
T1574.013 KernelCallbackTable 9
T1574.009 Path Interception by Unquoted Path 18
T1574.002 DLL Side-Loading 13
T1574.004 Dylib Hijacking 16
T1574.012 COR_PROFILER 10