Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.
There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.PS-06.01 | Secure SDLC process | Mitigates | T1574 | Hijack Execution Flow |
Comments
This diagnostic statement provides for secure application development processes and procedures, such as including hash values in manifest files to help prevent side-loading of malicious libraries.
References
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1574 | Hijack Execution Flow |
Comments
This diagnostic statement protects endpoints from certain types of behaviors related to process injection/memory tampering through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
References
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1574 | Hijack Execution Flow |
Comments
This diagnostic statement protects against Hijack Execution Flow through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
References
|
| ID.RA-01.03 | Vulnerability management | Mitigates | T1574 | Hijack Execution Flow |
Comments
This diagnostic statement provides protection from vulnerabilities in exposed applications from across the organization through the use of tools that scan for and review vulnerabilities along with patch management and remediation of those vulnerabilities.
References
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1574 | Hijack Execution Flow |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence.
References
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1574 | Hijack Execution Flow |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, updating software regularly to include patches that fix DLL side-loading vulnerabilities can help mitigate execution of malicious payloads by hijacking execution flow.
References
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1574 | Hijack Execution Flow |
Comments
This diagnostic statement provides protection from Hijack Execution Flow through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1574 | Hijack Execution Flow |
Comments
This diagnostic statement protects against Hijack Execution Flow through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| PR.PS-06.07 | Development and operational process alignment | Mitigates | T1574 | Hijack Execution Flow |
Comments
This diagnostic statement protects against Hijack Execution Flow through the use of DevSecOps, secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Hijack | To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes) | related-to | T1574 | Hijack Execution Flow | |
| action.hacking.variety.Unknown | Unknown | related-to | T1574 | Hijack Execution Flow | |
| action.hacking.variety.XML injection | XML injection. Child of 'Exploit vuln'. | related-to | T1574 | Hijack Execution Flow |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| microsoft_sentinel | Microsoft Sentinel | technique_scores | T1574 | Hijack Execution Flow |
Comments
This control can identify several of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.
References
|
| file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | technique_scores | T1574 | Hijack Execution Flow |
Comments
This control can detect hijacked execution flow.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1574 | Hijack Execution Flow |
Comments
This control only addresses a minority of this technique's procedure examples and provides minimal detection of some of its sub-techniques resulting in an overall Minimal score.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1574 | Hijack Execution Flow |
Comments
Google Security Ops is able to trigger alerts based on suspicious system processes that could indicate hijacking via malicious payloads.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/antivirus/detects_powershell_attack__via_av_ids.yaral
References
|