Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.
There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.PS-06.01 | Secure SDLC process | Mitigates | T1574 | Hijack Execution Flow |
Comments
This diagnostic statement provides for secure application development processes and procedures, such as including hash values in manifest files to help prevent side-loading of malicious libraries.
References
|
PR.PS-01.08 | End-user device protection | Mitigates | T1574 | Hijack Execution Flow |
Comments
This diagnostic statement protects endpoints from certain types of behaviors related to process injection/memory tampering through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
References
|
DE.CM-09.01 | Software and data integrity checking | Mitigates | T1574 | Hijack Execution Flow |
Comments
This diagnostic statement protects against Hijack Execution Flow through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
References
|
ID.RA-01.03 | Vulnerability management | Mitigates | T1574 | Hijack Execution Flow |
Comments
This diagnostic statement provides protection from vulnerabilities in exposed applications from across the organization through the use of tools that scan for and review vulnerabilities along with patch management and remediation of those vulnerabilities.
References
|
PR.AA-05.01 | Access privilege limitation | Mitigates | T1574 | Hijack Execution Flow |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence.
References
|
PR.PS-02.01 | Patch identification and application | Mitigates | T1574 | Hijack Execution Flow |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, updating software regularly to include patches that fix DLL side-loading vulnerabilities can help mitigate execution of malicious payloads by hijacking execution flow.
References
|
PR.PS-01.03 | Configuration deviation | Mitigates | T1574 | Hijack Execution Flow |
Comments
This diagnostic statement provides protection from Hijack Execution Flow through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
References
|
PR.AA-01.01 | Identity and credential management | Mitigates | T1574 | Hijack Execution Flow |
Comments
This diagnostic statement protects against Hijack Execution Flow through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
PR.PS-06.07 | Development and operational process alignment | Mitigates | T1574 | Hijack Execution Flow |
Comments
This diagnostic statement protects against Hijack Execution Flow through the use of DevSecOps, secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CVE-2022-3038 | Google Chromium Network Service Use-After-Free Vulnerability | primary_impact | T1574 | Hijack Execution Flow |
Comments
This vulnerability has been exploited by a remote attacker to perform a sandbox escape via a crafted HTML page that allowed the attacker to exploit a heap corruption. This vulnerability was chained together with other CVEs during a spyware campaign performed by a customer or partner of a Spanish spyware company known as Variston IT.
References
|
CVE-2022-41073 | Microsoft Windows Print Spooler Privilege Escalation Vulnerability | secondary_impact | T1574 | Hijack Execution Flow |
Comments
This vulnerability is exploited by an attacker who has obtained access to manipulate the Print Spooler service on the target system. The vulnerability lies in the Print Spooler, specifically involving XML manipulation and path traversal to a writable path containing a modified version of the `prntvpt.dll` file. This vulnerability has been exploited by threat actors to load unauthorized code on Windows systems. Attackers leveraged this flaw to execute arbitrary code, allowing them to manipulate system processes and potentially deploy additional malware or perform further malicious activities.
The exploit in question is actively being used in the wild. It involves exploiting the path traversal vulnerability to load a malicious DLL by manipulating the Print Spooler service. Once the vulnerability is exploited, attackers can bypass impersonation controls to load untrusted resources, thereby executing arbitrary code with elevated privileges.
References
|
CVE-2016-1010 | Adobe Flash Player and AIR Integer Overflow Vulnerability | exploitation_technique | T1574 | Hijack Execution Flow |
Comments
This vulnerability is exploited via an integer overflow.
References
|
CVE-2023-7024 | Google Chromium WebRTC Heap Buffer Overflow Vulnerability | primary_impact | T1574 | Hijack Execution Flow |
Comments
This heap buffer overflow vulnerability is exploited by a remote attacker via a crafted HTML page. This vulnerability has been leveraged by the NSO group to enable remote code execution within a browser's WebRTC component to install the spyware Pegasus on victim endpoints.
References
|
CVE-2023-6549 | Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability | exploitation_technique | T1574 | Hijack Execution Flow |
Comments
This buffer overflow vulnerability can be exploited to cause a denial of service.
References
|
CVE-2023-5217 | Google Chromium libvpx Heap Buffer Overflow Vulnerability | primary_impact | T1574 | Hijack Execution Flow |
Comments
This vulnerability was exploited by a remote attacker using a crafted HTML page to trigger a heap buffer overflow in the vp8 encoding of libvpx, leading to heap corruption. This flaw was part of a spyware campaign. The exploitation allowed for program crashes or arbitrary code execution, ultimately resulting in the installation of spyware.
References
|
CVE-2023-4966 | Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability | exploitation_technique | T1574 | Hijack Execution Flow |
Comments
This is a buffer overflow vulnerability that results in unauthorized disclosure of memory, including session tokens.
References
|
CVE-2023-27997 | Fortinet FortiOS and FortiProxy SSL-VPN Heap-Based Buffer Overflow Vulnerability | exploitation_technique | T1574 | Hijack Execution Flow |
Comments
This buffer overflow vulnerability allows adversaries to remotely execute arbitrary code via specially crafted requests.
Adversaries have been observed adding accounts to config files
References
|
CVE-2022-42475 | Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability | primary_impact | T1574 | Hijack Execution Flow |
Comments
CVE-2022-42475 is a remotely-expoitable heap overflow vulnerability. Adversaries have been observed exploiting this vulnerability to deliver malicious software to the target device.
This malicious software has observed anti-debugging and command and control capabilities (over HTTP).
References
|
CVE-2020-5735 | Amcrest Cameras and NVR Stack-based Buffer Overflow Vulnerability | primary_impact | T1574 | Hijack Execution Flow |
Comments
CVE-2020-5735 is a stack-based buffer overflow vulnerability in Amcrest cameras and NVR that allows an authenticated remote attacker to possibly execute unauthorized code over port 37777 and crash the device.
References
|
CVE-2017-6742 | Cisco IOS and IOS XE Software SNMP Remote Code Execution Vulnerability | exploitation_technique | T1574 | Hijack Execution Flow |
Comments
CVE-2017-6742 is a Simple Network Management Protocol (SNMP) vulnerability in Cisco products related to a buffer overflow condition in the SNMP subsystem.
Reported by the NCSC, threat actors exploited CVE-2017-6742 to perform reconnaissance, enumerate router interfaces and deploy custom malware known as "Jaguar Tooth", as detailed in the NCSC’s Jaguar Tooth malware analysis report. This malware obtains further device information which is then exfiltrated over trivial file transfer protocol (TFTP) and enables unauthenticated access via a backdoor.
References
|
CVE-2024-21762 | Fortinet FortiOS Out-of-Bound Write Vulnerability | primary_impact | T1574 | Hijack Execution Flow |
Comments
This vulnerability allows adversaries to execute arbitrary code via specially crafted http requests that trigger an out of bounds write. Threat actors have been observed implementing a symbolic link, left behind to maintain read-only access to impacted devices.
References
|
CVE-2025-27363 | FreeType Out-of-Bounds Write Vulnerability | primary_impact | T1574 | Hijack Execution Flow |
Comments
Out of bounds write exists in FreeType that has been exploited through malicious font files, causing the application to crash.
References
|
CVE-2022-1040 | Sophos Firewall Authentication Bypass Vulnerability | secondary_impact | T1574 | Hijack Execution Flow |
Comments
This authentication bypass vulnerability is exploited by remote attackers via the User Portal and Webadmin components. This vulnerability allows an attacker to execute arbitrary code on the victim machine.
It was actively exploited by Chinese state-sponsored APT groups, including "Drifting Cloud," to target organizations and governments across South Asia, particularly in Afghanistan, Bhutan, India, Nepal, Pakistan, and Sri Lanka. The attackers leveraged this vulnerability to deploy webshells, conduct man-in-the-middle attacks by modifying DNS responses, and intercept user credentials and session cookies from content management systems.
This vulnerability was exploited by Chinese state-sponsored threat actors as part of a broader campaign named "Pacific Rim." This campaign involved multiple Chinese APT groups, including APT31, APT41, and Volt Typhoon, targeting Sophos firewalls. The backdoor PygmyGoat, a novel rootkit that takes the form of a shared object ("libsophos.so"), has been found to be delivered following the exploitation of this vulnerability. The use of the rootkit was observed between March and April 2022 on a government device and a technology partner, and again in May 2022 on a machine in a military hospital based in Asia.
This vulnerability was also exploited by at least two advanced persistent threat (APT) groups in a highly targeted attack campaign. The attackers used the vulnerability to place malicious files into a fixed filesystem location on affected devices, leveraging a combination of authentication bypass and command injection to execute arbitrary commands as root.
The attack involved deploying various malware families, including GoMet and Gh0st RAT, to maintain persistent access and exfiltrate sensitive data. The attackers demonstrated significant knowledge of the device firmware, using custom ELF binaries and runtime packers like VMProtect to complicate analysis. They manipulated internal commands to move and manipulate files, execute processes, and exfiltrate data. The campaign targeted network security devices, employing a two-stage attack to drop remote access tools and execute commands remotely.
References
|
CVE-2023-3519 | Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability | exploitation_technique | T1574 | Hijack Execution Flow |
Comments
This vulnerability allows for unauthenticated remote code execution. This can be exploited via an HTTP GET request that triggers a stack buffer overflow. Adversaries have been observed to use this exploitation to drop a webshell on a target machine and subsequently discover, collect, and exfiltrate active directory data.
References
|
CVE-2022-41328 | Fortinet FortiOS Path Traversal Vulnerability | exploitation_technique | T1574 | Hijack Execution Flow |
Comments
CVE-2022-41328 is a path traversal vulnerability that allows a privileged attacked to read and write to files on the underlying Linux system via crafted CLI commands. Adversaries have been observed modifying files that establish persistence upon boot. The malicious files provide the adversaries with the capabilities of: data exfiltration, download/write files, remote shell, and discovery of network connections.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Hijack | To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes) | related-to | T1574 | Hijack Execution Flow | |
action.hacking.variety.Unknown | Unknown | related-to | T1574 | Hijack Execution Flow | |
action.hacking.variety.XML injection | XML injection. Child of 'Exploit vuln'. | related-to | T1574 | Hijack Execution Flow |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
microsoft_sentinel | Microsoft Sentinel | technique_scores | T1574 | Hijack Execution Flow |
Comments
This control can identify several of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | technique_scores | T1574 | Hijack Execution Flow |
Comments
This control can detect hijacked execution flow.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1574 | Hijack Execution Flow |
Comments
This control only addresses a minority of this technique's procedure examples and provides minimal detection of some of its sub-techniques resulting in an overall Minimal score.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
google_secops | Google Security Operations | technique_scores | T1574 | Hijack Execution Flow |
Comments
Google Security Ops is able to trigger alerts based on suspicious system processes that could indicate hijacking via malicious payloads.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/antivirus/detects_powershell_attack__via_av_ids.yaral
References
|