T1574 Hijack Execution Flow

Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.

There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.
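
The two lookup mechanisms described above can be audited by reproducing the search logic. The Python below is an added example, not code from the ATT&CK page or the Mappings Explorer; it models how CreateProcess resolves an unquoted service path containing spaces (T1574.009) and the directory order LoadLibrary uses for a DLL given by bare name (T1574.001), then reports the locations an unprivileged writer could plant a file in. The service ImagePath strings, the writable-directory set and the KnownDLLs list are constructed sample data; the stop-at-first-executable-extension rule and the fixed C:\Windows location are assumptions of the example.

```python
"""Where Windows looks before it finds the intended binary: unquoted service
paths (T1574.009) and DLL search order (T1574.001). Added example, not code
from the ATT&CK page. All paths, permissions and KnownDLLs entries are
constructed sample data, not read from a live host."""
import ntpath

EXEC_EXTENSIONS = (".exe", ".com", ".bat", ".cmd")


def _norm(d: str) -> str:
    return d.rstrip("\\").lower()


def unquoted_path_candidates(image_path: str) -> list[str]:
    """Paths CreateProcess tries, in order, for a service ImagePath.

    Documented behaviour for an unquoted path with spaces: the string is
    split at each space, '.exe' is appended when the prefix has no
    extension, and the first prefix naming an existing file is run.
    Assumption: the first prefix ending in an executable extension is the
    intended binary and everything after it is arguments."""
    if image_path.startswith('"'):          # quoted: no ambiguity
        return [image_path.split('"')[1]]
    if " " not in image_path:               # no spaces: no ambiguity
        return [image_path]
    tokens = image_path.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(EXEC_EXTENSIONS):
            candidates.append(prefix)
            break
        candidates.append(prefix + ".exe")
    return candidates


def plantable_paths(image_path: str, writable_dirs: set[str]) -> list[str]:
    """Candidates tried before the intended binary whose directory an
    unprivileged user can write to: a file planted there runs as the
    service account the next time the service starts."""
    candidates = unquoted_path_candidates(image_path)
    writable = {_norm(d) for d in writable_dirs}
    return [c for c in candidates[:-1]
            if _norm(ntpath.dirname(c)) in writable]


def dll_search_order(app_dir: str, cwd: str, path_dirs: list[str],
                     safe_dll_search_mode: bool = True,
                     windir: str = "C:\\Windows") -> list[str]:
    """Directory order for a DLL loaded by bare name with no KnownDLLs
    entry, manifest redirection or LOAD_LIBRARY_SEARCH_* flags.
    SafeDllSearchMode (the default) moves the current directory below the
    system directories; the legacy order searches it second."""
    system = [ntpath.join(windir, "System32"),
              ntpath.join(windir, "System"), windir]
    if safe_dll_search_mode:
        order = [app_dir] + system + [cwd]
    else:
        order = [app_dir, cwd] + system
    return order + list(path_dirs)


def dll_hijack_dirs(dll_name: str, legit_dir: str, writable_dirs: set[str],
                    known_dlls: set[str], **search_kwargs) -> list[str]:
    """Writable directories searched before the legitimate copy of dll_name.
    KnownDLLs are mapped from System32 without any directory search, so
    they always return an empty list."""
    if dll_name.lower() in {k.lower() for k in known_dlls}:
        return []
    writable = {_norm(d) for d in writable_dirs}
    hits = []
    for d in dll_search_order(**search_kwargs):
        if _norm(d) == _norm(legit_dir):
            break
        if _norm(d) in writable:
            hits.append(d)
    return hits


# Constructed sample data standing in for 'sc qc' output and an ACL audit.
SAMPLE_SERVICES = {
    "GoodSvc": '"C:\\Program Files\\Good Vendor\\goodsvc.exe" --service',
    "WeakSvc": "C:\\Program Files\\Weak Vendor\\Tools Dir\\weaksvc.exe -k net",
    "CoreSvc": "C:\\Windows\\system32\\svchost.exe -k netsvcs",
}
SAMPLE_WRITABLE = {"C:\\Program Files\\Weak Vendor", "C:\\Users\\Public"}
SAMPLE_KNOWN_DLLS = {"kernel32.dll", "ntdll.dll"}  # abbreviated, constructed

if __name__ == "__main__":
    for name, image in SAMPLE_SERVICES.items():
        print(name, "->", plantable_paths(image, SAMPLE_WRITABLE) or "ok")
    for safe in (True, False):
        print("SafeDllSearchMode", safe, "->", dll_hijack_dirs(
            "version.dll", "C:\\Windows\\System32", SAMPLE_WRITABLE,
            SAMPLE_KNOWN_DLLS, app_dir="C:\\Program Files\\Weak Vendor",
            cwd="C:\\Users\\Public", path_dirs=["C:\\Windows\\System32"],
            safe_dll_search_mode=safe))
```

On a real host the inputs come from the ImagePath values under the Services registry key and an ACL walk of each candidate directory; the functions take them as plain lists so the logic can be tested offline. Quoting the path is not the whole fix: the parent directories of the binary must also be non-writable, which is what plantable_paths checks, and the same applies to every directory that precedes System32 in the DLL search order.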


CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.PS-06.01 Secure SDLC process Mitigates T1574 Hijack Execution Flow
Comments
This diagnostic statement provides for secure application development processes and procedures, such as including hash values in manifest files to help prevent side-loading of malicious libraries.
PR.PS-01.08 End-user device protection Mitigates T1574 Hijack Execution Flow
Comments
This diagnostic statement protects endpoints from certain types of behaviors related to process injection/memory tampering through configuration requirements, connection requirements, and other mechanisms that protect network, application, and data integrity.
DE.CM-09.01 Software and data integrity checking Mitigates T1574 Hijack Execution Flow
Comments
This diagnostic statement protects against Hijack Execution Flow by verifying the integrity of software and firmware, loading only trusted software, ensuring privileged process integrity, and checking software signatures.
ID.RA-01.03 Vulnerability management Mitigates T1574 Hijack Execution Flow
Comments
This diagnostic statement provides protection from vulnerabilities in exposed applications across the organization through tools that scan for and review vulnerabilities, along with patch management and remediation of those vulnerabilities.
PR.AA-05.01 Access privilege limitation Mitigates T1574 Hijack Execution Flow
Comments
This diagnostic statement describes the implementation of the least privilege principle, which can be applied by limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Ensure proper permissions are set on Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence.
PR.PS-02.01 Patch identification and application Mitigates T1574 Hijack Execution Flow
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, updating software regularly to include patches that fix DLL side-loading vulnerabilities can help mitigate execution of malicious payloads by hijacking execution flow.
PR.PS-01.03 Configuration deviation Mitigates T1574 Hijack Execution Flow
Comments
This diagnostic statement provides protection from Hijack Execution Flow through the implementation of security configuration baselines for the OS and software, file integrity monitoring, and imaging. A security baseline configuration of the operating system together with integrity checking can help protect against adversaries attempting to compromise and modify software and its configuration.
PR.AA-01.01 Identity and credential management Mitigates T1574 Hijack Execution Flow
Comments
This diagnostic statement protects against Hijack Execution Flow through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
PR.PS-06.07 Development and operational process alignment Mitigates T1574 Hijack Execution Flow
Comments
This diagnostic statement protects against Hijack Execution Flow through the use of DevSecOps, a secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles.
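
PR.PS-06.01 and DE.CM-09.01 above both come down to refusing to load a library whose identity cannot be verified. As an added example (not code from the page, from CRI, or from any product it maps), the Python below builds a SHA-256 manifest of an application's DLL directory, authenticates the manifest with an HMAC standing in for a code-signing key held off-host, and refuses to declare the directory loadable if any DLL is modified, missing, or unexpected. The temporary directory, its fake .dll contents, and the key are constructed for the demonstration.

```python
"""Integrity gate for an application's DLL directory: a manifest of SHA-256
hashes, itself authenticated, is checked before the DLLs are trusted.
Added example, not code from the page or from any product it maps. The
HMAC key stands in for a code-signing key; the temporary directory and its
.dll files are constructed sample data."""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(app_dir: str) -> dict[str, str]:
    """Hash every .dll in app_dir (the set a side-loaded DLL would join)."""
    return {name: sha256_file(os.path.join(app_dir, name))
            for name in sorted(os.listdir(app_dir))
            if name.lower().endswith(".dll")}


def sign_manifest(manifest: dict[str, str], key: bytes) -> str:
    """Authenticate the manifest so an attacker who can drop a DLL cannot
    simply regenerate the manifest to match. HMAC is a stand-in for a
    signature made with a key that never lives on the host."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, "sha256").hexdigest()


def verify_app_dir(app_dir: str, manifest: dict[str, str],
                   tag: str, key: bytes) -> dict:
    """Report what differs between the signed manifest and the directory.
    safe_to_load is True only when the manifest authenticates and every
    DLL present is listed with a matching hash."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return {"manifest_ok": False, "safe_to_load": False,
                "modified": [], "missing": [], "unexpected": []}
    actual = build_manifest(app_dir)
    modified = sorted(n for n in manifest
                      if n in actual and actual[n] != manifest[n])
    missing = sorted(n for n in manifest if n not in actual)
    unexpected = sorted(n for n in actual if n not in manifest)
    return {"manifest_ok": True, "modified": modified, "missing": missing,
            "unexpected": unexpected,
            "safe_to_load": not (modified or missing or unexpected)}


def demo() -> dict:
    """Clean install; then a side-load (extra DLL) plus a patched DLL; then
    a forged manifest regenerated by the attacker without the key."""
    key = b"constructed-demo-key-not-a-real-secret"
    with tempfile.TemporaryDirectory() as app:
        for name, data in (("core.dll", b"MZ core v1"),
                           ("helper.dll", b"MZ helper v1")):
            with open(os.path.join(app, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(app)
        tag = sign_manifest(manifest, key)
        clean = verify_app_dir(app, manifest, tag, key)
        # Attacker drops version.dll beside the binary and patches helper.dll.
        with open(os.path.join(app, "version.dll"), "wb") as f:
            f.write(b"MZ planted")
        with open(os.path.join(app, "helper.dll"), "wb") as f:
            f.write(b"MZ helper backdoored")
        tampered = verify_app_dir(app, manifest, tag, key)
        forged = verify_app_dir(app, build_manifest(app), tag, key)
        return {"clean": clean, "tampered": tampered, "forged": forged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The forged case in demo() is why the manifest itself has to be authenticated: an attacker who can drop version.dll next to the binary can usually also rewrite an unsigned manifest beside it. In production the tag would be a signature checked against a public key baked into the loader, and the check would run before the first library load rather than as a periodic scan.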

NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CA-07 Continuous Monitoring mitigates T1574 Hijack Execution Flow
CM-06 Configuration Settings mitigates T1574 Hijack Execution Flow
CM-05 Access Restrictions for Change mitigates T1574 Hijack Execution Flow
SI-02 Flaw Remediation mitigates T1574 Hijack Execution Flow
RA-05 Vulnerability Monitoring and Scanning mitigates T1574 Hijack Execution Flow
CM-08 System Component Inventory mitigates T1574 Hijack Execution Flow
SI-10 Information Input Validation mitigates T1574 Hijack Execution Flow
SI-03 Malicious Code Protection mitigates T1574 Hijack Execution Flow
SI-07 Software, Firmware, and Information Integrity mitigates T1574 Hijack Execution Flow
CM-02 Baseline Configuration mitigates T1574 Hijack Execution Flow
IA-02 Identification and Authentication (Organizational Users) mitigates T1574 Hijack Execution Flow
CM-07 Least Functionality mitigates T1574 Hijack Execution Flow
SI-04 System Monitoring mitigates T1574 Hijack Execution Flow
AC-02 Account Management mitigates T1574 Hijack Execution Flow
AC-03 Access Enforcement mitigates T1574 Hijack Execution Flow
AC-04 Information Flow Enforcement mitigates T1574 Hijack Execution Flow
AC-05 Separation of Duties mitigates T1574 Hijack Execution Flow
AC-06 Least Privilege mitigates T1574 Hijack Execution Flow

Known Exploited Vulnerabilities Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CVE-2022-3038 Google Chromium Network Service Use-After-Free Vulnerability primary_impact T1574 Hijack Execution Flow
Comments
This vulnerability has been exploited by a remote attacker to perform a sandbox escape via a crafted HTML page that triggers heap corruption. It was chained with other CVEs during a spyware campaign carried out by a customer or partner of the Spanish spyware company Variston IT.
CVE-2022-41073 Microsoft Windows Print Spooler Privilege Escalation Vulnerability secondary_impact T1574 Hijack Execution Flow
Comments
This vulnerability is exploited by an attacker who already has access to manipulate the Print Spooler service on the target system. The flaw lies in the Print Spooler's handling of XML and involves path traversal to a writable path containing a modified version of the `prntvpt.dll` file. Threat actors have exploited it in the wild to load a malicious DLL through the Print Spooler: once exploited, impersonation controls can be bypassed to load untrusted resources, executing arbitrary code with elevated privileges and allowing the attacker to manipulate system processes and deploy additional malware or perform further malicious activity.
CVE-2016-1010 Adobe Flash Player and AIR Integer Overflow Vulnerability exploitation_technique T1574 Hijack Execution Flow
CVE-2023-7024 Google Chromium WebRTC Heap Buffer Overflow Vulnerability primary_impact T1574 Hijack Execution Flow
Comments
This heap buffer overflow vulnerability is exploited by a remote attacker via a crafted HTML page. It has been leveraged by the NSO Group to gain remote code execution within a browser's WebRTC component and install the Pegasus spyware on victim endpoints.
CVE-2023-6549 Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability exploitation_technique T1574 Hijack Execution Flow
Comments
This buffer overflow vulnerability can be exploited to cause a denial of service.
CVE-2023-5217 Google Chromium libvpx Heap Buffer Overflow Vulnerability primary_impact T1574 Hijack Execution Flow
Comments
This vulnerability was exploited by a remote attacker using a crafted HTML page to trigger a heap buffer overflow in the VP8 encoder of libvpx, leading to heap corruption. The flaw was part of a spyware campaign; exploitation allowed program crashes or arbitrary code execution, ultimately resulting in the installation of spyware.
CVE-2023-4966 Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability exploitation_technique T1574 Hijack Execution Flow
CVE-2023-27997 Fortinet FortiOS and FortiProxy SSL-VPN Heap-Based Buffer Overflow Vulnerability exploitation_technique T1574 Hijack Execution Flow
Comments
This buffer overflow vulnerability allows adversaries to remotely execute arbitrary code via specially crafted requests. Adversaries have been observed adding accounts to config files.
CVE-2022-42475 Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability primary_impact T1574 Hijack Execution Flow
Comments
CVE-2022-42475 is a remotely exploitable heap overflow vulnerability. Adversaries have been observed exploiting it to deliver malicious software to the target device; the observed malware has anti-debugging and command-and-control (over HTTP) capabilities.
CVE-2020-5735 Amcrest Cameras and NVR Stack-based Buffer Overflow Vulnerability primary_impact T1574 Hijack Execution Flow
Comments
CVE-2020-5735 is a stack-based buffer overflow vulnerability in Amcrest cameras and NVRs that allows an authenticated remote attacker to possibly execute unauthorized code over port 37777 and crash the device.
CVE-2017-6742 Cisco IOS and IOS XE Software SNMP Remote Code Execution Vulnerability exploitation_technique T1574 Hijack Execution Flow
Comments
CVE-2017-6742 is a Simple Network Management Protocol (SNMP) vulnerability in Cisco products related to a buffer overflow condition in the SNMP subsystem. As reported by the NCSC, threat actors exploited CVE-2017-6742 to perform reconnaissance, enumerate router interfaces and deploy custom malware known as "Jaguar Tooth", as detailed in the NCSC's Jaguar Tooth malware analysis report. This malware obtains further device information, which is then exfiltrated over Trivial File Transfer Protocol (TFTP), and enables unauthenticated access via a backdoor.
CVE-2024-21762 Fortinet FortiOS Out-of-Bound Write Vulnerability primary_impact T1574 Hijack Execution Flow
Comments
This vulnerability allows adversaries to execute arbitrary code via specially crafted HTTP requests that trigger an out-of-bounds write. Threat actors have been observed leaving behind a symbolic link to maintain read-only access to impacted devices.
CVE-2025-27363 FreeType Out-of-Bounds Write Vulnerability primary_impact T1574 Hijack Execution Flow
Comments
An out-of-bounds write in FreeType has been exploited through malicious font files, causing the application to crash.
CVE-2022-1040 Sophos Firewall Authentication Bypass Vulnerability secondary_impact T1574 Hijack Execution Flow
Comments
This authentication bypass vulnerability is exploited by remote attackers via the User Portal and Webadmin components and allows an attacker to execute arbitrary code on the victim machine. It was actively exploited by Chinese state-sponsored APT groups, including "Drifting Cloud," to target organizations and governments across South Asia, particularly in Afghanistan, Bhutan, India, Nepal, Pakistan, and Sri Lanka. The attackers leveraged this vulnerability to deploy webshells, conduct man-in-the-middle attacks by modifying DNS responses, and intercept user credentials and session cookies from content management systems.
The vulnerability was also exploited by Chinese state-sponsored threat actors as part of a broader campaign named "Pacific Rim," which involved multiple Chinese APT groups, including APT31, APT41, and Volt Typhoon, targeting Sophos firewalls. The backdoor PygmyGoat, a novel rootkit that takes the form of a shared object ("libsophos.so"), has been delivered following exploitation of this vulnerability. Use of the rootkit was observed between March and April 2022 on a government device and a technology partner, and again in May 2022 on a machine in a military hospital based in Asia.
The vulnerability was further exploited by at least two advanced persistent threat (APT) groups in a highly targeted attack campaign. The attackers used it to place malicious files into a fixed filesystem location on affected devices, combining the authentication bypass with command injection to execute arbitrary commands as root. The attack deployed various malware families, including GoMet and Gh0st RAT, to maintain persistent access and exfiltrate sensitive data. The attackers demonstrated significant knowledge of the device firmware, using custom ELF binaries and runtime packers like VMProtect to complicate analysis. They manipulated internal commands to move and manipulate files, execute processes, and exfiltrate data. The campaign targeted network security devices, employing a two-stage attack to drop remote access tools and execute commands remotely.
CVE-2023-3519 Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability exploitation_technique T1574 Hijack Execution Flow
Comments
This vulnerability allows unauthenticated remote code execution. It can be exploited via an HTTP GET request that triggers a stack buffer overflow. Adversaries have been observed using this exploit to drop a webshell on a target machine and subsequently discover, collect, and exfiltrate Active Directory data.
CVE-2022-41328 Fortinet FortiOS Path Traversal Vulnerability exploitation_technique T1574 Hijack Execution Flow
Comments
CVE-2022-41328 is a path traversal vulnerability that allows a privileged attacker to read and write files on the underlying Linux system via crafted CLI commands. Adversaries have been observed modifying files that establish persistence upon boot. The malicious files provide the adversaries with data exfiltration, file download/write, remote shell, and network connection discovery capabilities.

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.hacking.variety.Hijack To assume control over and steal functionality for an illicit purpose (e.g. hijacking a phone number to intercept SMS verification codes) related-to T1574 Hijack Execution Flow
action.hacking.variety.Unknown Unknown related-to T1574 Hijack Execution Flow
action.hacking.variety.XML injection XML injection. Child of 'Exploit vuln'. related-to T1574 Hijack Execution Flow

Azure Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
microsoft_sentinel Microsoft Sentinel technique_scores T1574 Hijack Execution Flow
Comments
This control can identify several of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring technique_scores T1574 Hijack Execution Flow
Comments
This control can detect hijacked execution flow.
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service technique_scores T1574 Hijack Execution Flow

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
google_secops Google Security Operations technique_scores T1574 Hijack Execution Flow
Comments
Google Security Ops is able to trigger alerts based on suspicious system processes that could indicate hijacking via malicious payloads. This technique was scored as minimal based on a low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/antivirus/detects_powershell_attack__via_av_ids.yaral

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1574.001 DLL Search Order Hijacking 18
T1574.002 DLL Side-Loading 16
T1574.004 Dylib Hijacking 16
T1574.005 Executable Installer File Permissions Weakness 16
T1574.006 Dynamic Linker Hijacking 9
T1574.007 Path Interception by PATH Environment Variable 21
T1574.008 Path Interception by Search Order Hijacking 20
T1574.009 Path Interception by Unquoted Path 20
T1574.010 Services File Permissions Weakness 14
T1574.011 Services Registry Permissions Weakness 4
T1574.012 COR_PROFILER 13
T1574.013 KernelCallbackTable 11
T1574.014 AppDomainManager 14