Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.
There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| TVM-06 | External Library Vulnerabilities | mitigates | T1574 | Hijack Execution Flow | Comments: This control requires both CSP and CSC to independently manage third-party and open-source libraries by maintaining accurate inventories, integrating with vulnerability databases, automating patching and updates, and using dependency and scanning tools to mitigate risks from library vulnerabilities. For this specific technique, use the program sxstrace.exe that is included with Windows, along with manual inspection, to check manifest files for side-loading vulnerabilities in software that uses vulnerable DLLs. |
| DSP-07 | Data Protection by Design and Default | mitigates | T1574 | Hijack Execution Flow | Comments: This control emphasizes data protection by design and default, requiring proactive integration of security and privacy measures at every stage of the SDLC and across all components. For this technique, adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. To mitigate this where possible, include hash values in manifest files to help prevent side-loading of malicious libraries. |