T1574 Hijack Execution Flow Mappings

Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.

There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1574 Hijack Execution Flow
AC-3 Access Enforcement Protects T1574 Hijack Execution Flow
AC-4 Information Flow Enforcement Protects T1574 Hijack Execution Flow
AC-5 Separation of Duties Protects T1574 Hijack Execution Flow
AC-6 Least Privilege Protects T1574 Hijack Execution Flow
CA-7 Continuous Monitoring Protects T1574 Hijack Execution Flow
CA-8 Penetration Testing Protects T1574 Hijack Execution Flow
CM-2 Baseline Configuration Protects T1574 Hijack Execution Flow
CM-5 Access Restrictions for Change Protects T1574 Hijack Execution Flow
CM-6 Configuration Settings Protects T1574 Hijack Execution Flow
CM-7 Least Functionality Protects T1574 Hijack Execution Flow
CM-8 System Component Inventory Protects T1574 Hijack Execution Flow
IA-2 Identification and Authentication (organizational Users) Protects T1574 Hijack Execution Flow
RA-5 Vulnerability Monitoring and Scanning Protects T1574 Hijack Execution Flow
SI-10 Information Input Validation Protects T1574 Hijack Execution Flow
SI-2 Flaw Remediation Protects T1574 Hijack Execution Flow
SI-3 Malicious Code Protection Protects T1574 Hijack Execution Flow
SI-4 System Monitoring Protects T1574 Hijack Execution Flow
SI-7 Software, Firmware, and Information Integrity Protects T1574 Hijack Execution Flow
azure_sentinel Azure Sentinel technique_scores T1574 Hijack Execution Flow
file_integrity_monitoring File Integrity Monitoring technique_scores T1574 Hijack Execution Flow
azure_defender_for_app_service Azure Defender for App Service technique_scores T1574 Hijack Execution Flow

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1574.012 COR_PROFILER 9
T1574.001 DLL Search Order Hijacking 11
T1574.002 DLL Side-Loading 15
T1574.004 Dylib Hijacking 13
T1574.005 Executable Installer File Permissions Weakness 12
T1574.006 LD_PRELOAD 4
T1574.007 Path Interception by PATH Environment Variable 18
T1574.008 Path Interception by Search Order Hijacking 18
T1574.009 Path Interception by Unquoted Path 18
T1574.010 Services File Permissions Weakness 12
T1574.011 Services Registry Permissions Weakness 2