T1574 Hijack Execution Flow Mappings

Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.

There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
| --- | --- | --- | --- | --- |
| AC-2 | Account Management | Protects | T1574 | Hijack Execution Flow |
| AC-3 | Access Enforcement | Protects | T1574 | Hijack Execution Flow |
| AC-4 | Information Flow Enforcement | Protects | T1574 | Hijack Execution Flow |
| AC-5 | Separation of Duties | Protects | T1574 | Hijack Execution Flow |
| AC-6 | Least Privilege | Protects | T1574 | Hijack Execution Flow |
| CA-7 | Continuous Monitoring | Protects | T1574 | Hijack Execution Flow |
| CA-8 | Penetration Testing | Protects | T1574 | Hijack Execution Flow |
| CM-2 | Baseline Configuration | Protects | T1574 | Hijack Execution Flow |
| CM-5 | Access Restrictions for Change | Protects | T1574 | Hijack Execution Flow |
| CM-6 | Configuration Settings | Protects | T1574 | Hijack Execution Flow |
| CM-7 | Least Functionality | Protects | T1574 | Hijack Execution Flow |
| CM-8 | System Component Inventory | Protects | T1574 | Hijack Execution Flow |
| IA-2 | Identification and Authentication (organizational Users) | Protects | T1574 | Hijack Execution Flow |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1574 | Hijack Execution Flow |
| SI-10 | Information Input Validation | Protects | T1574 | Hijack Execution Flow |
| SI-2 | Flaw Remediation | Protects | T1574 | Hijack Execution Flow |
| SI-3 | Malicious Code Protection | Protects | T1574 | Hijack Execution Flow |
| SI-4 | System Monitoring | Protects | T1574 | Hijack Execution Flow |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1574 | Hijack Execution Flow |
| CVE-2019-12660 | Cisco IOS XE Software 3.2.11aSG | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2018-15376 | Cisco IOS Software | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2020-3198 | Cisco IOS 12.2(60)EZ16 | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2020-3309 | Cisco Firepower Threat Defense Software | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2019-3723 | OpenManage Server Administrator | secondary_impact | T1574 | Hijack Execution Flow |
| CVE-2018-11049 | Pivotal Operations Manager | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2020-5210 | NetHack | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2020-15211 | tensorflow | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2020-15100 | freewvs | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2020-5254 | NetHack | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2020-4068 | APNSwift | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2020-15208 | tensorflow | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2020-11039 | FreeRDP | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2020-15199 | tensorflow | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2020-11068 | LoRaMac-node | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2020-5253 | NetHack | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2018-7499 | WebAccess | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2019-10980 | LCDS LAquis SCADA | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2019-6538 | Medtronic Conexus Radio Frequency Telemetry Protocol | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2018-14819 | V-Server | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2018-10610 | LeviStudioU | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2018-14809 | V-Server | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2018-10636 | CNCSoft with ScreenEditor | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2018-7494 | Delta Electronics WPLSoft | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2019-13522 | EZ PLC Editor | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2018-17910 | WebAccess Versions 8.3.2 and prior. | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2018-8835 | Advantech WebAccess HMI Designer | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2018-10620 | InduSoft Web Studio | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2018-18987 | n/a | secondary_impact | T1574 | Hijack Execution Flow |
| CVE-2019-0911 | Internet Explorer 11 | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2018-8355 | ChakraCore | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2020-0671 | Windows | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2020-0898 | Windows | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2019-1118 | Windows | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2020-1109 | Windows | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2019-0576 | Windows 7 | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2020-1495 | Microsoft SharePoint Server 2010 Service Pack 2 | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2020-1425 | Windows 10 Version 2004 for x64-based Systems | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2018-8248 | Microsoft Office | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2018-8111 | Microsoft Edge | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2020-1569 | Microsoft Edge (EdgeHTML-based) | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2020-16874 | Microsoft Visual Studio 2019 version 16.7 (includes 16.0 – 16.6) | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2019-0609 | Internet Explorer 11 | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2018-8353 | n/a | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2018-8110 | Microsoft Edge | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2019-1106 | Microsoft Edge | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2019-1035 | Microsoft Office | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2019-0926 | Microsoft Edge | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2019-1052 | Microsoft Edge | primary_impact | T1574 | Hijack Execution Flow |
| CVE-2020-4100 | "HCL Verse for Android" | uncategorized | T1574 | Hijack Execution Flow |
| CVE-2020-0688 | Microsoft Exchange Server 2013 | uncategorized | T1574 | Hijack Execution Flow |
| CVE-2019-0708 | Windows | uncategorized | T1574 | Hijack Execution Flow |
| action.hacking.variety.Unknown | Unknown | related-to | T1574 | Hijack Execution Flow |
| action.hacking.variety.XML injection | XML injection. Child of 'Exploit vuln'. | related-to | T1574 | Hijack Execution Flow |
| action.hacking.vector.Backdoor or C2 | Backdoor or command and control channel | related-to | T1574 | Hijack Execution Flow |
| action.malware.variety.Backdoor | Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' | related-to | T1574 | Hijack Execution Flow |

ATT&CK Subtechniques

| Technique ID | Technique Name | Number of Mappings |
| --- | --- | --- |
| T1574.012 | COR_PROFILER | 10 |
| T1574.001 | DLL Search Order Hijacking | 15 |
| T1574.002 | DLL Side-Loading | 13 |
| T1574.004 | Dylib Hijacking | 15 |
| T1574.006 | Dynamic Linker Hijacking | 4 |
| T1574.005 | Executable Installer File Permissions Weakness | 14 |
| T1574.007 | Path Interception by PATH Environment Variable | 16 |
| T1574.008 | Path Interception by Search Order Hijacking | 19 |
| T1574.009 | Path Interception by Unquoted Path | 16 |
| T1574.010 | Services File Permissions Weakness | 13 |
| T1574.011 | Services Registry Permissions Weakness | 3 |