T1574: Hijack Execution Flow
| View on MITRE ATT&CK | T1574 | 
|---|---|
| Tactic(s) | Defense Evasion, Privilege Escalation, Persistence | 
Data from MITRE ATT&CK®:
Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.
There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Reporting on this Technique
Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day
Reporting from Mandiant which discusses the exploitation of Pulse Secure VPN devices in 2021 and 12 malware families associated with the campaign. ...
Mitigations for this technique
MITRE ATT&CK Mitigations
Behavior Prevention on Endpoint
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.
Update Software
Perform regular software updates to mitigate exploitation risk.
Execution Prevention
Block execution of code on a system through application control, and/or script blocking.
Audit
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
User Account Control
Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.
User Account Management
Manage the creation, modification, use, and permissions associated to user accounts.
Restrict Registry Permissions
Restrict the ability to modify certain hives or keys in the Windows Registry.
Restrict Library Loading
Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.
Application Developer Guidance
This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.
Restrict File and Directory Permissions
Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.
How to detect this technique
MITRE ATT&CK Data Components
Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)
Module Load (Module)
Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)
Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc.)
Windows Registry Key Modification (Windows Registry)
Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)
File Creation (File)
Initial construction of a new file (ex: Sysmon EID 11)
File Modification (File)
Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)
Service Metadata (Service)
Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.
Sigma Detections for this Technique
Windows Spooler Service Suspicious Binary Load
Potential PrintNightmare Exploitation Attempt
Potential Registry Persistence Attempt Via DbgManagedDebugger
Suspicious Printer Driver Empty Manufacturer
Potential Initial Access via DLL Search Order Hijacking
Regsvr32 DLL Execution With Uncommon Extension
DLL Execution Via Register-cimprovider.exe
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.