Description
Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.
There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.
Platforms
Sub-Techniques (12)
DLL
T1574.004 Dylib Hijacking
T1574.005 Executable Installer File Permissions Weakness
T1574.006 Dynamic Linker Hijacking
T1574.007 Path Interception by PATH Environment Variable
T1574.008 Path Interception by Search Order Hijacking
T1574.009 Path Interception by Unquoted Path
T1574.010 Services File Permissions Weakness
T1574.011 Services Registry Permissions Weakness
T1574.012 COR_PROFILER
T1574.013 KernelCallbackTable
T1574.014 AppDomainManager
Mitigations (10)
M1052 User Account Control
To turn off UAC's privilege elevation for standard users so that elevation requests are automatically denied, add "ConsentPromptBehaviorUser"=dword:00000000 under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]. Consider enabling installer detection for all users by adding "EnableInstallerDetection"=dword:00000001. This will prompt for a password
M1040 Behavior Prevention on Endpoint
Some endpoint security solutions can be configured to block some types of behaviors related to process injection/memory tampering based on common sequences of indicators (ex: execution of specific API functions).
M1044 Restrict Library Loading
Disallow loading of remote DLLs. This is included by default in Windows Server 2012+ and is available by patch for XP+ and Server 2003+.
Enable Safe DLL Search Mode to force system DLLs in directories with greater restrictions (e.g. %SYSTEMROOT%) to be used before local directory DLLs (e.g. a user's home directory).
The Safe DLL Search Mode can be enabled via Group Policy a
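An added example, not code from the ATT&CK page: a PowerShell check that reads the UAC (M1052) and DLL search-order (M1044) registry values discussed above and reports which ones are not at a hardened setting. The accepted values are this script's assumptions taken from the page text and Microsoft's documented semantics; an absent value is reported as NotSet rather than guessed.

```powershell
# Added example (not from the ATT&CK page): audit the UAC (M1052) and DLL
# search-order (M1044) registry values and flag drift from hardened settings.
# Assumptions: accepted values follow the page text and Microsoft's documented
# semantics; a value that is absent is reported as NotSet rather than guessed.
# Run from an elevated PowerShell prompt on the host being audited.

$Policies   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$SessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

$Checks = @(
    @{ Key = $Policies; Name = 'ConsentPromptBehaviorUser'; Accepted = @(0)
       Why = 'M1052: automatically deny elevation requests from standard users' }
    @{ Key = $Policies; Name = 'EnableInstallerDetection'; Accepted = @(1)
       Why = 'M1052: prompt for credentials when an installer is detected' }
    @{ Key = $SessionMgr; Name = 'SafeDllSearchMode'; Accepted = @(1)
       Why = 'M1044: search system directories before the current directory' }
    # REG_DWORD 0xFFFFFFFF reads back through Get-ItemProperty as [int] -1 and
    # removes the current directory from the DLL search path entirely; 1 only
    # blocks a remote (UNC/WebDAV) current directory, which the page calls for.
    @{ Key = $SessionMgr; Name = 'CWDIllegalInDllSearch'; Accepted = @(-1, 1)
       Why = 'M1044: disallow loading DLLs from a remote current directory' }
)

function Test-HijackMitigations {
    foreach ($c in $Checks) {
        $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $actual = $null
            $status = 'NotSet'
        } else {
            $actual = [int]$item.($c.Name)
            $status = if ($c.Accepted -contains $actual) { 'OK' } else { 'Weak' }
        }
        [pscustomobject]@{
            Setting  = $c.Name
            Actual   = $actual
            Accepted = ($c.Accepted -join ',')
            Status   = $status
            Why      = $c.Why
        }
    }
}

Test-HijackMitigations | Format-Table -AutoSize
```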
M1047 Audit
Use auditing tools capable of detecting hijacking opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for hijacking weaknesses.(Citation: Powersploit)
Use the program sxstrace.exe that is included with Windows along with manual inspection to check manifest files for side-loading vulnera
M1013 Application Developer Guidance
When possible, include hash values in manifest files to help prevent side-loading of malicious libraries.(Citation: FireEye DLL Side-Loading)
M1018 User Account Management
Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able.
Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory
M1051 Update Software
Update software regularly to include patches that fix DLL side-loading vulnerabilities.
M1038 Execution Prevention
Adversaries may use new payloads to execute this technique. Identify and block potentially malicious software executed through hijacking by using application control solutions also capable of blocking libraries loaded by legitimate software.
M1022 Restrict File and Directory Permissions
Install software in write-protected locations. Set directory access controls to prevent file writes to the search paths for applications, both in the folders where applications are run from and the standard library folders.
M1024 Restrict Registry Permissions
Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.
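An added example, not code from the ATT&CK page: a PowerShell audit that lists directories a hijack would have to write into (machine PATH entries and service binary directories, the locations behind T1574.007, T1574.009 and T1574.010) that broad, low-privilege groups are allowed to write to. This is the weakness the Audit (M1047), User Account Management (M1018) and Restrict File and Directory Permissions (M1022) mitigations above tell defenders to find and remove; the principal list is this script's own choice of "broad" groups.

```powershell
# Added example (not from the ATT&CK page): report directories on the machine
# PATH and directories holding service binaries that broad groups can write to,
# so the ACLs can be tightened as M1047 / M1018 / M1022 recommend.
# Assumption: the principals below are this script's choice of "broad" groups.

$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Rights that let a principal drop or replace a file (Modify and FullControl
# include them); 0x40000000 / 0x10000000 are GENERIC_WRITE / GENERIC_ALL, which
# some ACEs still carry unmapped.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, Delete' -bor 0x50000000

function Test-WritableByBroadGroup {
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $acl = Get-Acl -LiteralPath $Dir -ErrorAction SilentlyContinue
    if ($null -eq $acl) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteBits) -ne 0) { return $true }
    }
    return $false
}

function Get-HijackCandidateDirs {
    $dirs = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    # Machine-wide PATH entries (T1574.007).
    foreach ($p in ([Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';')) {
        if ($p.Trim()) { [void]$dirs.Add([Environment]::ExpandEnvironmentVariables($p.Trim())) }
    }
    # Service binary directories (T1574.010).
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        # A quoted path gives the real binary; an unquoted path with spaces gives
        # the first fragment, i.e. the directory Windows would probe first (T1574.009).
        $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
        $parent = Split-Path -Path $exe -Parent -ErrorAction SilentlyContinue
        if ($parent) { [void]$dirs.Add($parent) }
    }
    return $dirs
}

Get-HijackCandidateDirs | Where-Object { Test-WritableByBroadGroup $_ } | Sort-Object |
    ForEach-Object { "Writable by a broad group: $_" }
```

Any directory printed should have its ACL reviewed and the write permission for the broad group removed, or the software moved to a write-protected location as M1022 describes.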
Associated Software (9)
| ID | Name | Type | Context |
|---|---|---|---|
| S1111 | DarkGate | Malware | [DarkGate](https://attack.mitre.org/software/S1111) edits the Registry key <code>HKCU\Software\Classes\mscfile\shell\open\command</code> to execute a ... |
| S0567 | Dtrack | Malware | One of [Dtrack](https://attack.mitre.org/software/S0567) can replace the normal flow of a program execution with malicious code.(Citation: CyberBit Dt... |
| S9024 | SPAWNCHIMERA | Malware | [SPAWNCHIMERA](https://attack.mitre.org/software/S9024) can persist across system upgrades by hijacking the execution flow of dspkginstall, a binary u... |
| S0444 | ShimRat | Malware | [ShimRat](https://attack.mitre.org/software/S0444) can hijack the cryptbase.dll within migwiz.exe to escalate privileges and bypass UAC controls.(Cita... |
| S1130 | Raspberry Robin | Malware | [Raspberry Robin](https://attack.mitre.org/software/S1130) will drop a copy of itself to a subfolder in <code>%Program Data%</code> or <code>%Program ... |
| S0354 | Denis | Malware | [Denis](https://attack.mitre.org/software/S0354) replaces the nonexistent Windows DLL "msfte.dll" with its own malicious version, which is loaded by t... |
| S1147 | Nightdoor | Malware | [Nightdoor](https://attack.mitre.org/software/S1147) uses a legitimate executable to load a malicious DLL file for installation.(Citation: Symantec Da... |
| S1105 | COATHANGER | Malware | [COATHANGER](https://attack.mitre.org/software/S1105) will remove and write malicious shared objects associated with legitimate system functions such ... |
| S1018 | Saint Bot | Malware | [Saint Bot](https://attack.mitre.org/software/S1018) will use the malicious file <code>slideshow.mp4</code> if present to load the core API provided b... |
Frequently Asked Questions
What is T1574 (Hijack Execution Flow)?
T1574 is a MITRE ATT&CK technique named 'Hijack Execution Flow'. It belongs to the Stealth, Execution tactic(s). Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution...
How can T1574 be detected?
Detection of T1574 (Hijack Execution Flow) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1574?
There are 10 documented mitigations for T1574. Key mitigations include: User Account Control, Behavior Prevention on Endpoint, Restrict Library Loading, Audit, Application Developer Guidance.
Which threat groups use T1574?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.