T1574 Hijack Execution Flow

Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.

There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs and resources, such as file directories and, on Windows, the Registry, could also be poisoned to include malicious payloads.

Item Value
ID T1574
Sub-techniques T1574.001, T1574.002, T1574.004, T1574.005, T1574.006, T1574.007, T1574.008, T1574.009, T1574.010, T1574.011, T1574.012, T1574.013
Tactics TA0003, TA0004, TA0005
Platforms Linux, Windows, macOS
Version 1.2
Created 12 March 2020
Last Modified 05 May 2022

Procedure Examples

ID Name Description
C0017 C0017 During C0017, APT41 established persistence by loading malicious libraries via modifications to the Import Address Table (IAT) within legitimate Microsoft binaries. [13]
S0354 Denis Denis replaces the nonexistent Windows DLL "msfte.dll" with its own malicious version, which is loaded by SearchIndexer.exe and SearchProtocolHost.exe. [10]
S0567 Dtrack One variant of Dtrack can replace the normal flow of program execution with malicious code. [11]
S0444 ShimRat ShimRat can hijack cryptbase.dll within migwiz.exe to escalate privileges and bypass UAC controls. [12]

Mitigations

ID Mitigation Description
M1013 Application Developer Guidance When possible, include hash values in manifest files to help prevent side-loading of malicious libraries. [2]
M1047 Audit Use auditing tools capable of detecting hijacking opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for hijacking weaknesses. [3]
M1040 Behavior Prevention on Endpoint Some endpoint security solutions can be configured to block some types of behaviors related to process injection/memory tampering based on common sequences of indicators (ex: execution of specific API functions).
M1038 Execution Prevention Adversaries may use new payloads to execute this technique. Identify and block potentially malicious software executed through hijacking by using application control solutions also capable of blocking libraries loaded by legitimate software.
M1022 Restrict File and Directory Permissions Install software in write-protected locations. Set directory access controls to prevent file writes to the search paths for applications, both in the folders where applications are run from and the standard library folders.
M1044 Restrict Library Loading Disallow loading of remote DLLs. This is included by default in Windows Server 2012+ and is available by patch for XP+ and Server 2003+.
M1024 Restrict Registry Permissions Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.
M1051 Update Software Update software regularly to include patches that fix DLL side-loading vulnerabilities.
M1052 User Account Control Turn off UAC's privilege elevation for standard users so that elevation requests are automatically denied: under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] add "ConsentPromptBehaviorUser"=dword:00000000. Consider enabling installer detection for all users by adding "EnableInstallerDetection"=dword:00000001; this will prompt for a password for installation and also log the attempt. To disable installer detection, instead add "EnableInstallerDetection"=dword:00000000. This may prevent potential elevation of privileges through exploitation during the process of UAC detecting the installer, but will allow the installation process to continue without being logged. [7]
M1018 User Account Management Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able.
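The following PowerShell script is an added example, not part of the ATT&CK entry: it audits the two UAC registry values that mitigation M1052 references and can apply the recommended settings. It assumes an elevated PowerShell session on Windows and that the key path quoted in M1052 is the one in use.

```powershell
# Added example (not from the ATT&CK page): audit the UAC values referenced by M1052.
# Assumption: runs in an elevated PowerShell session on Windows.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Recommended values from M1052: deny elevation for standard users, detect installers.
$expected = @{
    ConsentPromptBehaviorUser = 0   # 0 = automatically deny elevation requests
    EnableInstallerDetection  = 1   # 1 = prompt for credentials and log installer launches
}

function Get-UacSetting {
    param([string]$Name)
    # Returns the DWORD value, or $null when the value is not present in the key.
    $item = Get-ItemProperty -Path $uacKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-UacHardening {
    # Emits one object per value comparing the current setting with the M1052 recommendation.
    foreach ($name in $expected.Keys) {
        $current = Get-UacSetting -Name $name
        [pscustomobject]@{
            Name      = $name
            Current   = $current
            Expected  = $expected[$name]
            Compliant = ($current -eq $expected[$name])
        }
    }
}

function Set-UacHardening {
    # Applies the M1052 values as DWORDs; requires an elevated session.
    foreach ($name in $expected.Keys) {
        Set-ItemProperty -Path $uacKey -Name $name -Value $expected[$name] -Type DWord
    }
}

# Report the current state; call Set-UacHardening to apply the recommended values.
Test-UacHardening | Format-Table -AutoSize
```

A missing value is reported as Current = $null and non-compliant, which is the case to watch for on systems that have never had these policies set.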

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Creation
DS0011 Module Module Load
DS0009 Process Process Creation
DS0019 Service Service Metadata
DS0024 Windows Registry Windows Registry Key Modification