Hijack Execution Flow (T1574)

Tactic: stealth, Execution

Tactics: stealth , Execution
Platforms: Linux, macOS, Windows
Reference: attack.mitre.org/techniques/T1574

Description

Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.

There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.

Sub-techniques

How GTK Cyber trains on this

GTK Cyber's Threat Hunting with Data Science course teaches you to build machine-learning detections for techniques like this across the MITRE ATT&CK framework, including the stealth, Execution tactic this technique falls under. Practitioner-led, focused on real detections, not memorizing technique IDs.

Threat Hunting with Data Science → · All training courses

Related techniques

Train your team to detect attacks like this.

GTK Cyber's Threat Hunting with Data Science course is taught by practitioners who detect this stuff for a living.

Explore Threat Hunting Training