T1574

Hijack Execution Flow

Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution. There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates pr...

Platforms: Linux, macOS, Windows

80 Detections
3 Sources
0 Threat Actors

BY SOURCE: 73 elastic, 5 sigma, 2 splunk_escu

PROCEDURES (48)

Procedure clusters are auto-extracted; the number in parentheses is the count of detections in each cluster.

General Monitoring (6 detections)
Inject (6 detections)
Process Creation Monitoring (5 detections)
Persist (4 detections)
Inject (3 detections)
Service (2 detections)
Parent Process (2 detections)
Service (2 detections)
Container (2 detections)
Privilege (2 detections)
Persist (2 detections)
Persist (2 detections)
Suspicious (2 detections)
Startup (2 detections)
Bypass (2 detections)
Masquerad (2 detections)
Unusual (2 detections)
Dll Side (2 detections)
Kernel (1 detection)
Masquerad (1 detection)
Child Process (1 detection)
Unusual (1 detection)
Service (1 detection)
Privilege (1 detection)
Registry (1 detection)
Persist (1 detection)
Suspicious (1 detection)
Service (1 detection)
Suspicious (1 detection)
Privilege (1 detection)
Persist (1 detection)
Registry (1 detection)
Exfiltrat (1 detection)
Inject (1 detection)
Privilege (1 detection)
C2 (1 detection)
Kernel (1 detection)
Remote (1 detection)
Service (1 detection)
Kernel (1 detection)
Suspicious (1 detection)
Kernel (1 detection)
Child Process (1 detection)
Parent Process (1 detection)
Remote (1 detection)
Dll Side (1 detection)
Bypass (1 detection)
Service (1 detection)

DETECTIONS (80)

Each entry gives the detection name, followed by its source and its severity where the page shows one.

APT Package Manager Configuration File Creation: elastic, low
Boot File Copy: elastic, low
Deprecated - Adobe Hijack Persistence: elastic, low
Deprecated - Suspicious PrintSpooler Service Executable File Creation: elastic, low
DLL Execution Via Register-cimprovider.exe: sigma, medium
DNF Package Manager Plugin File Creation: elastic, low
DPKG Package Installed by Unusual Parent Process: elastic, low
Dracut Module Creation: elastic, low
Dylib Injection via Process Environment Variables: elastic, high
Dynamic Linker (ld.so) Creation: elastic, medium
Dynamic Linker Copy: elastic, high
Dynamic Linker Creation: elastic, medium
Dynamic Linker Modification Detected via Defend for Containers: elastic, high
Execution via local SxS Shared Module: elastic, medium
Git Hook Child Process: elastic, low
Git Hook Command Execution: elastic, low
Git Hook Created or Modified: elastic, low
Git Hook Egress Network Connection: elastic, medium
GRUB Configuration File Creation: elastic, low
GRUB Configuration Generation through Built-in Utilities: elastic, low
Initramfs Extraction via CPIO: elastic, low
Initramfs Unpacking via unmkinitramfs: elastic, low
Modification of Dynamic Linker Preload Shared Object: elastic, medium
Modification of Environment Variable via Unsigned or Untrusted Parent: elastic, medium
NetworkManager Dispatcher Script Creation: elastic, low
Node.js Pre or Post-Install Script Execution: elastic, medium
Persistence via DirectoryService Plugin Modification: elastic, medium
Persistence via TelemetryController Scheduled Task Hijack: elastic, high
Persistence via Update Orchestrator Service Hijack: elastic, high
Pod or Container Creation with Suspicious Command-Line: elastic, medium
Potential CVE-2025-32463 Nsswitch File Creation: elastic, high
Potential CVE-2025-41244 vmtoolsd LPE Exploitation Attempt: elastic, low
Potential DLL Side-Loading via Trusted Microsoft Programs: elastic, medium
Potential Exploitation of an Unquoted Service Path Vulnerability: elastic, low
Potential Initial Access via DLL Search Order Hijacking: sigma, medium
Potential Persistence via File Modification: elastic, low
Potential privilege escalation via CVE-2022-38028: elastic, high
Potential Privilege Escalation via InstallerFileTakeOver: elastic, high
Potential Privilege Escalation via PKEXEC: elastic, high
Potential Privilege Escalation via Service ImagePath Modification: elastic, medium
Potential Registry Persistence Attempt Via DbgManagedDebugger: sigma, medium
Potential snap-confine Privilege Escalation via CVE-2026-3888: elastic, high
Potential Sudo Hijacking: elastic, medium
Potential Suspicious File Edit: elastic, low
Potential Windows Session Hijacking via CcmExec: elastic, medium
Privilege Escalation via Windir Environment Variable: elastic, high
Python Path File (pth) Creation: elastic, low
Python Site or User Customize File Creation: elastic, low
Regsvr32 DLL Execution With Uncommon Extension: sigma, medium
RPM Package Installed by Unusual Parent Process: elastic, low
Shared Object Created by Previously Unknown Process: elastic, medium
Signed Proxy Execution via MS Work Folders: elastic, medium
Suspicious Antimalware Scan Interface DLL: elastic, high
Suspicious APT Package Manager Execution: elastic, low
Suspicious APT Package Manager Network Connection: elastic, medium
Suspicious DLL Loaded for Persistence or Privilege Escalation: elastic, high
Suspicious Dynamic Linker Discovery via od: elastic, high
Suspicious Echo or Printf Execution Detected via Defend for Containers: elastic, high
Suspicious Kworker UID Elevation: elastic, medium
Suspicious Microsoft Antimalware Service Execution: elastic, high
Suspicious Network Connection via systemd: elastic, medium
Suspicious Path Invocation from Command Line: elastic, low
Suspicious Print Spooler Point and Print DLL: elastic, high
Suspicious Printer Driver Empty Manufacturer: sigma, high
Suspicious Symbolic Link Created: elastic, low
System Binary Symlink to Suspicious Location: elastic, low
UAC Bypass Attempt via Privileged IFileOperation COM Interface: elastic, high
UID Elevation from Previously Unknown Executable: elastic, high
Unsigned DLL Loaded by Svchost: elastic, medium
Unsigned DLL Side-Loading from a Suspicious Folder: elastic, medium
Untrusted DLL Loaded by Azure AD Sync Service: elastic, high
Unusual DPKG Execution: elastic, medium
Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments: elastic, high
Unusual Persistence via Services Registry: elastic, low
Unusual Preload Environment Variable Process Execution: elastic, low
Unusual Process Modifying GenAI Configuration File: elastic, medium
Windows BitDefender Submission Wizard DLL Sideloading: splunk_escu
Windows Rundll32 Execution With Log.DLL: splunk_escu
WPS Office Exploitation via DLL Hijack: elastic, high
Yum Package Manager Plugin File Creation: elastic, medium