Hijack Execution Flow - T1574
(ATT&CK® Technique)
Definition
Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.
D3FEND Inferred Relationships
Hijack Execution Flow (T1574) and the artifacts it affects:
- creates: Executable File
- modifies: Service Application
- modifies: System Configuration Database Record
- adds: Shared Library File
- may-create: Shared Library File
- may-modify: Shared Library File
- modifies: Operating System Configuration File
- modifies: System Configuration Init Database Record

Defensive techniques, the artifacts they act on, and their inferred relationship to T1574:
- Decoy File spoofs Executable File, Shared Library File, Operating System Configuration File (may-deceive)
- Emulated File Analysis analyzes Executable File (may-detect)
- Dynamic Analysis analyzes Executable File (may-detect)
- File Integrity Monitoring analyzes Operating System Configuration File, Executable File, Shared Library File (may-detect)
- File Analysis analyzes Executable File, Shared Library File, Operating System Configuration File (may-detect)
- System Init Config Analysis analyzes System Configuration Init Database Record (may-detect)
- System File Analysis analyzes Operating System Configuration File (may-detect)
- Service Binary Verification verifies Service Application (may-detect)
- File Eviction deletes Shared Library File, Executable File, Operating System Configuration File (may-evict)
- File Encryption encrypts Executable File, Shared Library File, Operating System Configuration File (may-harden)
- Software Update updates Service Application (may-harden)
- Executable Allowlisting blocks Executable File (may-isolate)
- Executable Denylisting blocks Executable File (may-isolate)
- Local File Permissions restricts Operating System Configuration File, Executable File, Shared Library File (may-isolate)
- Remote File Access Mediation isolates Executable File, Shared Library File, Operating System Configuration File (may-isolate)
- Restore Software restores Service Application (may-restore)
- Restore File restores Shared Library File, Executable File, Operating System Configuration File (may-restore)
- Restore Configuration restores System Configuration Database Record, System Configuration Init Database Record (may-restore)