Hijack Execution Flow T1574

Tactics: Persistence, Privilege Escalation, Defense Evasion (ATT&CK); catalog tags: Stealth, Execution

Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.

Events covered

31 catalog events are tagged with this technique by at least one rule.

Provider | Event | Title
--- | --- | ---
Sysmon | Event ID 1 | Process creation
Sysmon | Event ID 7 | Image loaded
Sysmon | Event ID 11 | FileCreate
Sysmon | Event ID 12 | RegistryEvent (Object create and delete)
Sysmon | Event ID 13 | RegistryEvent (Value Set)
Sysmon | Event ID 14 | RegistryEvent (Key and Value Rename)
Sysmon | Event ID 23 | FileDelete (File Delete archived)
Sysmon | Event ID 26 | FileDeleteDetected (File Delete logged)
Security-Auditing | Event ID 4648 | A logon was attempted using explicit credentials.
Security-Auditing | Event ID 4657 | A registry value was modified.
Security-Auditing | Event ID 4663 | An attempt was made to access an object.
Security-Auditing | Event ID 4688 | A new process has been created.
Security-Auditing | Event ID 6416 | A new external device was recognized by the system.
Defender-DeviceImageLoadEvents | any | Image load (any)
Defender-DeviceProcessEvents | any | Process activity (any)
Defender-DeviceRegistryEvents | RegistryValueSet | Registry value set
ESF | exec | Process Execution (Notify)
ESF | write | File Write (NOTIFY)
Linux-Auditd | Event ID 1302 | PATH
DHCP-Server | Event ID 1031 | [EVENT_SERVER_CALLOUT_UNHANDLED_EXCEPTION] The installed server callout .dll file has caused an exception.
DHCP-Server | Event ID 1032 | [EVENT_SERVER_CALLOUT_LOAD_EXCEPTION] The installed server callout .dll file has caused an exception. The .dll file couldn't be loaded.
DHCP-Server | Event ID 1033 | [EVENT_SERVER_CALLOUT_LOAD_SUCCESS] The DHCP service has successfully loaded one or more callout DLLs.
DHCP-Server | Event ID 1034 | [EVENT_SERVER_READ_ONLY_GROUP_ERROR] The DHCP service has failed to load one or more callout DLLs.
DNS-Server-Service | Event ID 150 | The DNS server could not load or initialize the plug-in DLL Name.
DNS-Server-Service | Event ID 770 | A DNS server plugin DLL has been loaded from location param1 on server param2.
DNS-Server-Service | Event ID 771 | The V1 plugin interface has been implemented in server level plugin DLL.
PowerShell | Event ID 4103 | Payload Context: ContextInfo User Data: UserData.
PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal).
Security-Mitigations | Event ID 11 | Process 'ProcessPath' (PID ProcessId) would have been blocked from loading the non-Microsoft-signed binary 'ImageName'.
Security-Mitigations | Event ID 12 | Process 'ProcessPath' (PID ProcessId) was blocked from loading the non-Microsoft-signed binary 'ImageName'.
PowerShell | Event ID 800 | Pipeline execution details

Authoring guide

Patterns shared across the 246 rules under this technique (listed by vendor at the end of this page): which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (97 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
--- | --- | --- | ---
Image | 94 | ends_with 62, starts_with 19, eq 13, contains 11, is_not_null 7, ne 3, in 2, wildcard 2, is_null 1, match 1 | \sc.exe, \cmd.exe, \reg.exe, c:\windows\system32\, c:\windows\syswow64\
ImageLoaded | 75 | ends_with 59, starts_with 35, contains 19, eq 7, in 5, wildcard 3 | *:\\windows\\system32\\*, *:\\windows\\syswow64\\*, c:\program files (x86)\, c:\program files (x86)\windows kits\, :\program files (x86)\windows kits\10\bin\
event.type | 49 | eq 45, ne 3, in 1 | start, creation, change, deletion, process_started
host.os.type | 47 | eq 46, in 1 | 
EventType | 45 | eq 22, in 20, starts_with 2, ne 1 | exec, ProcessRollup2, creation, exec_event, rename
TargetFilename | 42 | wildcard 18, starts_with 7, ends_with 6, in 6, contains 5, eq 3, is_not_null 1, regex_match 1 | /etc/ld.so.preload, .dll, /boot/efi/efi/*/grub.cfg, /boot/grub/grub.cfg, /boot/grub2/grub.cfg
process_name | 40 | eq 23, in 15, starts_with 3, ne 2, is_not_null 1, wildcard 1 | bash, csh, dash, cp, awk
CommandLine | 35 | contains 32, ends_with 3, eq 1, is_null 1, match 1, regex_match 1, starts_with 1, wildcard 1 | config, /config, /serverlevelplugindll, dclcwpdtsd, msdtc
parent_process_name | 20 | eq 13, in 7, ends_with 1, is_not_null 1, starts_with 1 | bash, csh, dash, apt, CompatTelRunner.exe
process.args | 19 | eq 10, in 7, starts_with 5, wildcard 4, contains 2, ne 1 | -c, --install, -i, .git/hooks/, /etc/ld.so.preload
OriginalFileName | 17 | eq 15, in 1, ne 1 | sc.exe, -, bdsubmit.exe, bdsw.exe, cmd.exe
Signed | 15 | eq 15 | true, false
EventID | 14 | eq 14 | 7, 11, 4657, 4688
event.category | 13 | eq 13 | process, file, library
SignatureStatus | 11 | eq 8, ne 3 | Valid, Expired, Unavailable, unavailable, valid

Top indicator values (4924 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are noisy on their own (event.type = start, for instance, is shared by 606 rules across the catalog); pair them with a second, technique-specific condition for useful signal. A blank Corpus reach means the combination appears only in rules under this technique.

Field | Kind | Value | Rules (here) | Corpus reach
--- | --- | --- | --- | ---
event.type | eq | start | 31 | 606
event.type | eq | creation | 9 | 45
event.type | eq | change | 5 | 77
EventType | eq | exec | 12 | 171
EventType | eq | creation | 4 | 25
EventID | eq | 7 | 11 | 39
EventType | in | exec | 11 | 171
EventType | in | ProcessRollup2 | 10 | 117
EventType | in | start | 10 | 134
EventType | in | creation | 6 | 23
EventType | in | exec_event | 6 | 139
EventType | in | rename | 5 | 18
ImageLoaded | starts_with | c:\windows\winsxs\ | 9 | 
ImageLoaded | starts_with | c:\windows\system32\ | 8 | 
ImageLoaded | starts_with | c:\windows\syswow64\ | 8 | 
ImageLoaded | starts_with | c:\program files (x86)\ | 7 | 
ImageLoaded | starts_with | c:\program files\ | 7 | 
Signed | eq | true | 9 | 
Signed | eq | false | 6 | 9
event.category | eq | process | 9 | 128
process_name | in | bash | 9 | 88
process_name | in | csh | 9 | 71
process_name | in | dash | 9 | 78
process_name | in | fish | 9 | 72
process_name | in | ksh | 9 | 73
process_name | in | sh | 9 | 83
process_name | in | tcsh | 9 | 69
process_name | in | zsh | 9 | 82
Image | ends_with | \sc.exe | 5 | 30
process.args | eq | -c | 5 | 30

Exclusions (1158 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out: package managers and container runtimes that legitimately rewrite files such as /etc/ld.so.preload. A new rule that ignores the high-count entries here will fire on the same noisy paths.

Field | Kind | Value | Rules excluding
--- | --- | --- | ---
Image | in | /usr/bin/dockerd | 12
Image | in | /usr/bin/podman | 12
Image | in | ./usr/bin/podman | 11
Image | in | /bin/podman | 11
Image | in | /usr/bin/dnf | 11
Image | in | /usr/sbin/dockerd | 11
Image | in | /bin/dnf | 10
Image | in | /bin/dnf-automatic | 10
Image | in | /bin/dockerd | 10
Image | in | /bin/microdnf | 10
Image | in | /bin/rpm | 10
Image | in | /bin/snapd | 10
Image | in | /bin/yum | 10
Image | in | /proc/self/exe | 10
Image | in | /sbin/apk | 10
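
The field normalization described in the authoring guide, and the advice in the indicator and exclusion sections to pair one specific indicator with the exclusions the community has already learned, as an added Python example that is not the catalog's own code. It collapses Sigma, Elastic and Splunk field names into the catalog's canonical names, then evaluates two T1574-style rules over constructed events: a write to /etc/ld.so.preload by anything other than the package managers and container runtimes in the Exclusions table, and an unsigned DLL loaded from outside the directories listed under ImageLoaded. Everything beyond the Image row of the field mapping (file.path, file_path, dll.path, loaded_file), the rule names, and every sample event are assumptions made for this example.

```python
"""Added example (not the catalog's code): normalize three vendor schemas into
the catalog's canonical field names, then run two T1574-style rules that pair
one specific indicator with the exclusions listed on this page. All events are
constructed samples; the field mapping beyond Image is an assumption."""

# Vendor field -> canonical field. The Image row is the one the text names
# (Sigma Image, Elastic process.name, Splunk process_name); the file and
# library rows are assumptions made for this example.
FIELD_MAP = {
    "Image": "Image", "process.name": "Image", "process_name": "Image",
    "TargetFilename": "TargetFilename", "file.path": "TargetFilename",
    "file_path": "TargetFilename",
    "ImageLoaded": "ImageLoaded", "dll.path": "ImageLoaded",
    "loaded_file": "ImageLoaded",
    "EventType": "EventType", "event.type": "EventType",
    "Signed": "Signed",
}

# Package managers and container runtimes that legitimately rewrite
# /etc/ld.so.preload (the Exclusions table above).
LD_PRELOAD_WRITERS = {
    "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/dockerd",
    "/usr/bin/podman", "/bin/podman",
    "/usr/bin/dnf", "/bin/dnf", "/bin/dnf-automatic", "/bin/microdnf",
    "/bin/rpm", "/bin/yum", "/sbin/apk", "/bin/snapd", "/proc/self/exe",
}

# Directories a DLL is expected to load from (the ImageLoaded starts_with
# values above); an unsigned DLL from anywhere else is the signal.
EXPECTED_DLL_DIRS = (
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\",
    "c:\\program files\\", "c:\\program files (x86)\\",
)


def normalize(event):
    """Rename vendor fields to canonical names; unknown fields pass through."""
    return {FIELD_MAP.get(k, k): v for k, v in event.items()}


def ld_so_preload_write(ev):
    """Write to /etc/ld.so.preload by anything other than a known maintainer."""
    return (ev.get("TargetFilename") == "/etc/ld.so.preload"
            and ev.get("EventType") in {"creation", "change", "rename"}
            and ev.get("Image") not in LD_PRELOAD_WRITERS)


def unsigned_dll_from_unexpected_path(ev):
    """Unsigned DLL loaded from outside the expected directories.
    Windows paths are compared case-insensitively, as Sigma does."""
    path = str(ev.get("ImageLoaded", "")).lower()
    return (path.endswith(".dll")
            and str(ev.get("Signed", "")).lower() == "false"
            and not path.startswith(EXPECTED_DLL_DIRS))


RULES = {
    "T1574.006 ld.so.preload write": ld_so_preload_write,
    "T1574.002 unsigned DLL side-load": unsigned_dll_from_unexpected_path,
}


def evaluate(events):
    """Return (rule name, Image) for every rule that fires on every event."""
    hits = []
    for raw in events:
        ev = normalize(raw)
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev.get("Image")))
    return hits


# Constructed sample events in three vendor schemas (not real telemetry).
SAMPLE_EVENTS = [
    # Sigma-style, Linux: dnf rewriting the preload file (expected, excluded).
    {"Image": "/usr/bin/dnf", "TargetFilename": "/etc/ld.so.preload",
     "EventType": "creation"},
    # Elastic-style, Linux: an unknown binary writing the preload file.
    {"process.name": "/tmp/.cache/ld-helper", "file.path": "/etc/ld.so.preload",
     "event.type": "change"},
    # Splunk-style, Windows: unsigned DLL loaded from a user-writable path.
    {"process_name": "C:\\Program Files\\Vendor\\updater.exe",
     "loaded_file": "C:\\Users\\Public\\version.dll", "Signed": "false"},
    # Sigma-style, Windows: unsigned DLL under Program Files (x86) (expected).
    {"Image": "C:\\Program Files (x86)\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files (x86)\\Vendor\\helper.dll", "Signed": "false"},
    # Sigma-style, Windows: a signed system DLL (benign).
    {"Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for rule_name, image in evaluate(SAMPLE_EVENTS):
        print(f"{rule_name}: {image}")
```

Running it reports exactly two hits, the unknown ld.so.preload writer and the DLL loaded from C:\Users\Public, while the dnf write and the two loads from expected directories are filtered. One caveat the normalization hides: Elastic's process.name normally carries only the executable's basename, so a full-path exclusion list like the one above has to be matched against process.executable in a real Elastic rule, or the exclusions will never match and the package-manager noise comes straight back.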

Rules under this technique

Every rule in the catalog tagged with this technique, counted by vendor.

Sigma: 133 rules
Elastic: 75 rules
Splunk: 32 rules
Kusto: 6 rules
Total: 246 rules