MITRE ATT&CK / T1574
T1574
Hijack Execution Flow
Description
Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.
Platforms
Mitigations
- M1052 — User Account Control
- M1040 — Behavior Prevention on Endpoint
- M1044 — Restrict Library Loading
- M1047 — Audit
- M1013 — Application Developer Guidance
- M1018 — User Account Management
- M1051 — Update Software
- M1038 — Execution Prevention
- M1022 — Restrict File and Directory Permissions
- M1024 — Restrict Registry Permissions
Use our free MITRE ATT&CK lookup tool, or browse the full ATT&CK matrix.
Our coverage
- Screening Serpens: Iranian APT Fuses AppDomainManager Hijacking with New RATs in 2026 Espionage Campaign
- TCLBANKER Banking Trojan Spreads via WhatsApp and Outlook Worm Modules
- UAT-8302 China APT Malware Analysis: Shared Implants, IOCs, and Detection Rules
- Fast16 Malware Reverse-Engineering: State-Sponsored Computation Sabotage Analysis
Source: MITRE ATT&CK Enterprise matrix. View on attack.mitre.org →