T1574 Hijack Execution Flow Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousDLLPaths = dynamic(["\\Users\\", "\\Temp\\", "\\AppData\\", "\\ProgramData\\", "\\Downloads\\"]);
let LegitSystemPaths = dynamic(["C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\", "C:\\Windows\\WinSxS\\"]);
// Branch 1: DLL loaded from suspicious user-writable path
let DLLHijack = DeviceImageLoadEvents
| where TimeGenerated > ago(1d)
| where ActionType == "ImageLoaded"
| where FileName endswith ".dll"
| where not(FolderPath has_any (LegitSystemPaths))
| where FolderPath has_any (SuspiciousDLLPaths)
| where InitiatingProcessFolderPath has_any (LegitSystemPaths)
| summarize DLLLoads=count(), DLLPaths=make_set(FolderPath,10), Processes=make_set(InitiatingProcessFileName,10) by DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName, bin(TimeGenerated, 5m)
| extend Technique="DLL Hijack - Suspicious DLL Load Path", Score=60;
// Branch 2: Service binary path modification in registry
let ServiceRegMod = DeviceRegistryEvents
| where TimeGenerated > ago(1d)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has_any ("HKLM\\SYSTEM\\CurrentControlSet\\Services", "HKLM\\System\\CurrentControlSet\\Services")
| where RegistryValueName in ("ImagePath", "ServiceDLL")
| where RegistryValueData has_any ("\\Users\\", "\\Temp\\", "\\AppData\\", "\\ProgramData\\", "%TEMP%", "%APPDATA%")
   or RegistryValueData matches regex @"[A-Za-z]:\\(?!Windows|Program Files)[^\\]+\\[^\\]+\.exe"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessAccountName
| extend Technique="Service Registry Hijack", Score=70;
// Branch 3: PATH environment variable modification in registry
let PathEnvMod = DeviceRegistryEvents
| where TimeGenerated > ago(1d)
| where ActionType == "RegistryValueSet"
| where RegistryKey has_any ("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment", "HKCU\\Environment")
| where RegistryValueName =~ "Path"
| where RegistryValueData has_any ("\\Users\\", "\\Temp\\", "\\AppData\\", "\\ProgramData\\")
   and not(RegistryValueData has "C:\\Windows")
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessAccountName
| extend Technique="PATH Environment Modification", Score=65;
// Branch 4: Executable created in directory that shadows system binary
let ShadowExec = DeviceFileEvents
| where TimeGenerated > ago(1d)
| where ActionType == "FileCreated"
| where FileName in~ ("cmd.exe","powershell.exe","net.exe","regsvr32.exe","rundll32.exe","msiexec.exe","wmic.exe","cscript.exe","wscript.exe","mshta.exe","certutil.exe","bitsadmin.exe","svchost.exe","explorer.exe")
| where not(FolderPath has_any ("C:\\Windows\\", "C:\\Program Files\\"))
| project TimeGenerated, DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName
| extend Technique="Shadow System Binary Creation", Score=85;
DLLHijack
| project TimeGenerated, DeviceName, AccountName=InitiatingProcessAccountName, ProcessName=InitiatingProcessFileName, Detail=tostring(DLLPaths), Technique, Score
| union (
    ServiceRegMod | project TimeGenerated, DeviceName, AccountName=InitiatingProcessAccountName, ProcessName=InitiatingProcessFileName, Detail=RegistryValueData, Technique, Score
)
| union (
    PathEnvMod | project TimeGenerated, DeviceName, AccountName=InitiatingProcessAccountName, ProcessName=InitiatingProcessFileName, Detail=RegistryValueData, Technique, Score
)
| union (
    ShadowExec | project TimeGenerated, DeviceName, AccountName=InitiatingProcessAccountName, ProcessName=InitiatingProcessFileName, Detail=FolderPath, Technique, Score
)
| order by Score desc, TimeGenerated desc

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceImageLoadEvents DeviceRegistryEvents DeviceFileEvents

False Positives

Software installers that temporarily drop DLLs into user-writable paths during setup (e.g., Adobe, Java, Teams updaters)
Developer workstations with custom PATH entries pointing to local build directories (e.g., C:\Users\dev\bin added to PATH for custom CLI tools)
IT automation tools such as SCCM/Intune agents that modify service registry keys during patch deployment
Portable application suites (e.g., PortableApps) that legitimately place executables outside Program Files
Security agents and EDR products that inject helper DLLs into processes from non-System32 locations

Splunk

spl

index=* earliest=-24h
(sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
| eval technique=""
| eval score=0
```Branch 1: Sysmon EventCode 7 - Image Load from suspicious path```
| where (EventCode=7 AND ImageLoaded!="" AND NOT match(ImageLoaded, "(?i)C:\\Windows\\(System32|SysWOW64|WinSxS)") AND match(ImageLoaded, "(?i)(\\Users\\|\\Temp\\|\\AppData\\|\\ProgramData\\|\\Downloads\\)") AND match(Image, "(?i)C:\\Windows\\"))
   OR
```Branch 2: Sysmon EventCode 13 - Registry value set for service ImagePath```
   (EventCode=13 AND TargetObject LIKE "%CurrentControlSet\\Services%" AND (Details LIKE "%\\Users\\%" OR Details LIKE "%\\Temp\\%" OR Details LIKE "%\\AppData\\%" OR Details LIKE "%\\ProgramData\\%"))
   OR
```Branch 3: Sysmon EventCode 11 - File create of system binary name outside Windows```
   (EventCode=11 AND (TargetFilename LIKE "%cmd.exe" OR TargetFilename LIKE "%powershell.exe" OR TargetFilename LIKE "%rundll32.exe" OR TargetFilename LIKE "%regsvr32.exe" OR TargetFilename LIKE "%msiexec.exe") AND NOT match(TargetFilename, "(?i)C:\\Windows\\"))
   OR
```Branch 4: Security EventCode 4688 - Process created from suspicious path matching system binary name```
   (EventCode=4688 AND (match(NewProcessName, "(?i)(\\Users\\|\\Temp\\|\\AppData\\|\\ProgramData\\)")) AND (match(NewProcessName, "(?i)(cmd\.exe|powershell\.exe|rundll32\.exe|regsvr32\.exe|msiexec\.exe|svchost\.exe)$")))
| eval technique=case(
    EventCode=7, "DLL Image Load from User-Writable Path",
    EventCode=13, "Service Registry Path Hijack",
    EventCode=11, "Shadow System Binary File Creation",
    EventCode=4688, "System Binary Name from Non-System Path",
    true(), "Unknown"
  )
| eval score=case(
    EventCode=7, 60,
    EventCode=13, 70,
    EventCode=11, 85,
    EventCode=4688, 80,
    true(), 50
  )
| eval actor=coalesce(User, SubjectUserName, "-")
| eval host=coalesce(ComputerName, host)
| eval detail=coalesce(ImageLoaded, TargetObject, TargetFilename, NewProcessName, "-")
| table _time, host, actor, EventCode, technique, score, detail, Image, ParentImage
| sort - score, - _time

high severity medium confidence

Data Sources

Sysmon Windows Security Event Log

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Application installers dropping DLLs temporarily into user-writable staging directories during installation routines
Developer environments with build output directories prepended to PATH that shadow system binary names
Enterprise management tools (SCCM, Ansible, Chef) that modify service registry values as part of legitimate configuration management
Penetration testing toolkits (e.g., Metasploit, Cobalt Strike in authorized engagements) that create test binaries in temp paths
Portable/containerized applications that bundle their own versions of common executables outside standard installation paths

Elastic Security (EQL)

eql

any where
  (event.category == "library" and dll.path : ("*\\AppData\\*", "*\\Temp\\*", "*\\ProgramData\\*")
   and not process.name : ("svchost.exe", "msiexec.exe"))
  or
  (event.category == "process" and event.type == "start"
   and process.name : ("net.exe", "cmd.exe", "powershell.exe")
   and not process.executable : "C:\\Windows\\*")

high severity medium confidence

Data Sources

Elastic Endpoint Security Library events Process events

Required Tables

logs-endpoint.events.library.* logs-endpoint.events.process.*

False Positives

Legitimate software installers that update components in TEMP during multi-step installation
Enterprise deployment tools (SCCM, Intune) staging and modifying binaries in temp locations
Self-updating applications that modify their own components before execution
Antivirus software modifying installer binaries during scanning or remediation

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS HostIP, username,
  "CommandLine", "Image" AS ProcessImage,
  "TargetFilename" AS ModifiedFile,
  CASE
    WHEN "TargetFilename" ILIKE '%\\temp\\%.exe' AND eventid = 11 THEN 90
    WHEN "TargetFilename" ILIKE '%\\temp\\%.dll' AND eventid = 11 THEN 80
    ELSE 50
  END AS RiskScore,
  CASE
    WHEN eventid = 11 AND "TargetFilename" ILIKE '%\\temp\\%.exe' THEN 'EXE Created in Temp'
    WHEN eventid = 1 AND "Image" ILIKE '%\\temp\\%' THEN 'Elevated Execution from Temp'
    ELSE 'Suspicious File Activity'
  END AS AlertType
FROM events
WHERE eventid IN (1, 11)
  AND ("Image" ILIKE '%\\temp\\%' OR "TargetFilename" ILIKE '%\\temp\\%')
  AND ("Image" ILIKE '%.exe%' OR "TargetFilename" ILIKE '%.exe' OR "TargetFilename" ILIKE '%.dll')
  AND username NOT ILIKE '%SYSTEM%'
  AND username NOT ILIKE '%TrustedInstaller%'
  AND LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
ORDER BY RiskScore DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Sysmon Event ID 1 Sysmon Event ID 11

Required Tables

events

False Positives

Legitimate multi-stage installer processes that modify binaries during installation
Enterprise software deployment (SCCM, Intune) staging binaries in temp directories
Self-updating applications modifying their own components
Antivirus software modifying installer files during remediation

Sumo Logic CSE

sql

_sourceCategory=*sysmon*
| json auto
| where EventCode in ("1","11")
| eval FilePath = if(EventCode = "1", Image, TargetFilename)
| where matches(lower(FilePath), "\\temp\\")
| where matches(lower(FilePath), "(\.exe|\.dll)$")
| eval IsInstaller = if(EventCode = "1" and matches(lower(Image), "(setup|install|msiexec|update)"), "true", "false")
| eval IsBinaryCreate = if(EventCode = "11", "true", "false")
| where User != "NT AUTHORITY\SYSTEM" and !isNull(User)
| eval RiskScore = if(IsInstaller = "true" or IsBinaryCreate = "true", 75, 40)
| stats values(EventCode) AS EventTypes, values(FilePath) AS Files, count AS EventCount by _sourceHost, User, _timeslice 10m
| where EventCount > 1
| sort by EventCount desc

high severity medium confidence

Data Sources

Sysmon Event ID 1 Sysmon Event ID 11

Required Tables

_sourceCategory=*sysmon*

False Positives

Multi-stage installers that legitimately modify components in TEMP during installation
Enterprise deployment solutions staging installer binaries in temporary locations
Self-updating applications that patch their own binaries before running them
Software that extracts and immediately executes components from archives

Google Chronicle / SecOps

yaral

rule T1574_hijack_execution {
  meta:
    author = "Detection Engineering"
    description = "Detects execution flow hijacking via installer or DLL path manipulation"
    severity = "high"
    confidence = "medium"
    mitre_attack = "T1574"
    reference = "https://attack.mitre.org/techniques/T1574/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i)\\temp\\.*\.exe`) or
      re.regex($e.target.process.file.full_path, `(?i)\\appdata\\.*\.exe`)
    )
    not re.regex($e.principal.process.file.full_path, `(?i)(msiexec|trustedinstaller|wusa|dpinst)`)
    not $e.principal.user.user_display_name = "SYSTEM"

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle SIEM Endpoint telemetry

Required Tables

PROCESS_LAUNCH

False Positives

Legitimate multi-stage installer processes that modify binaries during installation phases
Enterprise software deployment tools staging installer components in temp directories
Self-updating applications that download and replace their own binaries
Archive utilities that extract executables to temp before running them

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ("ProcessRollup2", "SyntheticProcessRollup2")
| ImageFileName = /(?i)\\temp\\.*\.exe/
| ParentBaseFileName != /(?i)(msiexec|trustedinstaller|wusa|dpinst|svchost)/
| UserName != "SYSTEM"
| UserName != ""
| groupBy([aid, ComputerName, ImageFileName, ParentBaseFileName, UserName, CommandLine], function=[count(as=EventCount), min(timestamp, as=FirstSeen)])
| case {
    ImageFileName = /(?i)\\temp\\/i AND ParentBaseFileName = /(?i)(setup|install|update)/ => RiskScore := "High";
    ImageFileName = /(?i)\\temp\\/i => RiskScore := "Medium";
    * => RiskScore := "Low";
  }
| where RiskScore in ("High", "Medium")
| table([ComputerName, UserName, ImageFileName, ParentBaseFileName, CommandLine, EventCount, RiskScore, FirstSeen])
| sort(RiskScore)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Process events

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

Legitimate enterprise installers that update extracted binaries during installation
Software deployment tools (SCCM, Intune) staging and modifying installers in temp
Self-patching applications that download and replace their own components
Automated software update mechanisms that modify binaries before execution

Hijack Execution Flow

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (12)

Same Tactic: Persistence

Popular Detections