T1574 Google Chronicle · YARA-L

Detect Hijack Execution Flow in Google Chronicle

This detection identifies adversaries attempting to hijack the operating system's execution flow to run malicious payloads. The detection covers the broad parent technique including DLL hijacking, path interception via unquoted service paths or PATH variable manipulation, dynamic linker hijacking on Linux/macOS, services file and registry permission weaknesses, and application shimming. By monitoring for suspicious image loads from non-standard directories, registry modifications to service image paths, creation of DLLs in directories preceding legitimate ones on the search path, and modifications to shared library paths on Linux, this detection surfaces the most common execution flow hijacking patterns across Windows, Linux, and macOS platforms. Malware families such as DarkGate, ShimRat, Raspberry Robin, and Denis have all leveraged these techniques for persistence and privilege escalation.

MITRE ATT&CK

Tactic
Persistence Privilege Escalation Defense Evasion
Technique
T1574 Hijack Execution Flow
Canonical reference
https://attack.mitre.org/techniques/T1574/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule T1574_hijack_execution {
  meta:
    author = "Detection Engineering"
    description = "Detects execution flow hijacking via installer or DLL path manipulation"
    severity = "high"
    confidence = "medium"
    mitre_attack = "T1574"
    reference = "https://attack.mitre.org/techniques/T1574/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i)\\temp\\.*\.exe`) or
      re.regex($e.target.process.file.full_path, `(?i)\\appdata\\.*\.exe`)
    )
    not re.regex($e.principal.process.file.full_path, `(?i)(msiexec|trustedinstaller|wusa|dpinst)`)
    not $e.principal.user.user_display_name = "SYSTEM"

  condition:
    $e
}
high severity medium confidence

Google Chronicle YARA-L 2.0 detection for Hijack Execution Flow. Multi-branch KQL detection covering the four most common Hijack Execution Flow patterns: (1) DLL image loads from user-writable directories when the initiating process is a legitimate system binary, (

Data Sources

Google Chronicle SIEMEndpoint telemetry

Required Tables

PROCESS_LAUNCH

False Positives & Tuning

  • Legitimate multi-stage installer processes that modify binaries during installation phases
  • Enterprise software deployment tools staging installer components in temp directories
  • Self-updating applications that download and replace their own binaries
  • Archive utilities that extract executables to temp before running them
Download portable Sigma rule (.yml)

Other platforms for T1574

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1DLL Search Order Hijack via Missing DLL in System Process Working Directory

    Expected signal: Sysmon Event ID 7 (ImageLoaded) with ImageLoaded path pointing to %TEMP%\wlbsctrl.dll. DeviceImageLoadEvents in MDE with FolderPath matching %TEMP%.

  2. Test 2Service Registry ImagePath Modification to Non-Standard Path

    Expected signal: Sysmon Event ID 13 (RegistryValueSet) for HKLM\SYSTEM\CurrentControlSet\Services\DummyTestSvc\ImagePath with value pointing to %TEMP%. Windows Security Event 4657 if object access auditing is enabled.

  3. Test 3PATH Environment Variable Hijack via User Registry Modification

    Expected signal: Sysmon Event ID 13 (RegistryValueSet) for HKCU\Environment\Path with the new value containing the %TEMP% subdirectory. DeviceRegistryEvents in MDE with RegistryValueData containing \Temp\.

  4. Test 4Linux Dynamic Linker Hijack via LD_PRELOAD

    Expected signal: Linux auditd syscall events for the execve/openat calls loading the malicious .so. Syslog entries if auditd is configured to monitor /tmp. Process events showing LD_PRELOAD environment variable set in process spawn context.

Last updated: 2026-03-19 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1574 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (12)

Related Techniques

T1574.001DLLT1574.004Dylib HijackingT1574.005Executable Installer File Permissions WeaknessT1574.006Dynamic Linker HijackingT1574.007Path Interception by PATH Environment VariableT1574.008Path Interception by Search Order HijackingT1574.009Path Interception by Unquoted PathT1574.010Services File Permissions WeaknessT1574.011Services Registry Permissions WeaknessT1574.012COR_PROFILERT1574.013KernelCallbackTableT1574.014AppDomainManagerT1055.011Extra Window Memory InjectionT1218.011Rundll32T1037Boot or Logon Initialization ScriptsT1053.005Scheduled Task

Same Tactic: Persistence

Popular Detections