T1574 IBM QRadar · QRadar

Detect Hijack Execution Flow in IBM QRadar

This detection identifies adversaries attempting to hijack the operating system's execution flow to run malicious payloads. The detection covers the broad parent technique including DLL hijacking, path interception via unquoted service paths or PATH variable manipulation, dynamic linker hijacking on Linux/macOS, services file and registry permission weaknesses, and application shimming. By monitoring for suspicious image loads from non-standard directories, registry modifications to service image paths, creation of DLLs in directories preceding legitimate ones on the search path, and modifications to shared library paths on Linux, this detection surfaces the most common execution flow hijacking patterns across Windows, Linux, and macOS platforms. Malware families such as DarkGate, ShimRat, Raspberry Robin, and Denis have all leveraged these techniques for persistence and privilege escalation.

MITRE ATT&CK

Tactic
Persistence Privilege Escalation Defense Evasion
Technique
T1574 Hijack Execution Flow
Canonical reference
https://attack.mitre.org/techniques/T1574/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS HostIP, username,
  "CommandLine", "Image" AS ProcessImage,
  "TargetFilename" AS ModifiedFile,
  CASE
    WHEN "TargetFilename" ILIKE '%\\temp\\%.exe' AND eventid = 11 THEN 90
    WHEN "TargetFilename" ILIKE '%\\temp\\%.dll' AND eventid = 11 THEN 80
    ELSE 50
  END AS RiskScore,
  CASE
    WHEN eventid = 11 AND "TargetFilename" ILIKE '%\\temp\\%.exe' THEN 'EXE Created in Temp'
    WHEN eventid = 1 AND "Image" ILIKE '%\\temp\\%' THEN 'Elevated Execution from Temp'
    ELSE 'Suspicious File Activity'
  END AS AlertType
FROM events
WHERE eventid IN (1, 11)
  AND ("Image" ILIKE '%\\temp\\%' OR "TargetFilename" ILIKE '%\\temp\\%')
  AND ("Image" ILIKE '%.exe%' OR "TargetFilename" ILIKE '%.exe' OR "TargetFilename" ILIKE '%.dll')
  AND username NOT ILIKE '%SYSTEM%'
  AND username NOT ILIKE '%TrustedInstaller%'
  AND LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
ORDER BY RiskScore DESC
LAST 24 HOURS
high severity medium confidence

QRadar AQL detection for Hijack Execution Flow. Multi-branch KQL detection covering the four most common Hijack Execution Flow patterns: (1) DLL image loads from user-writable directories when the initiating process is a legitimate system binary, (

Data Sources

Sysmon Event ID 1Sysmon Event ID 11

Required Tables

events

False Positives & Tuning

  • Legitimate multi-stage installer processes that modify binaries during installation
  • Enterprise software deployment (SCCM, Intune) staging binaries in temp directories
  • Self-updating applications modifying their own components
  • Antivirus software modifying installer files during remediation
Download portable Sigma rule (.yml)

Other platforms for T1574

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1DLL Search Order Hijack via Missing DLL in System Process Working Directory

    Expected signal: Sysmon Event ID 7 (ImageLoaded) with ImageLoaded path pointing to %TEMP%\wlbsctrl.dll. DeviceImageLoadEvents in MDE with FolderPath matching %TEMP%.

  2. Test 2Service Registry ImagePath Modification to Non-Standard Path

    Expected signal: Sysmon Event ID 13 (RegistryValueSet) for HKLM\SYSTEM\CurrentControlSet\Services\DummyTestSvc\ImagePath with value pointing to %TEMP%. Windows Security Event 4657 if object access auditing is enabled.

  3. Test 3PATH Environment Variable Hijack via User Registry Modification

    Expected signal: Sysmon Event ID 13 (RegistryValueSet) for HKCU\Environment\Path with the new value containing the %TEMP% subdirectory. DeviceRegistryEvents in MDE with RegistryValueData containing \Temp\.

  4. Test 4Linux Dynamic Linker Hijack via LD_PRELOAD

    Expected signal: Linux auditd syscall events for the execve/openat calls loading the malicious .so. Syslog entries if auditd is configured to monitor /tmp. Process events showing LD_PRELOAD environment variable set in process spawn context.

Last updated: 2026-03-19 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1574 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (12)

Related Techniques

T1574.001DLLT1574.004Dylib HijackingT1574.005Executable Installer File Permissions WeaknessT1574.006Dynamic Linker HijackingT1574.007Path Interception by PATH Environment VariableT1574.008Path Interception by Search Order HijackingT1574.009Path Interception by Unquoted PathT1574.010Services File Permissions WeaknessT1574.011Services Registry Permissions WeaknessT1574.012COR_PROFILERT1574.013KernelCallbackTableT1574.014AppDomainManagerT1055.011Extra Window Memory InjectionT1218.011Rundll32T1037Boot or Logon Initialization ScriptsT1053.005Scheduled Task

Same Tactic: Persistence

Popular Detections