Detect Hijack Execution Flow in Microsoft Sentinel
This detection identifies adversaries attempting to hijack the operating system's execution flow to run malicious payloads. The detection covers the broad parent technique including DLL hijacking, path interception via unquoted service paths or PATH variable manipulation, dynamic linker hijacking on Linux/macOS, services file and registry permission weaknesses, and application shimming. By monitoring for suspicious image loads from non-standard directories, registry modifications to service image paths, creation of DLLs in directories preceding legitimate ones on the search path, and modifications to shared library paths on Linux, this detection surfaces the most common execution flow hijacking patterns across Windows, Linux, and macOS platforms. Malware families such as DarkGate, ShimRat, Raspberry Robin, and Denis have all leveraged these techniques for persistence and privilege escalation.
MITRE ATT&CK
- Technique
- T1574 Hijack Execution Flow
- Canonical reference
- https://attack.mitre.org/techniques/T1574/
KQL Detection Query
let SuspiciousDLLPaths = dynamic(["\\Users\\", "\\Temp\\", "\\AppData\\", "\\ProgramData\\", "\\Downloads\\"]);
let LegitSystemPaths = dynamic(["C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\", "C:\\Windows\\WinSxS\\"]);
// Branch 1: DLL loaded from suspicious user-writable path
let DLLHijack = DeviceImageLoadEvents
| where TimeGenerated > ago(1d)
| where ActionType == "ImageLoaded"
| where FileName endswith ".dll"
| where not(FolderPath has_any (LegitSystemPaths))
| where FolderPath has_any (SuspiciousDLLPaths)
| where InitiatingProcessFolderPath has_any (LegitSystemPaths)
| summarize DLLLoads=count(), DLLPaths=make_set(FolderPath,10), Processes=make_set(InitiatingProcessFileName,10) by DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName, bin(TimeGenerated, 5m)
| extend Technique="DLL Hijack - Suspicious DLL Load Path", Score=60;
// Branch 2: Service binary path modification in registry
let ServiceRegMod = DeviceRegistryEvents
| where TimeGenerated > ago(1d)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has_any ("HKLM\\SYSTEM\\CurrentControlSet\\Services", "HKLM\\System\\CurrentControlSet\\Services")
| where RegistryValueName in ("ImagePath", "ServiceDLL")
| where RegistryValueData has_any ("\\Users\\", "\\Temp\\", "\\AppData\\", "\\ProgramData\\", "%TEMP%", "%APPDATA%")
or RegistryValueData matches regex @"[A-Za-z]:\\(?!Windows|Program Files)[^\\]+\\[^\\]+\.exe"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessAccountName
| extend Technique="Service Registry Hijack", Score=70;
// Branch 3: PATH environment variable modification in registry
let PathEnvMod = DeviceRegistryEvents
| where TimeGenerated > ago(1d)
| where ActionType == "RegistryValueSet"
| where RegistryKey has_any ("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment", "HKCU\\Environment")
| where RegistryValueName =~ "Path"
| where RegistryValueData has_any ("\\Users\\", "\\Temp\\", "\\AppData\\", "\\ProgramData\\")
and not(RegistryValueData has "C:\\Windows")
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessAccountName
| extend Technique="PATH Environment Modification", Score=65;
// Branch 4: Executable created in directory that shadows system binary
let ShadowExec = DeviceFileEvents
| where TimeGenerated > ago(1d)
| where ActionType == "FileCreated"
| where FileName in~ ("cmd.exe","powershell.exe","net.exe","regsvr32.exe","rundll32.exe","msiexec.exe","wmic.exe","cscript.exe","wscript.exe","mshta.exe","certutil.exe","bitsadmin.exe","svchost.exe","explorer.exe")
| where not(FolderPath has_any ("C:\\Windows\\", "C:\\Program Files\\"))
| project TimeGenerated, DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName
| extend Technique="Shadow System Binary Creation", Score=85;
DLLHijack
| project TimeGenerated, DeviceName, AccountName=InitiatingProcessAccountName, ProcessName=InitiatingProcessFileName, Detail=tostring(DLLPaths), Technique, Score
| union (
ServiceRegMod | project TimeGenerated, DeviceName, AccountName=InitiatingProcessAccountName, ProcessName=InitiatingProcessFileName, Detail=RegistryValueData, Technique, Score
)
| union (
PathEnvMod | project TimeGenerated, DeviceName, AccountName=InitiatingProcessAccountName, ProcessName=InitiatingProcessFileName, Detail=RegistryValueData, Technique, Score
)
| union (
ShadowExec | project TimeGenerated, DeviceName, AccountName=InitiatingProcessAccountName, ProcessName=InitiatingProcessFileName, Detail=FolderPath, Technique, Score
)
| order by Score desc, TimeGenerated descMulti-branch KQL detection covering the four most common Hijack Execution Flow patterns: (1) DLL image loads from user-writable directories when the initiating process is a legitimate system binary, (2) service ImagePath or ServiceDLL registry values modified to point to non-standard directories, (3) PATH environment variable modifications that prepend user-writable directories, and (4) creation of executables with system binary names outside C:\Windows. Results are scored by risk level.
Data Sources
Required Tables
False Positives & Tuning
- Software installers that temporarily drop DLLs into user-writable paths during setup (e.g., Adobe, Java, Teams updaters)
- Developer workstations with custom PATH entries pointing to local build directories (e.g., C:\Users\dev\bin added to PATH for custom CLI tools)
- IT automation tools such as SCCM/Intune agents that modify service registry keys during patch deployment
- Portable application suites (e.g., PortableApps) that legitimately place executables outside Program Files
- Security agents and EDR products that inject helper DLLs into processes from non-System32 locations
Other platforms for T1574
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1DLL Search Order Hijack via Missing DLL in System Process Working Directory
Expected signal: Sysmon Event ID 7 (ImageLoaded) with ImageLoaded path pointing to %TEMP%\wlbsctrl.dll. DeviceImageLoadEvents in MDE with FolderPath matching %TEMP%.
- Test 2Service Registry ImagePath Modification to Non-Standard Path
Expected signal: Sysmon Event ID 13 (RegistryValueSet) for HKLM\SYSTEM\CurrentControlSet\Services\DummyTestSvc\ImagePath with value pointing to %TEMP%. Windows Security Event 4657 if object access auditing is enabled.
- Test 3PATH Environment Variable Hijack via User Registry Modification
Expected signal: Sysmon Event ID 13 (RegistryValueSet) for HKCU\Environment\Path with the new value containing the %TEMP% subdirectory. DeviceRegistryEvents in MDE with RegistryValueData containing \Temp\.
- Test 4Linux Dynamic Linker Hijack via LD_PRELOAD
Expected signal: Linux auditd syscall events for the execve/openat calls loading the malicious .so. Syslog entries if auditd is configured to monitor /tmp. Process events showing LD_PRELOAD environment variable set in process spawn context.
References (12)
- https://attack.mitre.org/techniques/T1574/
- https://attack.mitre.org/techniques/T1574/001/
- https://attack.mitre.org/techniques/T1574/004/
- https://attack.mitre.org/techniques/T1574/006/
- https://attack.mitre.org/techniques/T1574/007/
- https://attack.mitre.org/techniques/T1574/008/
- https://attack.mitre.org/techniques/T1574/009/
- https://attack.mitre.org/techniques/T1574/010/
- https://attack.mitre.org/techniques/T1574/011/
- https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order
- https://www.fox-it.com/en/insights/blogs/tech/mofang-a-politically-motivated-information-stealing-adversary/
- https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/
Unlock Pro Content
Get the full detection package for T1574 including response playbook, investigation guide, and atomic red team tests.
Related Detections
Sub-techniques (12)
- T1574.001DLL
- T1574.004Dylib Hijacking
- T1574.005Executable Installer File Permissions Weakness
- T1574.006Dynamic Linker Hijacking
- T1574.007Path Interception by PATH Environment Variable
- T1574.008Path Interception by Search Order Hijacking
- T1574.009Path Interception by Unquoted Path
- T1574.010Services File Permissions Weakness
- T1574.011Services Registry Permissions Weakness
- T1574.012COR_PROFILER
- T1574.013KernelCallbackTable
- T1574.014AppDomainManager