Which SIEM platforms have a T1574 detection rule?

df00tech provides T1574 (Hijack Execution Flow) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Hijack Execution Flow (T1574)?

Detecting Hijack Execution Flow requires the following data sources: Microsoft Defender for Endpoint.

What severity and confidence is the T1574 detection?

The T1574 detection is rated high severity with medium confidence.

What are common false positives for T1574?

Common false positives for T1574 include: Software installers that temporarily drop DLLs into user-writable paths during setup (e.g., Adobe, Java, Teams updaters); Developer workstations with custom PATH entries pointing to local build directories (e.g., C:\Users\dev\bin added to PATH for custom CLI tools); IT automation tools such as SCCM/Intune agents that modify service registry keys during patch deployment.

T1574 Splunk · SPL

Detect Hijack Execution Flow in Splunk

This detection identifies adversaries attempting to hijack the operating system's execution flow to run malicious payloads. The detection covers the broad parent technique including DLL hijacking, path interception via unquoted service paths or PATH variable manipulation, dynamic linker hijacking on Linux/macOS, services file and registry permission weaknesses, and application shimming. By monitoring for suspicious image loads from non-standard directories, registry modifications to service image paths, creation of DLLs in directories preceding legitimate ones on the search path, and modifications to shared library paths on Linux, this detection surfaces the most common execution flow hijacking patterns across Windows, Linux, and macOS platforms. Malware families such as DarkGate, ShimRat, Raspberry Robin, and Denis have all leveraged these techniques for persistence and privilege escalation.

MITRE ATT&CK

Tactic: Persistence Privilege Escalation Defense Evasion
Technique: T1574 Hijack Execution Flow
Canonical reference: https://attack.mitre.org/techniques/T1574/

SPL Detection Query

Splunk (SPL)

spl

index=* earliest=-24h
(sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
| eval technique=""
| eval score=0
```Branch 1: Sysmon EventCode 7 - Image Load from suspicious path```
| where (EventCode=7 AND ImageLoaded!="" AND NOT match(ImageLoaded, "(?i)C:\\Windows\\(System32|SysWOW64|WinSxS)") AND match(ImageLoaded, "(?i)(\\Users\\|\\Temp\\|\\AppData\\|\\ProgramData\\|\\Downloads\\)") AND match(Image, "(?i)C:\\Windows\\"))
   OR
```Branch 2: Sysmon EventCode 13 - Registry value set for service ImagePath```
   (EventCode=13 AND TargetObject LIKE "%CurrentControlSet\\Services%" AND (Details LIKE "%\\Users\\%" OR Details LIKE "%\\Temp\\%" OR Details LIKE "%\\AppData\\%" OR Details LIKE "%\\ProgramData\\%"))
   OR
```Branch 3: Sysmon EventCode 11 - File create of system binary name outside Windows```
   (EventCode=11 AND (TargetFilename LIKE "%cmd.exe" OR TargetFilename LIKE "%powershell.exe" OR TargetFilename LIKE "%rundll32.exe" OR TargetFilename LIKE "%regsvr32.exe" OR TargetFilename LIKE "%msiexec.exe") AND NOT match(TargetFilename, "(?i)C:\\Windows\\"))
   OR
```Branch 4: Security EventCode 4688 - Process created from suspicious path matching system binary name```
   (EventCode=4688 AND (match(NewProcessName, "(?i)(\\Users\\|\\Temp\\|\\AppData\\|\\ProgramData\\)")) AND (match(NewProcessName, "(?i)(cmd\.exe|powershell\.exe|rundll32\.exe|regsvr32\.exe|msiexec\.exe|svchost\.exe)$")))
| eval technique=case(
    EventCode=7, "DLL Image Load from User-Writable Path",
    EventCode=13, "Service Registry Path Hijack",
    EventCode=11, "Shadow System Binary File Creation",
    EventCode=4688, "System Binary Name from Non-System Path",
    true(), "Unknown"
  )
| eval score=case(
    EventCode=7, 60,
    EventCode=13, 70,
    EventCode=11, 85,
    EventCode=4688, 80,
    true(), 50
  )
| eval actor=coalesce(User, SubjectUserName, "-")
| eval host=coalesce(ComputerName, host)
| eval detail=coalesce(ImageLoaded, TargetObject, TargetFilename, NewProcessName, "-")
| table _time, host, actor, EventCode, technique, score, detail, Image, ParentImage
| sort - score, - _time

high severity medium confidence

Multi-branch SPL detection across Sysmon and Windows Security logs targeting: DLL image loads (Event 7) from user-writable directories initiated by system processes; registry value sets (Event 13) modifying service image paths to non-standard locations; file creation events (Event 11) for system binary names outside C:\Windows; and process creation events (Event 4688) where a process uses a system binary name but runs from a user-writable directory. Scored by risk.

Data Sources

SysmonWindows Security Event Log

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/OperationalWinEventLog:Security

False Positives & Tuning

Application installers dropping DLLs temporarily into user-writable staging directories during installation routines
Developer environments with build output directories prepended to PATH that shadow system binary names
Enterprise management tools (SCCM, Ansible, Chef) that modify service registry values as part of legitimate configuration management
Penetration testing toolkits (e.g., Metasploit, Cobalt Strike in authorized engagements) that create test binaries in temp paths
Portable/containerized applications that bundle their own versions of common executables outside standard installation paths

Download portable Sigma rule (.yml)

Other platforms for T1574

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1DLL Search Order Hijack via Missing DLL in System Process Working Directory
Expected signal: Sysmon Event ID 7 (ImageLoaded) with ImageLoaded path pointing to %TEMP%\wlbsctrl.dll. DeviceImageLoadEvents in MDE with FolderPath matching %TEMP%.
Test 2Service Registry ImagePath Modification to Non-Standard Path
Expected signal: Sysmon Event ID 13 (RegistryValueSet) for HKLM\SYSTEM\CurrentControlSet\Services\DummyTestSvc\ImagePath with value pointing to %TEMP%. Windows Security Event 4657 if object access auditing is enabled.
Test 3PATH Environment Variable Hijack via User Registry Modification
Expected signal: Sysmon Event ID 13 (RegistryValueSet) for HKCU\Environment\Path with the new value containing the %TEMP% subdirectory. DeviceRegistryEvents in MDE with RegistryValueData containing \Temp\.
Test 4Linux Dynamic Linker Hijack via LD_PRELOAD
Expected signal: Linux auditd syscall events for the execve/openat calls loading the malicious .so. Syslog entries if auditd is configured to monitor /tmp. Process events showing LD_PRELOAD environment variable set in process spawn context.

Last updated: 2026-03-19 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1574 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Sub-techniques (12)

Related Techniques

T1574.001DLL T1574.004Dylib Hijacking T1574.005Executable Installer File Permissions Weakness T1574.006Dynamic Linker Hijacking T1574.007Path Interception by PATH Environment Variable T1574.008Path Interception by Search Order Hijacking T1574.009Path Interception by Unquoted Path T1574.010Services File Permissions Weakness T1574.011Services Registry Permissions Weakness T1574.012COR_PROFILER T1574.013KernelCallbackTable T1574.014AppDomainManager T1055.011Extra Window Memory Injection T1218.011Rundll32 T1037Boot or Logon Initialization Scripts T1053.005Scheduled Task

Detect Hijack Execution Flow in Splunk

MITRE ATT&CK

SPL Detection Query

Data Sources

Required Sourcetypes

False Positives & Tuning

Other platforms for T1574

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (12)

Related Techniques

Same Tactic: Persistence

Popular Detections

MITRE ATT&CK

SPL Detection Query

Data Sources

Required Sourcetypes

False Positives & Tuning

Other platforms for T1574

Testing Methodology

Unlock Pro Content

Related Detections

Sub-techniques (12)

Related Techniques

Same Tactic: Persistence

Popular Detections

Get new detections in your inbox