title: Hijack Execution Flow (T1574)
id: df00tech-t1574
status: experimental
description: "This detection identifies adversaries attempting to hijack the operating system's execution flow to run malicious payloads. The detection covers the broad parent technique including DLL hijacking, path interception via unquoted service paths or PATH variable manipulation, dynamic linker hijacking on Linux/macOS, services file and registry permission weaknesses, and application shimming. By monitoring for suspicious image loads from non-standard directories, registry modifications to service image paths, creation of DLLs in directories preceding legitimate ones on the search path, and modifications to shared library paths on Linux, this detection surfaces the most common execution flow hijacking patterns across Windows, Linux, and macOS platforms. Malware families such as DarkGate, ShimRat, Raspberry Robin, and Denis have all leveraged these techniques for persistence and privilege escalation."
references:
  - https://attack.mitre.org/techniques/T1574/
  - https://df00tech.com/detections/T1574
author: df00tech
date: 2026/03/19
tags:
  - attack.t1574
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Software installers that temporarily drop DLLs into user-writable paths during setup (e.g., Adobe, Java, Teams updaters)"
  - "Developer workstations with custom PATH entries pointing to local build directories (e.g., C:\\Users\\dev\\bin added to PATH for custom CLI tools)"
  - IT automation tools such as SCCM/Intune agents that modify service registry keys during patch deployment
  - "Portable application suites (e.g., PortableApps) that legitimately place executables outside Program Files"
  - Security agents and EDR products that inject helper DLLs into processes from non-System32 locations
level: high