1. Home
  2. Techniques
  3. Enterprise
  4. Hijack Execution Flow

Hijack Execution Flow

ID Name
T1574.001 DLL Search Order Hijacking
T1574.002 DLL Side-Loading
T1574.004 Dylib Hijacking
T1574.005 Executable Installer File Permissions Weakness
T1574.006 Dynamic Linker Hijacking
T1574.007 Path Interception by PATH Environment Variable
T1574.008 Path Interception by Search Order Hijacking
T1574.009 Path Interception by Unquoted Path
T1574.010 Services File Permissions Weakness
T1574.011 Services Registry Permissions Weakness
T1574.012 COR_PROFILER

Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.

There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.

ID: T1574
Sub-techniques:  T1574.001, T1574.002, T1574.004, T1574.005, T1574.006, T1574.007, T1574.008, T1574.009, T1574.010, T1574.011, T1574.012
Platforms: Linux, Windows, macOS
Defense Bypassed: Anti-virus, Application control
Version: 1.1
Created: 12 March 2020
Last Modified: 14 October 2021
Provided by LAYER 8

Procedure Examples

ID Name Description
S0354 Denis

Denis replaces the nonexistent Windows DLL "msfte.dll" with its own malicious version, which is loaded by the SearchIndexer.exe and SearchProtocolHost.exe.[1]
S0567 Dtrack

One of Dtrack can replace the normal flow of a program execution with malicious code.[2]
S0444 ShimRat

ShimRat can hijack the cryptbase.dll within migwiz.exe to escalate privileges and bypass UAC controls.[3]

Mitigations

ID Mitigation Description
M1013 Application Developer Guidance

When possible, include hash values in manifest files to help prevent side-loading of malicious libraries.[4]
M1047 Audit

Use auditing tools capable of detecting hijacking opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for hijacking weaknesses.[5]

Use the program sxstrace.exe that is included with Windows along with manual inspection to check manifest files for side-loading vulnerabilities in software.

Find and eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate.

Clean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries. Periodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations.[6][7][8]
M1038 Execution Prevention

Adversaries may use new payloads to execute this technique. Identify and block potentially malicious software executed through hijacking by using application control solutions also capable of blocking libraries loaded by legitimate software.
M1022 Restrict File and Directory Permissions

Install software in write-protected locations. Set directory access controls to prevent file writes to the search paths for applications, both in the folders where applications are run from and the standard library folders.
M1044 Restrict Library Loading

Disallow loading of remote DLLs. This is included by default in Windows Server 2012+ and is available by patch for XP+ and Server 2003+.

Enable Safe DLL Search Mode to force search for system DLLs in directories with greater restrictions (e.g. %SYSTEMROOT%)to be used before local directory DLLs (e.g. a user's home directory)

The Safe DLL Search Mode can be enabled via Group Policy at Computer Configuration > [Policies] > Administrative Templates > MSS (Legacy): MSS: (SafeDllSearchMode) Enable Safe DLL search mode. The associated Windows Registry key for this is located at HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDLLSearchMode[9][10]
M1024 Restrict Registry Permissions

Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.
M1051 Update Software

Update software regularly to include patches that fix DLL side-loading vulnerabilities.
M1052 User Account Control

Turn off UAC's privilege elevation for standard users [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] to automatically deny elevation requests, add: "ConsentPromptBehaviorUser"=dword:00000000. Consider enabling installer detection for all users by adding: "EnableInstallerDetection"=dword:00000001. This will prompt for a password for installation and also log the attempt. To disable installer detection, instead add: "EnableInstallerDetection"=dword:00000000. This may prevent potential elevation of privileges through exploitation during the process of UAC detecting the installer, but will allow the installation process to continue without being logged. [11]
M1018 User Account Management

Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able.

Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\Windows\, to reduce places where malicious files could be placed for execution.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Creation
File Modification
DS0011 Module Module Load
DS0009 Process Process Creation
DS0019 Service Service Metadata
DS0024 Windows Registry Windows Registry Key Modification

Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths. Modifications to or creation of .manifest and .local redirection files that do not correlate with software updates are suspicious.

Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.

Monitor for changes to environment variables, as well as the commands to implement these changes.

Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so, abnormal process call trees). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.

Service changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. [12] Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.

References

  1. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  2. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.
  3. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  4. Amanda Steward. (2014). FireEye DLL Side-Loading: A Thorn in the Side of the Anti-Virus Industry. Retrieved March 13, 2020.
  5. PowerSploit. (n.d.). Retrieved December 4, 2014.
  6. Microsoft. (n.d.). CreateProcess function. Retrieved December 5, 2014.
  1. Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved July 25, 2016.
  2. Kanthak, S.. (2016, July 20). Vulnerability and Exploit Detector. Retrieved February 3, 2017.
  3. Microsoft. (2010, August 12). More information about the DLL Preloading remote attack vector. Retrieved December 5, 2014.
  4. Microsoft. (2018, May 31). Dynamic-Link Library Search Order. Retrieved November 30, 2014.
  5. Stefan Kanthak. (2015, December 8). Executable installers are vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation of privilege. Retrieved December 4, 2014.
  6. Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. Retrieved March 13, 2020.