Applied Cybernetics Group
T1574 — Hijack Execution Flow
- Technique
T1574- Tactics
- Stealth, Execution
- MISP citations
- 0
- KEV CVEs mapped
- 16
- Community rules
- 8
- thrunt rules
- 0
- Upstream
- https://attack.mitre.org/techniques/T1574
MITRE description
Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution. There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.
KEV CVEs mapped to this technique
Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.
CVE-2025-27363CVE-2024-21762CVE-2023-7024CVE-2023-6549CVE-2023-5217CVE-2023-4966CVE-2023-3519CVE-2023-27997CVE-2022-42475CVE-2022-41328CVE-2022-41073CVE-2022-3038CVE-2022-1040CVE-2020-5735CVE-2017-6742CVE-2016-1010
Detection coverage
SigmaHQ community rules
- Exploiting SetupComplete.cmd CVE-2019-1378 (emerging-threats)
- Potential PrintNightmare Exploitation Attempt (emerging-threats)
- Windows Spooler Service Suspicious Binary Load (emerging-threats)
- Potential Initial Access via DLL Search Order Hijacking (core)
- DLL Execution Via Register-cimprovider.exe (core)
- Regsvr32 DLL Execution With Uncommon Extension (core)
- Potential Registry Persistence Attempt Via DbgManagedDebugger (core)
- Suspicious Printer Driver Empty Manufacturer (core)