Hijack Execution Flow T1574
Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.
Events covered
28 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 183 rules listed under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (70 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (1663 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Each value links to the rules under this technique that use it.
Exclusions (466 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Each value links to the rules under this technique that exclude it.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Each rule title links to its full predicates, exclusions, and indicators.
Sigma 129 rules
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- APT27 - Emissary Panda Activity
- Aruba Network Service Potential DLL Sideloading
- Changing Existing Service ImagePath Value Via Reg.EXE
- Creation Of Non-Existent System DLL
- Creation of WerFault.exe/Wer.dll in Unusual Folder
- DHCP Callout DLL Installation
- DHCP Server Error Failed Loading the CallOut DLL
- DHCP Server Loaded the CallOut DLL
- Diamond Sleet APT DLL Sideloading Indicators
- DLL Execution Via Register-cimprovider.exe
- DLL Names Used By SVR For GraphicalProton Backdoor
- DLL Search Order Hijackig Via Additional Space in Path
- DLL ServerLevelPluginDll command installation
- DLL ServerLevelPluginDll registration ("serverlevelplugindll" feature abuse)
- DLL ServerLevelPluginDll registration (Reg via Sysmon)
- DLL Sideloading by VMware Xfer Utility
- DLL Sideloading Of ShellChromeAPI.DLL
- DNS Server Error Failed Loading the ServerLevelPluginDLL
- Enabling COR Profiler Environment Variables
- Exploiting SetupComplete.cmd CVE-2019-1378
- Fax Service DLL Search Order Hijack
- HackTool - Powerup Write Hijack DLL
- HackTool - SharpUp PrivEsc Tool Execution
- Lazarus APT DLL Sideloading Activity
- Malicious DLL File Dropped in the Teams or OneDrive Folder
- Microsoft Defender Blocked from Loading Unsigned DLL
- Microsoft Office DLL Sideload
- New DNS ServerLevelPluginDll Installed
- New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
- Pingback Backdoor Activity
- Pingback Backdoor DLL Loading Activity
- Pingback Backdoor File Indicators
- Possible impact of 'SMOKEDHAM backdoor' with MSDTC service privilege escalation via command line
- Possible Privilege Escalation via Weak Service Permissions
- Potential 7za.DLL Sideloading
- Potential Antivirus Software DLL Sideloading
- Potential appverifUI.DLL Sideloading
- Potential AVKkid.DLL Sideloading
- Potential Azure Browser SSO Abuse
- Potential CCleanerDU.DLL Sideloading
- Potential CCleanerReactivator.DLL Sideloading
- Potential Chrome Frame Helper DLL Sideloading
- Potential DLL Sideloading Of DBGCORE.DLL
- Potential DLL Sideloading Of DBGHELP.DLL
- Potential DLL Sideloading Of DbgModel.DLL
- Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
- Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
- Potential DLL Sideloading Of MpSvc.DLL
- Potential DLL Sideloading Of MsCorSvc.DLL
- Potential DLL Sideloading Of Non-Existent DLLs From System Folders
- Potential DLL Sideloading Via ClassicExplorer32.dll
- Potential DLL Sideloading Via comctl32.dll
- Potential DLL Sideloading Via DeviceEnroller.EXE
- Potential DLL Sideloading Via JsSchHlp
- Potential DLL Sideloading Via VMware Xfer
- Potential EACore.DLL Sideloading
- Potential Edputil.DLL Sideloading
- Potential Goopdate.DLL Sideloading
- Potential Initial Access via DLL Search Order Hijacking
- Potential Iviewers.DLL Sideloading
- Potential JLI.dll Side-Loading
- Potential Libvlc.DLL Sideloading
- Potential Mfdetours.DLL Sideloading
- Potential Mpclient.DLL Sideloading
- Potential Mpclient.DLL Sideloading Via Defender Binaries
- Potential Notepad++ CVE-2025-49144 Exploitation
- Potential Persistence Attempt Via Existing Service Tampering
- Potential PlugX Activity
- Potential PrintNightmare Exploitation Attempt
- Potential Privilege Escalation via Service Permissions Weakness
- Potential Python DLL SideLoading
- Potential Raspberry Robin Aclui Dll SideLoading
- Potential Rcdll.DLL Sideloading
- Potential Registry Persistence Attempt Via DbgManagedDebugger
- Potential RjvPlatform.DLL Sideloading From Default Location
- Potential RjvPlatform.DLL Sideloading From Non-Default Location
- Potential RoboForm.DLL Sideloading
- Potential ShellDispatch.DLL Sideloading
- Potential SmadHook.DLL Sideloading
- Potential SolidPDFCreator.DLL Sideloading
- Potential Suspicious Activity Using SeCEdit
- Potential System DLL Sideloading From Non System Locations
- Potential Vcruntime140 DLL Sideloading
- Potential Vivaldi_elf.DLL Sideloading
- Potential Waveedit.DLL Sideloading
- Potential Wazuh Security Platform DLL Sideloading
- Potential WWlib.DLL Sideloading
- Potentially Suspicious Child Process of KeyScrambler.exe
- Registry Modification for OCI DLL Redirection
- Registry-Free Process Scope COR_PROFILER
- Regsvr32 DLL Execution With Uncommon Extension
- Renamed Vmnat.exe Execution
- Service abuse with malicious ImagePath (Reg via command)
- Service DACL Abuse To Hide Services Via Sc.EXE
- Service permissions hijacked for privileges abuse (PowerShell)
- Service permissions hijacked for privileges abuse (reg via command)
- Service permissions hijacked for privileges abuse (Reg via PowerShell)
- Service permissions hijacked for privileges abuse (service)
- Service Registry Key Read Access Request
- Service Registry Permissions Weakness Check
- Service Security Descriptor Tampering Via Sc.EXE
- Setup16.EXE Execution With Custom .Lst File
- Small Sieve Malware CommandLine Indicator
- Spool process spawned a CMD shell (PrintNightmare vulnerability - CVE-2021-36958)
- Suspicious GUP Usage
- Suspicious Printer Driver Empty Manufacturer
- Suspicious Service DACL Modification Via Set-Service Cmdlet - PS
- Suspicious Unsigned Thor Scanner Execution
- System Control Panel Item Loaded From Uncommon Location
- SystemNightmare by GentilKiwi - External printer mapped (CVE-2021-1675 / CVE-2021-34527)
- SystemNightmare by GentilKiwi - New external device added (CVE-2021-1675 / CVE-2021-34527)
- Tasks Folder Evasion
- Third Party Software DLL Sideloading
- Trusted Path Bypass via Windows Directory Spoofing
- UAC Bypass With Fake DLL
- Unsigned .node File Loaded
- Unsigned Binary Loaded From Suspicious Location
- Unsigned Mfdetours.DLL Sideloading
- Unsigned Module Loaded by ClickOnce Application
- Using SettingSyncHost.exe as LOLBin
- VMGuestLib DLL Sideload
- VMMap Signed Dbghelp.DLL Potential Sideloading
- VMMap Unsigned Dbghelp.DLL Potential Sideloading
- Windows Spooler Service Suspicious Binary Load
- Winnti Malware HK University Campaign
- Winnti Pipemon Characteristics
- Xwizard.EXE Execution From Non-Default Location
Elastic 20 rules
- Deprecated - Adobe Hijack Persistence
- Deprecated - Suspicious PrintSpooler Service Executable File Creation
- Persistence via TelemetryController Scheduled Task Hijack
- Persistence via Update Orchestrator Service Hijack
- Potential DLL Side-Loading via Trusted Microsoft Programs
- Potential Exploitation of an Unquoted Service Path Vulnerability
- Potential Privilege Escalation via InstallerFileTakeOver
- Potential Privilege Escalation via Service ImagePath Modification
- Potential Windows Session Hijacking via CcmExec
- Privilege Escalation via Windir Environment Variable
- Signed Proxy Execution via MS Work Folders
- Suspicious DLL Loaded for Persistence or Privilege Escalation
- Suspicious Microsoft Antimalware Service Execution
- Suspicious Print Spooler Point and Print DLL
- Unsigned DLL Loaded by a Trusted Process
- Unsigned DLL Loaded by Svchost
- Unsigned DLL Side-Loading from a Suspicious Folder
- Untrusted DLL Loaded by Azure AD Connect Authentication Agent
- Unusual Persistence via Services Registry
- WPS Office Exploitation via DLL Hijack
Splunk 29 rules
- Detect Path Interception By Creation Of program exe
- GitHub Workflow File Creation or Modification
- iphlpapi.dll File Write to Appdata_Local_Microsoft (Sysmon)
- MSI Module Loaded by Non-System Binary
- Msmpeng Application DLL Side Loading
- Reg exe Manipulating Windows Services Registry Keys
- Shai-Hulud Workflow File Creation or Modification
- Windows BitDefender Submission Wizard DLL Sideloading
- Windows DLL Search Order Hijacking Hunt with Sysmon
- Windows DLL Search Order Hijacking with iscsicpl
- Windows DLL Side-Loading In Calc
- Windows DLL Side-Loading Process Child Of Calc
- Windows Get-Variable.EXE Execution from WindowsApps Folder
- Windows Hijack Execution Flow Version Dll Side Load
- Windows Known Abused DLL Created
- Windows Known Abused DLL Loaded Suspiciously
- Windows Known GraphicalProton Loaded Modules
- Windows Masquerading Explorer As Child Process
- Windows Mock Trusted Directory MSC File Creation
- Windows Mustang Panda USB Tool Execution
- Windows Potential AppDomainManager Hijack Artifacts Creation
- Windows PowerShell Module File Created
- Windows Rundll32 Execution With Log.DLL
- Windows Service Creation Using Registry Entry
- Windows Set Custom DNS ServerLevelPlugin Via Dnscmd
- Windows SqlWriter SQLDumper DLL Sideload
- Windows Unsigned DLL Side-Loading
- Windows Unsigned DLL Side-Loading In Same Process Path
- Windows Unsigned MS DLL Side-Loading