Hijack Execution Flow (T1574)

Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.

Events covered

28 catalog events are tagged with this technique by at least one rule.

Provider | Event | Title
Sysmon | Event ID 1 | Process creation
Sysmon | Event ID 7 | Image loaded
Sysmon | Event ID 11 | FileCreate
Sysmon | Event ID 12 | RegistryEvent (Object create and delete)
Sysmon | Event ID 13 | RegistryEvent (Value Set)
Sysmon | Event ID 14 | RegistryEvent (Key and Value Rename)
Sysmon | Event ID 23 | FileDelete (File Delete archived)
Sysmon | Event ID 26 | FileDeleteDetected (File Delete logged)
Security-Auditing | Event ID 4648 | A logon was attempted using explicit credentials.
Security-Auditing | Event ID 4657 | A registry value was modified.
Security-Auditing | Event ID 4663 | An attempt was made to access an object.
Security-Auditing | Event ID 4688 | A new process has been created.
Security-Auditing | Event ID 6416 | A new external device was recognized by the system.
Defender-DeviceImageLoadEvents | any | Image load (any)
Defender-DeviceProcessEvents | any | Process activity (any)
Defender-DeviceRegistryEvents | RegistryValueSet | Registry value set
DHCP-Server | Event ID 1031 | [EVENT_SERVER_CALLOUT_UNHANDLED_EXCEPTION] The installed server callout .dll file has caused an exception.
DHCP-Server | Event ID 1032 | [EVENT_SERVER_CALLOUT_LOAD_EXCEPTION] The installed server callout .dll file has caused an exception. The .dll file couldn't be loaded.
DHCP-Server | Event ID 1033 | [EVENT_SERVER_CALLOUT_LOAD_SUCCESS] The DHCP service has successfully loaded one or more callout DLLs.
DHCP-Server | Event ID 1034 | [EVENT_SERVER_READ_ONLY_GROUP_ERROR] The DHCP service has failed to load one or more callout DLLs.
DNS-Server-Service | Event ID 150 | The DNS server could not load or initialize the plug-in DLL Name.
DNS-Server-Service | Event ID 770 | A DNS server plugin DLL has been loaded from location param1 on server param2.
DNS-Server-Service | Event ID 771 | The V1 plugin interface has been implemented in server level plugin DLL.
PowerShell | Event ID 4103 | Payload Context: ContextInfo User Data: UserData.
PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal).
Security-Mitigations | Event ID 11 | Process 'ProcessPath' (PID ProcessId) would have been blocked from loading the non-Microsoft-signed binary 'ImageName'.
Security-Mitigations | Event ID 12 | Process 'ProcessPath' (PID ProcessId) was blocked from loading the non-Microsoft-signed binary 'ImageName'.
PowerShell | Event ID 800 | Event ID 800

Authoring guide

Patterns shared across the 183 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (70 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
Image | 82 | ends_with 62, starts_with 18, eq 13, contains 11, in 2, is_null 1, match 1, wildcard 1 | \sc.exe, \cmd.exe, \reg.exe, c:\windows\system32\, c:\windows\syswow64\
ImageLoaded | 75 | ends_with 59, starts_with 35, contains 19, eq 7, in 5, wildcard 3 | *:\\windows\\system32\\*, *:\\windows\\syswow64\\*, c:\program files (x86)\, c:\program files (x86)\windows kits\, :\program files (x86)\windows kits\10\bin\
CommandLine | 31 | contains 29, ends_with 3, eq 1, is_null 1, match 1, regex_match 1, starts_with 1 | config, /config, /serverlevelplugindll, dclcwpdtsd, msdtc
OriginalFileName | 17 | eq 15, in 1, ne 1 | sc.exe, -, bdsubmit.exe, bdsw.exe, cmd.exe
TargetFilename | 17 | ends_with 5, in 5, contains 3, eq 2, starts_with 2, wildcard 2, regex_match 1 | .dll, (?i)\x5cappdata\x5clocal\x5cmicrosoft\x5c.*iphlpapi\.dll, */.github/workflows/*.yaml, */.github/workflows/*.yml, */.github/workflows/discussion.yaml
Signed | 15 | eq 15 | true, false
process_name | 15 | eq 12, ne 2, in 1 | cmd.exe, explorer.exe, azureadconnectauthenticationagentservice.exe, bash.exe, control.exe
EventID | 14 | eq 14 | 7, 11, 4657, 4688
event.type | 12 | eq 12 | start, change, creation
SignatureStatus | 11 | eq 8, ne 3 | Valid, Expired, Unavailable, unavailable, valid
TargetObject | 11 | ends_with 7, contains 3, wildcard 2 | \services\dns\parameters\serverlevelplugindll, *\software\microsoft\windows..., *\software\microsoft\windows..., \control\print\environments\windows x64\drivers, \cor_enable_profiling
parent_process_name | 9 | eq 6, in 2, ends_with 1, starts_with 1 | CompatTelRunner.exe, WorkFolders.exe, \spoolsv.exe, beasvc.exe, calc.exe
Details | 7 | eq 3, contains 2, ends_with 1, is_not_null 1, starts_with 1 | "C:\Windows\system32\vsjitdebugger.exe" PID %d APPDOM %d..., %systemroot%\system32\, (Empty), C:\Windows\System32\spool\drivers\x64\4, C:\Windows\System32\spool\drivers\x64\4\
ParentImage | 7 | ends_with 5, contains 2, eq 2, starts_with 1 | \appdata\roaming\, \hpqhvind.exe, \keyscrambler.exe, \sllauncher.exe, \spoolsv.exe
ScriptBlockText | 6 | contains 6, regex_match 1 | -sd , -securitydescriptorsddl , $env:cor_enable_profiling, $env:cor_profiler, $env:cor_profiler_path

Top indicator values (1663 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for a useful signal. A blank Corpus reach means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

Field | Kind | Value | Corpus reach
EventID | eq | 7 | 1139
ImageLoaded | starts_with | c:\windows\winsxs\ | 99
ImageLoaded | starts_with | c:\windows\system32\ | 89
ImageLoaded | starts_with | c:\windows\syswow64\ | 89
ImageLoaded | starts_with | c:\program files (x86)\ | 77
ImageLoaded | starts_with | c:\program files\ | 77
ImageLoaded | starts_with | c:\program files (x86)\windows kits\ | 33
Signed | eq | true | 910
Signed | eq | false | 69
event.type | eq | start | 7241
event.type | eq | change | 346
Image | ends_with | \sc.exe | 530
Image | ends_with | \pwsh.exe | 4172
Image | ends_with | \cmd.exe | 3134
Image | ends_with | \powershell.exe | 3186
Image | ends_with | \reg.exe | 360
Image | ends_with | \regsvr32.exe | 368
Image | starts_with | c:\windows\system32\ | 424
Image | starts_with | c:\windows\syswow64\ | 422
Image | starts_with | c:\windows\winsxs\ | 417
SignatureStatus | eq | Valid | 45
CommandLine | contains | config | 315
CommandLine | contains | sdset | 35
CommandLine | contains | .dll | 221
ImageLoaded | in | *:\\windows\\system32\\* | 33
ImageLoaded | in | *:\\windows\\syswow64\\* | 33
OriginalFileName | eq | sc.exe | 326
SignatureStatus | ne | Valid | 33
dll.Ext.relative_file_name_modify_time | le | 500 | 34
registry_value_name | eq | ImagePath | 35

Exclusions (466 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out; a new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

Field | Kind | Value | Rules excluding
ImageLoaded | starts_with | c:\windows\winsxs\ | 9
ImageLoaded | starts_with | c:\windows\system32\ | 8
ImageLoaded | starts_with | c:\windows\syswow64\ | 8
ImageLoaded | starts_with | c:\program files (x86)\ | 7
ImageLoaded | starts_with | c:\program files\ | 7
ImageLoaded | starts_with | c:\program files (x86)\windows kits\ | 3
Signed | eq | true | 8
Image | starts_with | c:\windows\system32\ | 4
Image | starts_with | c:\windows\syswow64\ | 4
Image | starts_with | c:\windows\winsxs\ | 4
SignatureStatus | eq | Valid | 4
dll.code_signature.status | wildcard | errorCode_endpoint* | 3
dll.code_signature.status | wildcard | errorExpired | 3
dll.code_signature.status | wildcard | trusted | 3
Image | contains | \windows resource kit\ | 2

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma: 129 rules
Elastic: 20 rules
Splunk: 29 rules
Kusto: 5 rules