# T1574 Hijack Execution Flow

-----------------------------------------------------------------------

## Technique Description

Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.

There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.

## Technique Detection

Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths. Modifications to or creation of .manifest and .local redirection files that do not correlate with software updates are suspicious.

Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.

Monitor for changes to environment variables, as well as the commands to implement these changes.

Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so, abnormal process call trees). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.

Service changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and do not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.

-----------------------------------------------------------------------

### Tactics:

  * Persistence

  * Privilege-Escalation

  * Defense-Evasion

### Platforms:

  * Linux

  * macOS

  * Windows

### Defenses Bypassed:

  * Anti-virus

  * Application Control

### Data Sources:

  * **Service:** Service Metadata

  * **Module:** Module Load

  * **File:** File Modification

  * **Process:** Process Creation

  * **Windows Registry:** Windows Registry Key Modification

  * **File:** File Creation

  * **Command:** Command Execution

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1574)

  * [Autoruns For Windows](https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns), Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. Retrieved March 13, 2020.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 22 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres, Aaron Diaz

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- This is a common technique for malware authors to implement and is difficult to detect without proper visibility on the host. The data sources listed in the table above are required to have a realistic chance of detecting complex implementations of this technique.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT28 | | |
| APT29 | | |
| Turla | | |

## Detection Blindspots

- Sysmon image-load events are used for the primary Sigma rule identified. False positives are a given and the rule will need tailoring to the environment. Some of the research targets system binaries present on all Windows machines and does not cover custom or third-party software, which may be vulnerable to the same attacks.

- FRESH (20OCT2020): Using all of the research above, a security researcher has created a platform to rapidly prototype and weaponize DLL hijacks:
    - https://github.com/slaeryan/AQUARMOURY/tree/master/Brownie

## Analytical References

- https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/
- https://redcanary.com/threat-detection-report/techniques/dll-search-order-hijacking/#detection
- https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
- https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0
- https://www.a12d404.net/security/2019/01/01/side-loading-fun.html
- https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
- https://labs.sentinelone.com/leveraging-ld_audit-to-beat-the-traditional-linux-library-preloading-technique/
- https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order
- http://www.goldsborough.me/c/low-level/kernel/2016/08/29/16-48-53-the_-ld_preload-_trick/
- https://sysdig.com/blog/hiding-linux-processes-for-fun-and-profit/
- https://h0mbre.github.io/Learn-C-By-Creating-A-Rootkit/#
- https://forensicitguy.github.io/posts/linux-edr-evasion-with-ld-preload/
- https://raw.githubusercontent.com/wietze/windows-dll-hijacking/master/possible_windows_dll_hijacking.yml

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths. Modifications to or creation of .manifest and .local redirection files that do not correlate with software updates are suspicious.

- Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.

- Monitor for changes to environment variables, as well as the commands to implement these changes.

- Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so, abnormal process call trees). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.

- Service changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and do not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

- Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.

- Locate any DLLs and "Signed/Trusted" binaries that may be in suspicious locations.
    - Signed Microsoft Binaries being written by **cmd.exe** to **ProgramData** or **AppData**
    - Signed, trusted binaries executing from User **AppData** or **ProgramData** folders loading a single unsigned DLL from the same folder
    - Scheduled task creation to execute binaries from User **AppData** or **ProgramData** folders
    - DLLs that normally live in system paths, such as **kernel32.dll** or **ntdll.dll**, found in abnormal folders
    - Frequency analysis on the least commonly found DLLs located outside of normal system folders
    - Unsigned DLLs written to suspicious folders such as **Temp** or **AppData**

#### Analytic 1

  * **Information:** Suspicious Path Execution

  * **Source:** Sysmon

  * **Tool:** Kibana

  * **Notes:** N/A

  * **Query_1:** `event.type: creation AND file.path:("AppData" OR "ProgramData") AND file.name:*.dll`

  * **Query_2:** `process.command_line:(*AppData* OR *ProgramData*) AND file.code_signature.valid: true`

  * **Query notes:** In KQL a wildcard inside a quoted string is matched literally, so the `*.dll` and `*AppData*` patterns are left unquoted. Query_1 surfaces DLL creation under user-writable profile and ProgramData paths; Query_2 surfaces signed images executing from those paths, which should then be correlated with image loads of unsigned DLLs from the same folder.



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------



