Clankerusecase
MITRE ATT&CK detection coverage

T1574 Hijack Execution Flow

T1574 — Hijack Execution Flow is a MITRE ATT&CK technique in the Defense Evasion tactic. Clankerusecase tracks 11 detection use cases covering it and 6 threat-intel articles citing it.

Defense Evasion · Execution
11 Use cases
6 Articles
12 Sub-techniques
2 Tactics

Sub-techniques (12)

Use cases covering this technique (11)

Windows BitDefender Submission Wizard DLL Sideloading | ESCU | actions · alerting
Windows Mock Trusted Directory MSC File Creation | ESCU | actions · alerting
Windows PowerShell Module File Created | ESCU | actions · hunting
Windows Rundll32 Execution With Log.DLL | ESCU | actions · hunting
Windows Set Custom DNS ServerLevelPlugin Via Dnscmd | ESCU | actions · hunting
[LLM] Splunk Secure Gateway Python script overwritten via PostgreSQL lo_export (CVE-2026-20253) | Bespoke | install · alerting
[LLM] Miasma loader artifact written to Python site-packages: .pth, _index.js, .abi3.so | Bespoke | install · alerting
[LLM] Vitest UI server launched with non-loopback --api.host / --host (CVE-2026-47429 exposure) | Bespoke | weapon · alerting
[LLM] OCI image extraction creates symlink with absolute path target (CWE-61 primitive) | Bespoke | exploit · alerting
[LLM] handler.lua dropped outside Algernon's configured web root (CVE-2026-45721 backdoor stage) | Bespoke | install · alerting
[LLM] litellm_init.pth Python autoload persistence drop | Bespoke | install · alerting

Articles citing this technique (6)