Detection Strategy for Hijack Execution Flow across OS platforms.

Technique Detected: Hijack Execution Flow | T1574

ID: DET0218
Domains: Enterprise
Analytics: AN0609, AN0610, AN0611
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0609

Unusual modifications to service binary paths, registry keys, or DLL load paths resulting in alternate execution flow. Defender observes registry key modifications, suspicious file writes into system directories, and processes loading libraries from abnormal paths.

Log Sources
Data Component | Name | Channel
Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1
Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7
Windows Registry Key Modification (DC0063) | WinEventLog:Security | EventCode=4657
File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11

Mutable Elements
Field | Description
ServiceBaseline | Expected registry keys and service paths for comparison.
AllowedDllPaths | Directories considered valid for DLL loading.
TimeWindow | Correlation interval between registry/file modification and process execution.
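The two checks AN0609 describes, written out as an added example (this is not code from the ATT&CK page): Sysmon EventCode 7 module loads compared against AllowedDllPaths, and a Security 4657 change to a service ImagePath compared against ServiceBaseline and then correlated, within TimeWindow, with a Sysmon EventCode 1 process start of the new path. All events and baseline values are constructed; the field names (Image, ImageLoaded, UtcTime, ObjectName, ObjectValueName, NewValue) are an assumption about how the collector presents those events.

```python
"""Added example for AN0609 (not part of the ATT&CK page): two checks over
Sysmon and Security events. All events and baseline values are constructed;
field names follow Sysmon (Image, ImageLoaded, UtcTime) and Security 4657
(ObjectName, ObjectValueName, NewValue) but are assumptions about how the
collector presents them.
"""
from datetime import datetime, timedelta

# Mutable elements from the analytic, with hypothetical baseline values.
ALLOWED_DLL_PATHS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                     "c:\\program files\\", "c:\\program files (x86)\\")
SERVICE_BASELINE = {  # registry key (lower-cased) -> expected ImagePath
    "\\registry\\machine\\system\\currentcontrolset\\services\\spooler":
        "c:\\windows\\system32\\spoolsv.exe",
    "\\registry\\machine\\system\\currentcontrolset\\services\\w32time":
        "c:\\windows\\system32\\svchost.exe -k localservice",
}
TIME_WINDOW = timedelta(minutes=15)


def ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def image_from_command(command):
    """First token of an ImagePath value, quotes stripped and lower-cased."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0].lower()
    return command.split(" ", 1)[0].lower()


def abnormal_module_loads(events):
    """Sysmon EventCode 7: DLL loaded from outside AllowedDllPaths."""
    return [(e["Image"], e["ImageLoaded"]) for e in events
            if e["EventCode"] == 7
            and not e["ImageLoaded"].lower().startswith(ALLOWED_DLL_PATHS)]


def service_path_drift(events):
    """Security 4657 on a service's ImagePath whose NewValue differs from
    ServiceBaseline. Returns (time, key, new value) tuples."""
    drift = []
    for e in events:
        if e["EventCode"] != 4657 or e["ObjectValueName"].lower() != "imagepath":
            continue
        key = e["ObjectName"].lower()
        expected = SERVICE_BASELINE.get(key)
        if expected is not None and e["NewValue"].lower() != expected:
            drift.append((ts(e["UtcTime"]), key, e["NewValue"]))
    return drift


def correlate_drift_to_execution(events):
    """A drifted service path followed within TimeWindow by a Sysmon
    EventCode 1 whose Image is the new executable."""
    starts = [(ts(e["UtcTime"]), e["Image"].lower())
              for e in events if e["EventCode"] == 1]
    alerts = []
    for when, key, new_value in service_path_drift(events):
        exe = image_from_command(new_value)
        for started, image in starts:
            if image == exe and when <= started <= when + TIME_WINDOW:
                alerts.append((key, exe, started))
    return alerts


# Constructed sample events (not real telemetry).
EVENTS = [
    {"EventCode": 7, "UtcTime": "2025-10-21 09:00:01",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
    {"EventCode": 7, "UtcTime": "2025-10-21 09:00:05",
     "Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Users\\Public\\version.dll"},  # load from a user-writable path
    {"EventCode": 4657, "UtcTime": "2025-10-21 09:01:00",
     "ObjectName": "\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Spooler",
     "ObjectValueName": "ImagePath",
     "NewValue": "\"C:\\Users\\Public\\spoolsv.exe\" -service"},
    {"EventCode": 1, "UtcTime": "2025-10-21 09:03:30",
     "Image": "C:\\Users\\Public\\spoolsv.exe"},
    {"EventCode": 4657, "UtcTime": "2025-10-21 09:10:00",
     "ObjectName": "\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time",
     "ObjectValueName": "ImagePath",
     "NewValue": "C:\\Windows\\System32\\svchost.exe -k LocalService"},  # matches baseline
]

if __name__ == "__main__":
    for hit in abnormal_module_loads(EVENTS):
        print("abnormal module load:", *hit)
    for alert in correlate_drift_to_execution(EVENTS):
        print("service path changed and executed:", *alert)
```

Registry ObjectName values in 4657 events are compared after lower-casing because Windows key paths are case-insensitive; a production version would also normalise ControlSet001 against CurrentControlSet. The W32Time event in the sample changes the value to exactly what the baseline expects and therefore produces no alert, which is the behaviour you want from a baseline comparison rather than a plain "ImagePath was written" rule.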

AN0610

Adversary manipulation of shared library paths, environment variables, or replacement of service binaries. Defender observes suspicious modifications in /etc/ld.so.preload, service config changes, or file writes replacing existing executables.

Log Sources
Data Component | Name | Channel
File Modification (DC0061) | auditd:SYSCALL | open/write syscalls targeting /etc/ld.so.preload or binaries in /usr/bin
Service Metadata (DC0041) | linux:syslog | Service restart with modified executable path
Process Creation (DC0032) | linux:osquery | Process execution with LD_PRELOAD or modified library path

Mutable Elements
Field | Description
MonitoredDirectories | Directories where binary replacement should trigger alerts.
EnvVarMonitors | Environment variables like LD_PRELOAD or PATH to monitor.

AN0611

Abuse of DYLD_INSERT_LIBRARIES or hijacking framework paths for malicious libraries. Defender observes processes invoking abnormal dylibs, modified plist files, or persistence entries pointing to altered binaries.

Log Sources
Data Component | Name | Channel
Process Creation (DC0032) | macos:unifiedlog | Execution of process with DYLD_INSERT_LIBRARIES set
File Modification (DC0061) | macos:unifiedlog | Modified application plist or binary replacement in /Applications
Module Load (DC0016) | macos:unifiedlog | Dylib loaded from abnormal location

Mutable Elements
Field | Description
AllowedDylibPaths | Baseline directories for dylib loading.
PlistMonitors | Specific plist files used for persistence monitoring.