1. Home
  2. Techniques
  3. Enterprise
  4. 劫持执行流

劫持执行流

ID Name
T1574.001 白文件动态内存注入
T1574.002 多级可信服务链劫持
T1574.003 运行时环境变量污染

劫持执行流是攻击者通过操纵操作系统程序执行机制,将恶意代码植入合法进程执行路径的攻击技术,常用于绕过应用白名单、实现持久化或权限提升。传统防御手段主要监控文件系统变更、DLL加载异常和服务配置修改,通过哈希校验、进程行为分析和注册表审计等手段检测异常。

为规避传统检测机制,攻击者发展出内存驻留、信任链寄生和环境伪装等新型劫持技术,将恶意操作融入系统正常执行流,构建"无实体、无痕迹"的攻击范式。这些技术突破传统文件-进程映射关系,在保持系统表象完整性的前提下实现深度隐匿。

现有劫持执行流匿迹技术的核心在于系统信任机制的逆向利用与执行上下文的深度伪造:白文件动态内存注入通过内存操作技术将攻击载荷与合法进程完全融合,利用进程合法性掩盖恶意行为;多级可信服务链劫持构建基于系统服务依赖关系的隐蔽通道,使恶意代码继承系统信任链的安全属性;运行时环境变量污染则通过篡改动态执行环境实现路径解析劫持,将攻击行为伪装成正常的系统配置操作。三类技术的共性在于突破传统文件层对抗模式,聚焦操作系统运行时机制的漏洞利用,通过系统组件的合法交互过程实现攻击载荷的隐蔽投送与执行。

ID: T1574
Sub-techniques:  T1574.001, T1574.002, T1574.003
Platforms: Linux, Windows, macOS
Defense Bypassed: Anti-virus, Application Control
Version: 1.2
Created: 12 March 2020
Last Modified: 21 November 2023

匿迹效应

效应类型 是否存在
特征伪装
行为透明
数据遮蔽
时空释痕

特征伪装

攻击者通过复用合法进程的数字签名、服务依赖链和环境配置参数,将恶意代码特征完全融入系统合法组件。例如白文件注入技术保留宿主进程的完整签名信息,多级服务劫持维持服务注册表项的表面合规性,使得静态检测机制无法识别篡改痕迹。

行为透明

通过深度寄生在系统核心进程或服务中,恶意代码的执行过程与宿主进程的正常业务逻辑完全同步。内存注入代码复用宿主进程的API调用序列,服务劫持攻击继承系统服务的调度策略,使得动态行为分析难以分离异常活动。

数据遮蔽

采用内存加密加载技术,将核心攻击载荷以密文形式存储在注册表项或环境变量中,仅在运行时动态解密执行。部分高级变种利用进程间共享内存或内存映射文件传递加密指令,规避磁盘持久化数据的静态分析。

Procedure Examples

ID Name Description
C0017 C0017

During C0017, APT41 established persistence by loading malicious libraries via modifications to the Import Address Table (IAT) within legitimate Microsoft binaries.[1]

S1105 COATHANGER

COATHANGER will remove and write malicious shared objects associated with legitimate system functions such as read(2).[2]
S1111 DarkGate

DarkGate edits the Registry key HKCU\Software\Classes\mscfile\shell\open\command to execute a malicious AutoIt script.[3] When eventvwr.exe is executed, this will call the Microsoft Management Console (mmc.exe), which in turn references the modified Registry key.
S0354 Denis

Denis replaces the nonexistent Windows DLL "msfte.dll" with its own malicious version, which is loaded by the SearchIndexer.exe and SearchProtocolHost.exe.[4]
S0567 Dtrack

One of Dtrack can replace the normal flow of a program execution with malicious code.[5]
S1147 Nightdoor

Nightdoor uses a legitimate executable to load a malicious DLL file for installation.[6]
C0036 Pikabot Distribution February 2024

Pikabot Distribution February 2024 utilized a tampered legitimate executable, grepWinNP3.exe, for its first stage Pikabot loader, modifying the open-source tool to execute malicious code when launched.[7]
S1130 Raspberry Robin

Raspberry Robin will drop a copy of itself to a subfolder in %Program Data% or %Program Data%\Microsoft\ to attempt privilege elevation and defense evasion if not running in Session 0.[8]
S1018 Saint Bot

Saint Bot will use the malicious file slideshow.mp4 if present to load the core API provided by ntdll.dll to avoid any hooks placed on calls to the original ntdll.dll file by endpoint detection and response or antimalware software.[9]
S0444 ShimRat

ShimRat can hijack the cryptbase.dll within migwiz.exe to escalate privileges and bypass UAC controls.[10]

Mitigations

ID Mitigation Description
M1013 Application Developer Guidance

When possible, include hash values in manifest files to help prevent side-loading of malicious libraries.[11]
M1047 Audit

Use auditing tools capable of detecting hijacking opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for hijacking weaknesses.[12]

Use the program sxstrace.exe that is included with Windows along with manual inspection to check manifest files for side-loading vulnerabilities in software.

Find and eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate.

Clean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries. Periodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations.[13][14][15]
M1040 Behavior Prevention on Endpoint

Some endpoint security solutions can be configured to block some types of behaviors related to process injection/memory tampering based on common sequences of indicators (ex: execution of specific API functions).
M1038 Execution Prevention

Adversaries may use new payloads to execute this technique. Identify and block potentially malicious software executed through hijacking by using application control solutions also capable of blocking libraries loaded by legitimate software.
M1022 Restrict File and Directory Permissions

Install software in write-protected locations. Set directory access controls to prevent file writes to the search paths for applications, both in the folders where applications are run from and the standard library folders.
M1044 Restrict Library Loading

Disallow loading of remote DLLs. This is included by default in Windows Server 2012+ and is available by patch for XP+ and Server 2003+.

Enable Safe DLL Search Mode to force search for system DLLs in directories with greater restrictions (e.g. %SYSTEMROOT%)to be used before local directory DLLs (e.g. a user's home directory)

The Safe DLL Search Mode can be enabled via Group Policy at Computer Configuration > [Policies] > Administrative Templates > MSS (Legacy): MSS: (SafeDllSearchMode) Enable Safe DLL search mode. The associated Windows Registry key for this is located at HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDLLSearchMode[16][17]
M1024 Restrict Registry Permissions

Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.
M1051 Update Software

Update software regularly to include patches that fix DLL side-loading vulnerabilities.
M1052 User Account Control

Turn off UAC's privilege elevation for standard users [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] to automatically deny elevation requests, add: "ConsentPromptBehaviorUser"=dword:00000000. Consider enabling installer detection for all users by adding: "EnableInstallerDetection"=dword:00000001. This will prompt for a password for installation and also log the attempt. To disable installer detection, instead add: "EnableInstallerDetection"=dword:00000000. This may prevent potential elevation of privileges through exploitation during the process of UAC detecting the installer, but will allow the installation process to continue without being logged. [18]
M1018 User Account Management

Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able.

Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\Windows\, to reduce places where malicious files could be placed for execution.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may execute their own malicious payloads by hijacking the way operating systems run programs.
DS0022 File File Creation

Monitor for newly constructed files that may execute their own malicious payloads by hijacking the way operating systems run programs.
File Modification

Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Modifications to or creation of .manifest and .local redirection files that do not correlate with software updates are suspicious.
DS0011 Module Module Load

Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths.
DS0009 Process Process Creation

Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so, abnormal process call trees). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.
DS0019 Service Service Metadata

Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.
DS0024 Windows Registry Windows Registry Key Modification

Monitor for changes made to windows registry keys and/or values that may execute their own malicious payloads by hijacking the way operating systems run programs.

References

  1. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
  2. Dutch Military Intelligence and Security Service (MIVD) & Dutch General Intelligence and Security Service (AIVD). (2024, February 6). Ministry of Defense of the Netherlands uncovers COATHANGER, a stealthy Chinese FortiGate RAT. Retrieved February 7, 2024.
  3. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
  4. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  5. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.
  6. Threat Hunter Team. (2024, July 23). Daggerfly: Espionage Group Makes Major Update to Toolset. Retrieved July 25, 2024.
  7. Daniel Stepanic & Salim Bitam. (2024, February 23). PIKABOT, I choose you!. Retrieved July 12, 2024.
  8. Christopher So. (2022, December 20). Raspberry Robin Malware Targets Telecom, Governments. Retrieved May 17, 2024.
  9. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  1. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  2. Amanda Steward. (2014). FireEye DLL Side-Loading: A Thorn in the Side of the Anti-Virus Industry. Retrieved March 13, 2020.
  3. PowerSploit. (n.d.). Retrieved December 4, 2014.
  4. Microsoft. (n.d.). CreateProcess function. Retrieved September 12, 2024.
  5. Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved July 25, 2016.
  6. Kanthak, S.. (2016, July 20). Vulnerability and Exploit Detector. Retrieved February 3, 2017.
  7. Microsoft. (2010, August 12). More information about the DLL Preloading remote attack vector. Retrieved December 5, 2014.
  8. Microsoft. (2018, May 31). Dynamic-Link Library Search Order. Retrieved November 30, 2014.
  9. Stefan Kanthak. (2015, December 8). Executable installers are vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation of privilege. Retrieved December 4, 2014.