πŸ““
πŸ““
πŸ““
πŸ““
Red Team Notes 2.0
Search…
πŸ““
πŸ““
πŸ““
πŸ““
Red Team Notes 2.0
Introduction
Red Team
Red Team Techniques
Initial Access
Execution
Persistence
T1574: Hijack Execution Flow
Service File permissions Weakness
Path Interception by Unquoted Path
Path Interception by Search Order Hijacking
Path Interception by PATH Environment Variable
Executable Installer File Permissions Weakness
DLL Side-Loading
DLL Search Order Hijacking
T1133:External Remote Services
T1546:Event Triggered Execution
T1543:Create or Modify System Process
T1136: Create Account
T1554:Compromise Client Software Binary
T1547:Boot or Logon AutoStart Execution
T1197: BITS Jobs
T1053: Scheduled Tasks/Job
T1098: Account Manipulation
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Active Directory
Active Directory
Active Directory Attacks
Red Team Infrastructure
RED TEAM INFRASTRUCTURE
Domain Name and Categorization
Reconnaissance
Weaponization
Delivery
Situational Awareness
Credential Dumping
Persistence
Defense Evasion
Privilege Escalation
Lateral Movement
Powered By GitBook
T1574: Hijack Execution Flow
Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.
There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.
Red Team Techniques - Previous
Persistence
Next
Service File permissions Weakness
Last modified 1yr ago
Copy link