MITRE ATT&CK Technique
Persistence T1574
Description

Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution. There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.

Supported Platforms
Linux macOS Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data 
{'created': '2020-03-12T20:38:12.465Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may execute their own malicious payloads by '
                'hijacking the way operating systems run programs. Hijacking '
                'execution flow can be for the purposes of persistence, since '
                'this hijacked execution may reoccur over time. Adversaries '
                'may also use these mechanisms to elevate privileges or evade '
                'defenses, such as application control or other restrictions '
                'on execution.\n'
                '\n'
                'There are many ways an adversary may hijack the flow of '
                'execution, including by manipulating how the operating system '
                'locates programs to be executed. How the operating system '
                'locates libraries to be used by a program can also be '
                'intercepted. Locations where the operating system looks for '
                'programs/resources, such as file directories and in the case '
                'of Windows the Registry, could also be poisoned to include '
                'malicious payloads.',
 'external_references': [{'external_id': 'T1574',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1574'},
                         {'description': 'Mark Russinovich. (2019, June 28). '
                                         'Autoruns for Windows v13.96. '
                                         'Retrieved March 13, 2020.',
                          'source_name': 'Autoruns for Windows',
                          'url': 'https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns'}],
 'id': 'attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'persistence'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'privilege-escalation'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'}],
 'modified': '2025-10-24T17:49:13.820Z',
 'name': 'Hijack Execution Flow',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux', 'macOS', 'Windows'],
 'x_mitre_version': '1.3'}
Quick Actions
Edit TTP Update from Web
Related Threat Actors (6)
AppleJeus
High
APT19
High
APT-C-36
High
APT3
High
APT32
High
View All 6 Actors
Back to TTPs
Dashboard About