MITRE ATT&CK® Detection Strategy

DET0218: Detection Strategy for Hijack Execution Flow across OS platforms.

Domain: Enterprise | ID: DET0218 | Type: Detection Strategy | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0218 is a MITRE detection strategy for behavior related to Hijack Execution Flow (T1574), where adversaries cause the operating system to run their payload by abusing how programs and libraries are located or launched. For leaders, the practical issue is trust in execution: if attackers can alter what runs when normal software starts, they may gain stealthy execution, persistence, or privilege escalation, and may bypass intended controls on Windows, macOS, and Linux.

Executive priority

Treat this as a validation point for endpoint resilience and incident readiness, not as a single alert. Security leaders should ask whether the organization can prove which files, paths, configurations, and privilege changes control program execution, and whether SOC teams can distinguish legitimate software behavior from suspicious execution-flow changes. This matters for business continuity because hijacked execution can recur over time and may undermine application control, least privilege, and audit confidence.

Technical view

The supplied ATT&CK object has no official detection text, platforms, or tactics of its own, but it detects T1574, which ATT&CK maps to persistence, privilege escalation, and defense evasion on Linux, macOS, and Windows. SOC and detection engineering teams should validate telemetry around process starts and parent-child relationships, executable and library loading, and modifications to the locations or settings that determine how the OS finds and runs programs (search paths, library load paths, service and launch configurations). IR teams should treat suspicious execution-flow changes as potential persistence or defense-evasion evidence and scope for repeated launches from otherwise trusted software paths.

Likely telemetry

  • Endpoint process creation and command-line metadata
  • Parent-child process relationships and process lineage
  • File creation, modification, replacement, and permission changes in executable or load-relevant locations
  • Library/module load events where available
  • Operating system configuration changes that affect program search, launch, or autoload behavior

Detection direction

  • Because MITRE provides no official detection logic for DET0218, validate coverage against the related technique T1574 rather than assuming a ready-made analytic exists.
  • Baseline normal software update, installer, and administrative activity to reduce false positives from legitimate changes to executable paths, libraries, or launch configurations.
  • Correlate modification events with later process execution from the affected application or path; the relationship between change and subsequent launch is often more useful than either event alone.
  • Review blind spots on non-Windows endpoints as the related technique spans Linux, macOS, and Windows; confirm equivalent telemetry exists across supported operating systems.
  • Tune for suspicious changes by unexpected users, processes, or locations, especially where changes affect trusted applications or recurring execution points.
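
The correlation described in the list above (a modification event in a load-relevant location, followed by execution or a module load from the same path, with a baseline of trusted writers and a bounded time window), as an added example in Python. This is illustration code written for this page, not part of MITRE ATT&CK or the Glexia library; the watched prefixes, trusted writer images, event layout and the sample event stream are constructed assumptions, not real telemetry.

```python
"""Correlate writes in load-relevant locations with later execution or
module loads from the same path.

Added illustration for this page; not MITRE ATT&CK or Glexia code. The
watched prefixes, trusted-writer list, window and event layout are assumed.
"""
from dataclasses import dataclass

# Locations whose contents change what the OS locates or launches.
# Assumed for illustration; derive the real list from your OS baseline.
WATCHED_PREFIXES = ("/opt/acme/lib/", "/opt/acme/bin/",
                    "/etc/ld.so.conf.d/", "/usr/local/bin/")

# Images expected to write there (package manager, vendor updater). This is
# the baseline that suppresses legitimate update noise. Assumed values.
TRUSTED_WRITERS = {"/usr/bin/dpkg", "/usr/bin/rpm", "/opt/acme/bin/acme-updater"}

WINDOW_SECONDS = 3600  # how long a suspicious write stays "live"


@dataclass(frozen=True)
class Alert:
    path: str          # file that was modified and then ran or was loaded
    written_by: str    # image that wrote it
    writer_user: str
    write_ts: int
    executed_as: str   # image that ran or loaded the path
    exec_user: str
    exec_ts: int
    kind: str          # "process_start" or "image_load"

    @property
    def crosses_user(self):
        """True when code written by one account runs under another."""
        return self.writer_user != self.exec_user


def in_watched_location(path):
    return any(path.startswith(p) for p in WATCHED_PREFIXES)


def correlate(events, window=WINDOW_SECONDS):
    """events: dicts with a 'type' of
         file_write    {ts, path, writer, user}
         process_start {ts, image, parent, user}
         image_load    {ts, module, image, user}
    Returns Alerts in time order. Every later launch or load of a still
    pending path alerts again, since recurrence is itself a signal."""
    pending = {}   # path -> most recent untrusted write in a watched location
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "file_write":
            if in_watched_location(ev["path"]) and ev["writer"] not in TRUSTED_WRITERS:
                pending[ev["path"]] = ev
            else:
                # trusted writer replaced the content, or the path is not tracked
                pending.pop(ev["path"], None)
            continue
        if ev["type"] == "process_start":
            path, kind = ev["image"], "process_start"
        elif ev["type"] == "image_load":
            path, kind = ev["module"], "image_load"
        else:
            continue
        write = pending.get(path)
        if write is None:
            continue
        if ev["ts"] - write["ts"] > window:
            del pending[path]   # stale: stop tracking so old writes do not fire forever
            continue
        alerts.append(Alert(path, write["writer"], write["user"], write["ts"],
                            ev["image"], ev["user"], ev["ts"], kind))
    return alerts


# Constructed sample stream (not real telemetry).
SAMPLE_EVENTS = [
    # legitimate package update: trusted writer, later load -> no alert
    {"type": "file_write", "ts": 100, "path": "/opt/acme/lib/libnet.so", "writer": "/usr/bin/dpkg", "user": "root"},
    {"type": "image_load", "ts": 160, "module": "/opt/acme/lib/libnet.so", "image": "/opt/acme/bin/acmed", "user": "root"},
    # shell writes into the library dir, then the root service loads it -> alert
    {"type": "file_write", "ts": 1000, "path": "/opt/acme/lib/libhelper.so", "writer": "/bin/bash", "user": "www-data"},
    {"type": "image_load", "ts": 1300, "module": "/opt/acme/lib/libhelper.so", "image": "/opt/acme/bin/acmed", "user": "root"},
    # untrusted write to a search-path script, run by cron as root -> alert
    {"type": "file_write", "ts": 2000, "path": "/usr/local/bin/backup.sh", "writer": "/usr/bin/python3", "user": "deploy"},
    {"type": "process_start", "ts": 2500, "image": "/usr/local/bin/backup.sh", "parent": "/usr/sbin/cron", "user": "root"},
    # write outside watched locations -> ignored
    {"type": "file_write", "ts": 3000, "path": "/home/deploy/notes.txt", "writer": "/usr/bin/vim", "user": "deploy"},
    # execution far outside the window -> no alert
    {"type": "file_write", "ts": 4000, "path": "/usr/local/bin/stale", "writer": "/bin/bash", "user": "deploy"},
    {"type": "process_start", "ts": 4000 + WINDOW_SECONDS + 1, "image": "/usr/local/bin/stale", "parent": "/bin/bash", "user": "deploy"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"{a.kind}: {a.path} written by {a.written_by} ({a.writer_user}) at {a.write_ts}, "
              f"run/loaded by {a.executed_as} as {a.exec_user} at {a.exec_ts}, "
              f"user boundary crossed={a.crosses_user}")
```

Two of the five write events produce alerts: the library written by an interactive shell as `www-data` and loaded by the root service, and the search-path script written by an unprivileged account and executed by cron as root. The `crosses_user` flag is the cheap signal for the privilege-escalation angle; the trusted-writer set is where installer and update noise is tuned out.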

Mitigation priorities

  • Prioritize least privilege and strict write permissions on directories, files, and settings that influence program execution.
  • Harden software deployment and change-management processes so legitimate updates are attributable and auditable.
  • Use application control or execution policy controls where appropriate, while validating that they cannot be bypassed through execution-flow manipulation.
  • Ensure endpoint logging and retention are sufficient to reconstruct both the modification event and the later execution event.
  • Include execution-flow hijack scenarios in incident response playbooks and tabletop exercises so responders know how to scope persistence and defense-evasion risk.
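
A check for the first mitigation bullet above (write permissions on the directories the OS searches for executables and libraries), as an added example in Python; it is not MITRE or Glexia code. It assumes a POSIX host where PATH and LD_LIBRARY_PATH are the search variables of interest, and the fake filesystem and environment inside the block are constructed so the audit runs offline. Run stand-alone it audits the real PATH and LD_LIBRARY_PATH of the current process.

```python
"""Audit the directories searched for executables and shared libraries for
permissions that let a non-root user plant or replace code.

Added example for this page, not MITRE or Glexia code. SEARCH_VARS and the
suggested remediation commands assume a POSIX host; the fake filesystem and
environment below are constructed test data.
"""
import os
import stat
from types import SimpleNamespace

# Environment variables whose elements are searched in order. Assumed set.
SEARCH_VARS = ("PATH", "LD_LIBRARY_PATH")


def entries_from_env(environ, stat_fn=os.stat):
    """Expand the search variables into (var, position, path, mode, uid) rows.
    Missing directories are kept with mode/uid None so they still surface."""
    rows = []
    for var in SEARCH_VARS:
        for pos, raw in enumerate(environ.get(var, "").split(os.pathsep)):
            if raw == "":
                if var in environ:  # an empty element means the current directory
                    rows.append((var, pos, raw, None, None))
                continue
            try:
                st = stat_fn(raw)
                rows.append((var, pos, raw, st.st_mode, st.st_uid))
            except FileNotFoundError:
                rows.append((var, pos, raw, None, None))
    return rows


def risky_search_dirs(rows):
    """Return (var, path, reason, remediation) for entries a non-root user
    could write to, or that resolve relative to the caller. A world-writable
    search directory is flagged even with the sticky bit set, because
    creating a new file there is enough to plant a binary."""
    findings = []
    for var, _pos, path, mode, uid in rows:
        if path in ("", "."):
            findings.append((var, path, "relative entry resolves to the current directory",
                             f"remove the empty or '.' element from {var}"))
            continue
        if mode is None:
            findings.append((var, path, "directory does not exist (creatable by whoever can write its parent)",
                             f"remove {path} from {var} or create it root-owned with mode 0755"))
            continue
        if not stat.S_ISDIR(mode):
            findings.append((var, path, "entry is not a directory", f"remove {path} from {var}"))
            continue
        if mode & stat.S_IWOTH:
            findings.append((var, path, "world-writable", f"chmod o-w {path}"))
        elif mode & stat.S_IWGRP:
            findings.append((var, path, "group-writable", f"chmod g-w {path}"))
        if uid != 0:
            findings.append((var, path, f"owned by uid {uid}, not root", f"chown root {path}"))
    return findings


# Constructed fake filesystem and environment for an offline run.
FAKE_FS = {
    "/home/deploy/bin": (stat.S_IFDIR | 0o755, 1001),  # user-owned, first in PATH
    "/opt/acme/bin":    (stat.S_IFDIR | 0o777, 0),     # world-writable
    "/usr/local/bin":   (stat.S_IFDIR | 0o755, 0),
    "/usr/bin":         (stat.S_IFDIR | 0o755, 0),
    "/opt/acme/lib":    (stat.S_IFDIR | 0o775, 0),     # group-writable
}
SAMPLE_ENV = {
    "PATH": "/home/deploy/bin:/opt/acme/bin:/usr/local/bin:/usr/bin:",  # trailing empty element
    "LD_LIBRARY_PATH": "/opt/acme/lib:/opt/missing/lib",
}


def fake_stat(path):
    if path not in FAKE_FS:
        raise FileNotFoundError(path)
    mode, uid = FAKE_FS[path]
    return SimpleNamespace(st_mode=mode, st_uid=uid)


def audit(environ, stat_fn=os.stat):
    return risky_search_dirs(entries_from_env(environ, stat_fn))


if __name__ == "__main__":
    for var, path, reason, fix in audit(os.environ):
        print(f"{var}: {path!r}: {reason}; fix: {fix}")
```

Against the constructed environment the audit reports five findings: the user-owned directory at the front of PATH, the world-writable vendor bin directory, the trailing empty PATH element, the group-writable library directory, and the library directory that does not exist. A clean PATH of root-owned 0755 directories reports nothing.
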

Analyst notes and limits

This take is based on DET0218 and its stated relationship to T1574. The detection strategy object itself does not include an official description or detection guidance, so recommendations are framed as validation questions and telemetry priorities derived from the related ATT&CK technique context.

No active exploitation, actor attribution, specific sub-techniques, vendor detections, or guaranteed coverage are provided in the supplied ATT&CK fields. Local operating systems, endpoint tooling, logging depth, and software inventory are required to determine practical detection and control coverage.

Official MITRE ATT&CK definition

Detection Strategy for Hijack Execution Flow across OS platforms.

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain      ID     Name                   Relationship / procedure
Enterprise  T1574  Hijack Execution Flow  This object detects Hijack Execution Flow.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (no value in the mirrored object)
Modified: (no value in the mirrored object)
Raw hash: 68c171dc192b074d...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1     (none recorded)  1.0             (none)    Current bundle  68c171dc192b…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack: DET0218

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.