T1546 Event Triggered Execution
Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems provide ways to monitor and subscribe to events such as logons or other user activity, including the launch of specific applications or binaries. Cloud environments may also support functions and services that monitor for specific cloud events and can be invoked in response to them.[4][5][2]
Adversaries may abuse these mechanisms to maintain persistent access to a victim by repeatedly executing malicious code. After gaining access to a victim system, adversaries may create or modify event triggers so that they point to malicious content, which is then executed every time the trigger fires.[1][6][3]
Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges.
Item | Value |
---|---|
ID | T1546 |
Sub-techniques | T1546.001, T1546.002, T1546.003, T1546.004, T1546.005, T1546.006, T1546.007, T1546.008, T1546.009, T1546.010, T1546.011, T1546.012, T1546.013, T1546.014, T1546.015, T1546.016 |
Tactics | TA0004, TA0003 |
Platforms | IaaS, Linux, Office 365, SaaS, Windows, macOS |
Version | 1.2 |
Created | 22 January 2020 |
Last Modified | 19 October 2022 |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0025 | Cloud Service | Cloud Service Modification |
DS0017 | Command | Command Execution |
DS0022 | File | File Creation |
DS0011 | Module | Module Load |
DS0009 | Process | Process Creation |
DS0024 | Windows Registry | Windows Registry Key Modification |
DS0005 | WMI | WMI Creation |
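As an added defender-side example (not part of the ATT&CK page itself), the following Python shows how the WMI Creation data component can be turned into a finding: a permanent WMI subscription only becomes active once a binding links a filter (the trigger) to a consumer (the action), so the binding event is used as the anchor and the filter and consumer details are joined in. The sample records and their field names are constructed, modelled on Sysmon event IDs 19, 20 and 21 (an assumption about the collector's output format).

```python
"""Correlate WMI filter / consumer / binding events into persistence findings."""
import re

# Consumer classes that run attacker-controlled code when their filter fires.
CODE_RUNNING_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}

# Constructed sample records modelled on Sysmon event IDs 19 (filter),
# 20 (consumer) and 21 (binding); field names are an assumption.
SAMPLE_EVENTS = [
    {"EventID": 19, "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Name": "UpdaterFilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
              "TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Name": "UpdaterConsumer", "Type": "Command Line",
     "Destination": "powershell.exe -NoP -File C:\\Users\\Public\\u.ps1"},
    {"EventID": 21, "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Consumer": 'CommandLineEventConsumer.Name="UpdaterConsumer"',
     "Filter": '__EventFilter.Name="UpdaterFilter"'},
    # Benign, stock binding shipped with Windows: must not be flagged.
    {"EventID": 21, "Operation": "Created", "User": "CORP\\admin",
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
]

_REF = re.compile(r'^(\w+)\.Name="(.*)"$')


def _split_ref(ref):
    """'CommandLineEventConsumer.Name="X"' -> ('CommandLineEventConsumer', 'X')."""
    m = _REF.match(ref)
    return (m.group(1), m.group(2)) if m else ("?", ref)


def find_wmi_persistence(events):
    """Return one finding per new binding whose consumer executes code."""
    filters = {e["Name"]: e for e in events if e.get("EventID") == 19}
    consumers = {e["Name"]: e for e in events if e.get("EventID") == 20}
    findings = []
    for e in events:
        if e.get("EventID") != 21 or e.get("Operation") != "Created":
            continue
        cls, cname = _split_ref(e["Consumer"])
        _, fname = _split_ref(e["Filter"])
        if cls not in CODE_RUNNING_CONSUMERS:
            continue  # e.g. NTEventLogEventConsumer only writes an event log entry
        findings.append({
            "user": e.get("User"),
            "consumer_class": cls,
            # Filter/consumer may predate the log window; say so instead of guessing.
            "trigger": filters.get(fname, {}).get("Query", "<filter not in log>"),
            "action": consumers.get(cname, {}).get("Destination", "<consumer not in log>"),
        })
    return findings
```

Running `find_wmi_persistence(SAMPLE_EVENTS)` yields a single finding for the command-line consumer, with the WQL trigger and the command it runs, while the stock event-log binding is ignored.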
References
- [1] Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.
- [2] Berk Veral. (2020, March 9). Real-life cybercrime stories from DART, the Microsoft Detection and Response Team. Retrieved May 27, 2022.
- [3] Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018.
- [4] Daniel Grzelak. (2016, July 9). Backdooring an AWS account. Retrieved May 27, 2022.
- [5] Eric Saraga. (2022, February 2). Using Power Automate for Covert Data Exfiltration in Microsoft 365. Retrieved May 27, 2022.
- [6] Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. Retrieved July 10, 2017.