T1546 Event Triggered Execution
Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems provide means to monitor and subscribe to events such as logons, or other user activity such as running specific applications/binaries.
Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.[1][2][3]
Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges.
Item | Value |
---|---|
ID | T1546 |
Sub-techniques | T1546.001, T1546.002, T1546.003, T1546.004, T1546.005, T1546.006, T1546.007, T1546.008, T1546.009, T1546.010, T1546.011, T1546.012, T1546.013, T1546.014, T1546.015 |
Tactics | TA0004, TA0003 |
Platforms | Linux, Windows, macOS |
Version | 1.1 |
Created | 22 January 2020 |
Last Modified | 08 February 2022 |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Creation |
DS0011 | Module | Module Load |
DS0009 | Process | Process Creation |
DS0024 | Windows Registry | Windows Registry Key Modification |
DS0005 | WMI | WMI Creation |
References
1. Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.
2. Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. Retrieved July 10, 2017.
3. Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018.