Description
Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.(Citation: Backdooring an AWS account)(Citation: Varonis Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001)
Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.(Citation: FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware)
Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges.
Platforms
Sub-Techniques (18)
Change Default File Association
T1546.002Screensaver
T1546.003Windows Management Instrumentation Event Subscription
T1546.004Unix Shell Configuration Modification
T1546.005Trap
T1546.006LC_LOAD_DYLIB Addition
T1546.007Netsh Helper DLL
T1546.008Accessibility Features
T1546.009AppCert DLLs
T1546.010AppInit DLLs
T1546.011Application Shimming
T1546.012Image File Execution Options Injection
T1546.013PowerShell Profile
T1546.014Emond
T1546.015Component Object Model Hijacking
T1546.016Installer Packages
T1546.017Udev Rules
T1546.018Python Startup Hooks
Mitigations (2)
Privileged Account ManagementM1026
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.
Update SoftwareM1051
Perform regular software updates to mitigate exploitation risk.
Associated Software (3)
| ID | Name | Type | Context |
|---|---|---|---|
| S1091 | Pacu | Tool | [Pacu](https://attack.mitre.org/software/S1091) can set up S3 bucket notifications to trigger a malicious Lambda function when a CloudFormation templa... |
| S1164 | UPSTYLE | Malware | [UPSTYLE](https://attack.mitre.org/software/S1164) creates a `.pth` file beginning with the text `import` so that any time another process or script a... |
| S0658 | XCSSET | Malware | [XCSSET](https://attack.mitre.org/software/S0658)'s `dfhsebxzod` module searches for `.xcodeproj` directories within the user’s home folder and subdir... |
References
- Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.
- Berk Veral. (2020, March 9). Real-life cybercrime stories from DART, the Microsoft Detection and Response Team. Retrieved May 27, 2022.
- Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018.
- Daniel Grzelak. (2016, July 9). Backdooring an AWS account. Retrieved May 27, 2022.
- Eric Saraga. (2022, February 2). Using Power Automate for Covert Data Exfiltration in Microsoft 365. Retrieved May 27, 2022.
- Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. Retrieved July 10, 2017.
Frequently Asked Questions
What is T1546 (Event Triggered Execution)?
T1546 is a MITRE ATT&CK technique named 'Event Triggered Execution'. It belongs to the Privilege Escalation, Persistence tactic(s). Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe t...
How can T1546 be detected?
Detection of T1546 (Event Triggered Execution) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1546?
There are 2 documented mitigations for T1546. Key mitigations include: Privileged Account Management, Update Software.
Which threat groups use T1546?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.