Event Triggered Execution (T1546)

Tactics: Privilege Escalation, Persistence · Platforms: Linux, macOS, Windows, SaaS, IaaS, Office Suite

The interactive view maps 1 detection strategy, 2 mitigations, 3 software entries, 1 campaign to this technique, alongside D3FEND countermeasures and data-component coverage.

Overview

Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.

Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.

Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges.

Sub-techniques

Explore