Event Triggered Execution (T1546)
Tactics: Privilege Escalation, Persistence · Platforms: Linux, macOS, Windows, SaaS, IaaS, Office Suite
The interactive view maps 1 detection strategy, 2 mitigations, 3 software entries, 1 campaign to this technique, alongside D3FEND countermeasures and data-component coverage.
Overview
Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.
Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.
Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges.
Sub-techniques
- Change Default File Association (T1546.001)
- Screensaver (T1546.002)
- Windows Management Instrumentation Event Subscription (T1546.003)
- Unix Shell Configuration Modification (T1546.004)
- Trap (T1546.005)
- LC_LOAD_DYLIB Addition (T1546.006)
- Netsh Helper DLL (T1546.007)
- Accessibility Features (T1546.008)
- AppCert DLLs (T1546.009)
- AppInit DLLs (T1546.010)
- Application Shimming (T1546.011)
- Image File Execution Options Injection (T1546.012)
- PowerShell Profile (T1546.013)
- Emond (T1546.014)
- Component Object Model Hijacking (T1546.015)
- Installer Packages (T1546.016)
- Udev Rules (T1546.017)
- Python Startup Hooks (T1546.018)