T1546 Event Triggered Execution

Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.(Citation: Backdooring an AWS account)(Citation: Varonis Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001)

Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.(Citation: FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware)

Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges.

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.AA-05.02 Privileged system access Mitigates T1546 Event Triggered Execution
Comments
This diagnostic statement protects against Event Triggered Execution through the use of privileged account management and the use of multi-factor authentication.
References
    PR.PS-02.01 Patch identification and application Mitigates T1546 Event Triggered Execution
    Comments
    This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, performing regular software updates can mitigate potential event triggered execution exploitation risks.
    References
      PR.PS-01.03 Configuration deviation Mitigates T1546 Event Triggered Execution
      Comments
      This diagnostic statement provides protection from Event Triggered Execution through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
      References
        PR.IR-01.03 Network communications integrity and availability Mitigates T1546 Event Triggered Execution
        Comments
        This diagnostic statement protects against Event Triggered Execution through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
        References
          PR.IR-01.05 Remote access protection Mitigates T1546 Event Triggered Execution
          Comments
          This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
          References
            PR.IR-01.06 Production environment segregation Mitigates T1546 Event Triggered Execution
            Comments
            This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
            References
              PR.AA-01.01 Identity and credential management Mitigates T1546 Event Triggered Execution
              Comments
              This diagnostic statement protects against Event Triggered Execution through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
              References
                PR.PS-01.08 End-user device protection Mitigates T1546 Event Triggered Execution
                Comments
                This diagnostic statement protects against Event Triggered Execution through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
                References

                  NIST 800-53 Mappings

                  Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                  CM-06 Configuration Settings mitigates T1546 Event Triggered Execution
                  IA-09 Service Identification and Authentication mitigates T1546 Event Triggered Execution
                  SI-02 Flaw Remediation mitigates T1546 Event Triggered Execution
                  SI-07 Software, Firmware, and Information Integrity mitigates T1546 Event Triggered Execution
                  CM-02 Baseline Configuration mitigates T1546 Event Triggered Execution
                  AC-02 Account Management mitigates T1546 Event Triggered Execution
                  AC-03 Access Enforcement mitigates T1546 Event Triggered Execution
                  AC-06 Least Privilege mitigates T1546 Event Triggered Execution
                  CM-03 Configuration Change Control mitigates T1546 Event Triggered Execution

                  Azure Mappings

                  Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                  microsoft_sentinel Microsoft Sentinel technique_scores T1546 Event Triggered Execution
                  Comments
                  This control can identify one of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.
                  References
                  file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring technique_scores T1546 Event Triggered Execution
                  Comments
                  The detection score for this technique was assessed as Partial because it doesn't detect some of the sub-techniques of this technique such as Windows Management Instrumentation (WMI) Event Subscription and Trap sub-techniques. Additionally for some sub-techniques, this control can be noisy.
                  References
                  ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations technique_scores T1546 Event Triggered Execution
                  Comments
                  This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal.
                  References
                  alerts_for_windows_machines Alerts for Windows Machines technique_scores T1546 Event Triggered Execution
                  Comments
                  This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
                  References

                  GCP Mappings

                  Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                  google_secops Google Security Operations technique_scores T1546 Event Triggered Execution
                  Comments
                  Google Security Ops is able to trigger an alert based on manipulation of default programs. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/mitre_attack/T1546_001_windows_change_default_file_association.yaral
                  References

                  M365 Mappings

                  Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                  PUR-AUS-E5 Audit Solutions Technique Scores T1546 Event Triggered Execution
                  Comments
                  Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization. Microsoft's Audit Solutions detects Event Triggered Execution attacks due to the File and Page Audit Log activities which monitors for newly constructed files, for contextual data about files, and for changes made to files. License Requirements: Microsoft 365 E3 and E5
                  References
                  DEF-SSCO-E3 Secure Score Technique Scores T1546 Event Triggered Execution
                  Comments
                  Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal. Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action. To help you find the information you need more quickly, Microsoft recommended actions are organized into groups: Identity (Microsoft Entra accounts & roles) Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices) Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps) Data (through Microsoft Information Protection)
                  References
                  DEF-ATH-E5 Advanced Threat Hunting Technique Scores T1546 Event Triggered Execution
                  Comments
                  Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch. Advanced Threat Hunting Detects Event-Triggered Execution attacks due to the DeviceFileEvents table in the advanced hunting schema which contains information about file creation, modification, and other file events. License Requirements: Microsoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365 plan 2
                  References
                  PUR-INPR-E5 Information Protection Technique Scores T1546 Event Triggered Execution
                  Comments
                  Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. Information Protection Detects Event Triggered Execution attacks due to Information Protection Detecting when certain files that belong to a specific user group are being accessed excessively by a user who is not part of the group, which could be a potential insider threat. License Requirements: Microsoft Defender for Office 365 plan 1 and plan 2
                  References

                  ATT&CK Subtechniques