T1546 Event Triggered Execution

Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.(Citation: Backdooring an AWS account)(Citation: Varonis Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001)

Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.(Citation: FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware)

Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges.

View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CM-06 Configuration Settings mitigates T1546 Event Triggered Execution
IA-09 Service Identification and Authentication mitigates T1546 Event Triggered Execution
SI-02 Flaw Remediation mitigates T1546 Event Triggered Execution
SI-07 Software, Firmware, and Information Integrity mitigates T1546 Event Triggered Execution
CM-02 Baseline Configuration mitigates T1546 Event Triggered Execution
AC-02 Account Management mitigates T1546 Event Triggered Execution
AC-03 Access Enforcement mitigates T1546 Event Triggered Execution
AC-06 Least Privilege mitigates T1546 Event Triggered Execution
CM-03 Configuration Change Control mitigates T1546 Event Triggered Execution

Azure Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring technique_scores T1546 Event Triggered Execution
Comments
The detection score for this technique was assessed as Partial because it doesn't detect some of the sub-techniques of this technique such as Windows Management Instrumentation (WMI) Event Subscription and Trap sub-techniques. Additionally for some sub-techniques, this control can be noisy.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations technique_scores T1546 Event Triggered Execution
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal.
References
alerts_for_windows_machines Alerts for Windows Machines technique_scores T1546 Event Triggered Execution
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
google_secops Google Security Operations technique_scores T1546 Event Triggered Execution
Comments
Google Security Ops is able to trigger an alert based on manipulation of default programs. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/mitre_attack/T1546_001_windows_change_default_file_association.yaral
References

ATT&CK Subtechniques