Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries.
Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.(Citation: FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware)
Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-2 | Baseline Configuration | Protects | T1546 | Event Triggered Execution | |
| CM-6 | Configuration Settings | Protects | T1546 | Event Triggered Execution | |
| IA-9 | Service Identification and Authentication | Protects | T1546 | Event Triggered Execution | |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1546 | Event Triggered Execution | |
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1546 | Event Triggered Execution |
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
| azure_security_center_recommendations | Azure Security Center Recommendations | technique_scores | T1546 | Event Triggered Execution |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal.
References
|
| azure_sentinel | Azure Sentinel | technique_scores | T1546 | Event Triggered Execution |
Comments
This control can identify one of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.
References
|
| file_integrity_monitoring | File Integrity Monitoring | technique_scores | T1546 | Event Triggered Execution |
Comments
The detection score for this technique was assessed as Partial because it doesn't detect some of the sub-techniques of this technique such as Windows Management Instrumentation (WMI) Event Subscription and Trap sub-techniques. Additionally for some sub-techniques, this control can be noisy.
References
|