T1546 Event Triggered Execution Mappings

Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries.

Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.(Citation: FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware)

Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges.

View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CM-2 Baseline Configuration Protects T1546 Event Triggered Execution
CM-6 Configuration Settings Protects T1546 Event Triggered Execution
IA-9 Service Identification and Authentication Protects T1546 Event Triggered Execution
SI-7 Software, Firmware, and Information Integrity Protects T1546 Event Triggered Execution

CVE Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CVE-2012-0158 n/a uncategorized T1546 Event Triggered Execution

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.hacking.variety.XML injection XML injection. Child of 'Exploit vuln'. related-to T1546 Event Triggered Execution
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1546 Event Triggered Execution
action.malware.variety.Backdoor Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' related-to T1546 Event Triggered Execution
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546 Event Triggered Execution

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1546.008 Accessibility Features 7
T1546.009 AppCert DLLs 4
T1546.010 AppInit DLLs 6
T1546.011 Application Shimming 3
T1546.001 Change Default File Association 1
T1546.015 Component Object Model Hijacking 1
T1546.014 Emond 7
T1546.012 Image File Execution Options Injection 1
T1546.006 LC_LOAD_DYLIB Addition 15
T1546.007 Netsh Helper DLL 1
T1546.013 PowerShell Profile 11
T1546.002 Screensaver 10
T1546.005 Trap 1
T1546.004 Unix Shell Configuration Modification 9
T1546.003 Windows Management Instrumentation Event Subscription 8