T1546: Event Triggered Execution

Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.

Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.

Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_privilege_escalation: PT-CR-1353: PrivEsc_Via_Comctl32: Exploitation of a logic error when creating a folder that requires administrator rights to access. When a specific trigger fires, the exploit elevates the user's privilege level to SYSTEM.

unix_mitre_attck_persistence: PT-CR-1029: Unix_Sensitive_File_Modification: Sensitive files were opened.

mitre_attck_persistence: PT-CR-1997: EventViewer_Registry_Modify: The registry key that redirects the Event Viewer help link has been changed. An attacker can set it to the path of a file that will be executed when help is requested, in order to persist on the target system.

Subtechniques

Expert Required. The technique is detected only with the combination of «PT Product + Expert»

Detection

ID: DS0011 | Data source and component: Module: Module Load | Description:

Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as making network connections for Command and Control, learning details about the environment through Discovery, and conducting Lateral Movement.

ID: DS0005 | Data source and component: WMI: WMI Creation | Description:

Monitor for newly constructed WMI Objects that may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events.

ID: DS0022 | Data source and component: File: File Metadata | Description:

Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.

ID: DS0022 | Data source and component: File: File Creation | Description:

Monitor newly constructed files that may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events.

ID: DS0022 | Data source and component: File: File Modification | Description:

Monitor for changes made to files that may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events.

ID: DS0024 | Data source and component: Windows Registry: Windows Registry Key Modification | Description:

Monitor for changes made to Windows registry keys and/or values that may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events.

ID: DS0017 | Data source and component: Command: Command Execution | Description:

Monitor executed commands and arguments that may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events.

ID: DS0025 | Data source and component: Cloud Service: Cloud Service Modification | Description:

Monitor the creation and modification of cloud resources that may be abused for persistence, such as functions and workflows monitoring cloud events.

ID: DS0009 | Data source and component: Process: Process Creation | Description:

Tools such as Sysinternals Autoruns can be used to detect changes to execution triggers that could be attempts at persistence. Also look for abnormal process call trees for execution of other commands that could relate to Discovery actions or other techniques.
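The detection rows above (WMI creation, registry key modification, module load) are easiest to reason about when the three event streams are correlated in one place. The following is an added example for this page, not Positive Technologies' or MITRE's code: a small Python detector over Sysmon-style event dictionaries that (a) raises an alert only when a WMI __EventFilter, a consumer and the binding between them have all been seen, whatever order the three events arrive in; (b) flags SetValue writes to registry locations that the T1546 sub-techniques turn into execution triggers; and (c) flags an unsigned DLL loaded from a user-writable directory into a SYSTEM or service process, which is the privilege-escalation edge the description mentions. Field names follow Sysmon's schema (EventID 7, 13, 19, 20, 21); the event list at the bottom is constructed by hand for the example, not captured from a real host.

```python
"""Correlate Sysmon-style events into T1546 (Event Triggered Execution) alerts.

Added example for this page, not Positive Technologies' or MITRE's code. Field
names follow Sysmon's schema (EventID 7 ImageLoad, 13 RegistryEvent SetValue,
19/20/21 WMI filter/consumer/binding); SAMPLE_EVENTS is constructed by hand.
"""
import re

# Registry values that T1546 sub-techniques turn into execution triggers,
# matched case-insensitively against Sysmon's TargetObject field.
TRIGGER_VALUES = {
    "AppInit_DLLs (T1546.010)": r"\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs$",
    "AppCertDlls (T1546.009)": r"\\Control\\Session Manager\\AppCertDlls\\",
    "IFEO Debugger (T1546.008/.012)": r"\\Image File Execution Options\\[^\\]+\\Debugger$",
    "Screensaver (T1546.002)": r"\\Control Panel\\Desktop\\SCRNSAVE\.EXE$",
    "Netsh helper DLL (T1546.007)": r"\\SOFTWARE\\Microsoft\\Netsh\\",
    "COM InprocServer32 (T1546.015)": r"\\Classes\\CLSID\\\{[^}]+\}\\InprocServer32",
}
TRIGGER_RES = [(name, re.compile(p, re.IGNORECASE)) for name, p in TRIGGER_VALUES.items()]

# Directories an unprivileged user can write to. An unsigned DLL loaded from one
# of them into a SYSTEM/service process is the privilege-escalation edge.
USER_WRITABLE = re.compile(r"^C:\\(Users|ProgramData|Windows\\Temp)\\", re.IGNORECASE)
PRIVILEGED = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"}
# Sysmon 21 carries references like: __EventFilter.Name="BotFilter"
WMI_NAME = re.compile(r'Name="([^"]+)"')


def _wmi_name(ref):
    m = WMI_NAME.search(ref or "")
    return m.group(1) if m else None


def detect(events):
    """Return a list of alert strings for an iterable of Sysmon-style event dicts."""
    alerts, filters, consumers, bindings = [], {}, {}, []
    for e in events:
        eid = e["EventID"]
        if eid == 13 and e.get("EventType") == "SetValue":
            for name, rx in TRIGGER_RES:
                if rx.search(e["TargetObject"]):
                    alerts.append(f"registry trigger {name}: {e['TargetObject']} = {e['Details']} (by {e['Image']})")
        elif eid == 19:   # __EventFilter created
            filters[e["Name"]] = e
        elif eid == 20:   # CommandLine/ActiveScript/... consumer created
            consumers[e["Name"]] = e
        elif eid == 21:   # __FilterToConsumerBinding created
            bindings.append(e)
        elif eid == 7 and e.get("User") in PRIVILEGED:
            if e.get("Signed", "").lower() == "false" and USER_WRITABLE.match(e["ImageLoaded"]):
                alerts.append(f"unsigned DLL {e['ImageLoaded']} loaded into {e['Image']} as {e['User']}")
    # Resolve bindings last so the alert fires regardless of event order.
    for b in bindings:
        f = filters.get(_wmi_name(b.get("Filter")))
        c = consumers.get(_wmi_name(b.get("Consumer")))
        if f and c:
            alerts.append(f"WMI permanent subscription: filter '{f['Query']}' -> "
                          f"{c['Type']} consumer '{c['Destination']}' (by {f['User']})")
    return alerts


SAMPLE_EVENTS = [  # constructed for this example; not real telemetry
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger",
     "Details": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 19, "User": "WIN10\\alice", "EventNamespace": "root\\cimv2", "Name": "BotFilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "
              "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240"},
    {"EventID": 20, "User": "WIN10\\alice", "Name": "BotConsumer", "Type": "Command Line",
     "Destination": "cmd.exe /c C:\\ProgramData\\update.bat"},
    {"EventID": 21, "User": "WIN10\\alice", "Consumer": 'CommandLineEventConsumer.Name="BotConsumer"',
     "Filter": '__EventFilter.Name="BotFilter"'},
    {"EventID": 7, "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\ProgramData\\helper.dll", "Signed": "false"},
    {"EventID": 7, "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the detector produces three alerts (the IFEO Debugger write, the unsigned DLL load into svchost.exe, and the completed WMI subscription) and ignores the benign Explorer setting and the signed system DLL. The binding is resolved only after all events are read because Sysmon emits events 19, 20 and 21 as three separate records and a consumer alone (or a filter alone) is not yet a persistence mechanism.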

Mitigation

ID: M1051 | Name: Update Software | Description:

Perform regular software updates to mitigate exploitation risk.

ID: M1026 | Name: Privileged Account Management | Description:

Manage the creation, modification, use, and permissions associated with privileged accounts, including SYSTEM and root.