T1546: T1546
Essential information
- MITRE technique ID
T1546- Confidence
- 100/100
- Revoked
- No
- Published
- 22/01/2020 22:04
- Modified
- 27/03/2026 01:11
- Author / Source
- The MITRE Corporation
Aliases
Event Triggered Execution
Platforms
windows macos linux IaaS Office Suite SaaS
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | persistence |
| mitre-attack | privilege-escalation |
Marking (TLP)
TLP:GREEN Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (29)
-
DeepStreamer usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
RondoDox usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Lazarus usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
APT-C 60 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[APT37](https://attack.mitre.org/groups/G0067) is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also…
First seen 01/01/1970 · Last seen 16/11/5138 · -
BondNet usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
UNC5221 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Dark Pink usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Anatsa relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
BladedFeline relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Chinaz relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Gamaredon Group](https://attack.mitre.org/groups/G0047) is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (73)
-
Tsunami usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
ShellBot usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Albaniiutas usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Playcrypt usesFamily The MITRE Corporation Confidence 100
[Playcrypt](https://attack.mitre.org/software/S1162) is a ransomware that has been used by [Play](https://attack.mitre.org/groups/G1040) since at least 2022 in attacks against against the business, government, critical infrastructure, healthcare, and media sectors in…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Demo usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
PrimeCache usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
LockBit usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Cobalt Strike usesFamily The MITRE Corporation Confidence 100
[Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced…
First seen 01/01/1970 · Last seen 16/11/5138 · -
SpyNote usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
NOOPLDR usesAlienVault Confidence 100
[NOOPLDR](https://attack.mitre.org/software/S9025) is a shellcode loader with XML/C# and DLL versions that has been used by [MirrorFace](https://attack.mitre.org/groups/G1054) to load [HiddenFace](https://attack.mitre.org/software/S9023).(Citation: Trend Micro Earth Kasha NOV 2024)
First seen 01/01/1970 · Last seen 16/11/5138 · -
Truebot usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Cucky usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (18)
-
Threat landscape — insurance relatedConfidence 100 199 MITREs 11 APTs
-
18 MITREs 1 Malware 2 Observables
-
23 CVEs 20 MITREs 2 Malwares 26 Observables 1 APT
-
15 MITREs 3 Malwares 71 Observables 1 APT
-
12 MITREs 1 Malware 12 Observables 1 APT
-
12 MITREs 1 Malware 12 Observables 1 APT
-
10 MITREs 3 Malwares
-
9 MITREs 5 Observables 1 APT
-
23 MITREs 1 Malware 15 Observables
-
19 MITREs 4 Malwares 1 APT
-
20 MITREs 3 Malwares 1 APT
-
14 MITREs 1 Malware
Vulnerabilities (CVE) (67)
D-Link DNS-320 device contains a command injection vulnerability in the sytem_mgr.cgi component that may allow for remote code execution.
- Published
- 03/11/2021
- Modified
- 20/12/2025
D-Link DIR-820 routers contain an OS command injection vulnerability that allows a remote, unauthenticated attacker to escalate privileges to root via a …
- Attack vector
- Network
- Published
- 30/09/2024
- Modified
- 21/12/2025
Microsoft Windows CSRSS contains an unspecified vulnerability that allows for privilege escalation to SYSTEM privileges.
- Published
- 12/07/2022
- Modified
- 20/12/2025
Tenda AC1900 Router AC15 Model contains an unspecified vulnerability that allows remote attackers to execute system commands via the deviceName POST parameter.
- Published
- 03/11/2021
- Modified
- 20/12/2025
Zyxel P660HN-T1A routers contain a command injection vulnerability in the Remote System Log forwarding function, which is accessible by an unauthenticated user …
- Published
- 07/08/2023
- Modified
- 20/12/2025
A Command Injection vulnerability exists in the /var/www/cgi-bin/rtpd.cgi script in D-Link IP Cameras DCS-3411/3430 firmware 1.02, DCS-5605/5635 1.01, DCS-1100L/1130L 1.04, DCS-1100/1130 1.03, …
- Attack vector
- NETWORK
- Published
- 28/01/2020
- Modified
- 21/12/2025
A vulnerability was found in Totolink X6000R AX3000 9.4.0cu.852_20230719. It has been rated as critical. This issue affects the function setWizardCfg of …
- Attack vector
- ADJACENT_NETWORK
- Published
- 23/02/2024
- Modified
- 21/12/2025
Attack patterns (MITRE) (5)
-
PowerShell Profile subtechnique-of
-
Python Startup Hooks subtechnique-of
-
Trap subtechnique-of
-
Windows Management Instrumentation Event Subscription subtechnique-ofT1546.003 MITRE
-
Unix Shell Configuration Modification subtechnique-ofT1546.004 MITRE
Tool (1)
-
Pacu usesThe MITRE Corporation Confidence 100
Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.(Citation: GitHub Pacu)
Course Of Action (1)
-
Update Software mitigates