216.73.216.6

T1546: T1546

View on MITRE ATT&CK The MITRE Corporation · Published 22/01/2020 22:04 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID
T1546
Confidence
100/100
Revoked
No
Published
22/01/2020 22:04
Modified
27/03/2026 01:11
Author / Source
The MITRE Corporation

Aliases

Event Triggered Execution

Platforms

windows macos linux IaaS Office Suite SaaS

Description

Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.(Citation: Backdooring an AWS account)(Citation: Varonis Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001) Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.(Citation: FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware) Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges.

Kill chain phases

Kill chainPhase
mitre-attack persistence
mitre-attack privilege-escalation

Marking (TLP)

TLP:GREEN Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.