T1546: T1546
Essential information
- MITRE technique ID
T1546- Confidence
- 100/100
- Revoked
- No
- Published
- 22/01/2020 22:04
- Modified
- 27/03/2026 01:11
- Author / Source
- The MITRE Corporation
Aliases
Event Triggered Execution
Platforms
windows macos linux IaaS Office Suite SaaS
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | persistence |
| mitre-attack | privilege-escalation |
Marking (TLP)
TLP:GREEN Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (29)
-
RomCom usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Trigona usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
DONOT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
KNOTWEED usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
APT 28 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[menuPass](https://attack.mitre.org/groups/G0045) is a threat group that has been active since at least 2006. Individual members of [menuPass](https://attack.mitre.org/groups/G0045) are known to have acted in association with the Chinese Ministry…
First seen 01/01/1970 · Last seen 16/11/5138 · -
CL0P usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Activity usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Glupteba usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Blackwood usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Goldoon usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Calypso usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (73)
-
NukeSped usesFamily
-
Trigona usesFamily
-
ROMCOM RAT uses
-
Uroburos uses
-
Redsip uses
-
Epic uses
-
SHA-256 uses
-
Gh0st uses
-
Morte usesFamily
-
RedLine Stealer usesFamily
-
PoisonIvy uses
-
Dridex - S0384 usesFamily
Reports (18)
-
Threat landscape — insurance relatedConfidence 100 199 MITREs 11 APTs
-
18 MITREs 1 Malware 2 Observables
-
23 CVEs 20 MITREs 2 Malwares 26 Observables 1 APT
-
15 MITREs 3 Malwares 71 Observables 1 APT
-
12 MITREs 1 Malware 12 Observables 1 APT
-
12 MITREs 1 Malware 12 Observables 1 APT
-
10 MITREs 3 Malwares
-
9 MITREs 5 Observables 1 APT
-
23 MITREs 1 Malware 15 Observables
-
19 MITREs 4 Malwares 1 APT
-
20 MITREs 3 Malwares 1 APT
-
14 MITREs 1 Malware
Vulnerabilities (CVE) (67)
Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured …
- Attack vector
- Network
- Published
- 03/11/2021
- Modified
- 18/02/2026
A remote command injection vulnerability exists in Vacron Network Video Recorder (NVR) devices v1.4 due to improper input sanitization in the board.cgi …
- Published
- 20/12/2025
- Modified
- 21/12/2025
- Published
- 20/12/2025
- Modified
- 20/12/2025
Multiple D-Link routers contain a command injection vulnerability which can allow attackers to achieve full system compromise.
- Published
- 25/03/2022
- Modified
- 21/12/2025
LB-LINK BL-AC1900_2.0 v1.0.1, LB-LINK BL-WR9000 v2.4.9, LB-LINK BL-X26 v1.2.5, and LB-LINK BL-LTE300 v1.0.8 were discovered to contain a command injection vulnerability via …
- Attack vector
- NETWORK
- Published
- 26/03/2023
- Modified
- 21/12/2025
D-Link DIR-816 A2_v1.10CNB04.img is vulnerable to Command Injection via /goform/SystemCommand. After the user passes in the command parameter, it will be spliced …
- Attack vector
- NETWORK
- Published
- 01/09/2022
- Modified
- 21/12/2025
CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance …
- Published
- 03/04/2025
- Modified
- 03/04/2025
The Meteobridge web interface let meteobridge administrator manage their weather station data collection and administer their meteobridge system through a web application …
- Attack vector
- Adjacent
- Published
- 02/10/2025
- Modified
- 21/12/2025
NETGEAR DGN1000 before 1.1.00.48 is vulnerable to an authentication bypass vulnerability. A remote and unauthenticated attacker can execute arbitrary operating system commands …
- Attack vector
- Network
- Published
- 10/01/2025
- Modified
- 21/12/2025
A vulnerability classified as critical was found in Tenda O3V2 1.0.0.12(3880). This vulnerability affects the function fromNetToolGet of the file /goform/setPingInfo of …
- Attack vector
- Network
- Complexity
- Low
- Published
- 10/07/2025
- Modified
- 29/04/2026
Buffer overflow in login.cgi in MiniHttpd in Belkin N750 Router with firmware before F9K1103_WW_1.10.17m allows remote attackers to execute arbitrary code via …
- Published
- 12/11/2014
- Modified
- 07/05/2026
PHPUnit allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 27/06/2017
- Modified
- 22/04/2026
Attack patterns (MITRE) (5)
-
PowerShell Profile subtechnique-of
-
Python Startup Hooks subtechnique-of
-
Trap subtechnique-of
-
Windows Management Instrumentation Event Subscription subtechnique-ofT1546.003 MITRE
-
Unix Shell Configuration Modification subtechnique-ofT1546.004 MITRE
Tool (1)
-
Pacu usesThe MITRE Corporation Confidence 100
Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.(Citation: GitHub Pacu)
Course Of Action (1)
-
Update Software mitigates