T1546: T1546
Essential information
- MITRE technique ID
T1546- Confidence
- 100/100
- Revoked
- No
- Published
- 22/01/2020 22:04
- Modified
- 27/03/2026 01:11
- Author / Source
- The MITRE Corporation
Aliases
Event Triggered Execution
Platforms
windows macos linux IaaS Office Suite SaaS
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | persistence |
| mitre-attack | privilege-escalation |
Marking (TLP)
TLP:GREEN Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (29)
-
RomCom usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Trigona usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
DONOT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
KNOTWEED usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
APT 28 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[menuPass](https://attack.mitre.org/groups/G0045) is a threat group that has been active since at least 2006. Individual members of [menuPass](https://attack.mitre.org/groups/G0045) are known to have acted in association with the Chinese Ministry…
First seen 01/01/1970 · Last seen 16/11/5138 · -
CL0P usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Activity usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Glupteba usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Blackwood usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Goldoon usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Calypso usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (73)
-
NukeSped usesFamily
-
Trigona usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
ROMCOM RAT uses
-
Uroburos uses
-
Redsip uses
-
Epic uses
-
SHA-256 uses
-
Gh0st uses
-
Morte usesFamily
-
RedLine Stealer usesFamily The MITRE Corporation Confidence 100
[RedLine Stealer](https://attack.mitre.org/software/S1240) is an information-stealer malware variant first identified in 2020.(Citation: ESET RedLine Stealer November 2024)(Citation: Proofpoint RedLine Stealer March 2020)(Citation: Splunk RedLine Stealer June 2023) [RedLine Stealer](https://attack.mitre.org/software/S1240)…
First seen 01/01/1970 · Last seen 16/11/5138 · -
PoisonIvy uses
-
Dridex - S0384 usesFamily
Reports (18)
-
Cuckoo Threat Actor Arsenal related14 MITREs 2 Malwares 9 Observables 1 APT
-
2 CVEs 12 MITREs 3 Malwares 5 Observables 1 APT
-
1 CVE 16 MITREs 12 Malwares 27 Observables
-
10 MITREs 1 Malware 1 APT
-
10 MITREs 1 Malware 4 Observables 1 APT
-
1 CVE 18 MITREs 1 Malware 24 Observables 1 APT
Vulnerabilities (CVE) (67)
An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on …
- Published
- 24/06/2025
- Modified
- 20/03/2026
TP-Link Archer AX-21 contains a command injection vulnerability that allows for remote code execution.
- Attack vector
- Adjacent
- Published
- 01/05/2023
- Modified
- 21/12/2025
Digiever DS-2105 Pro 3.1.0.71-11 devices allow time_tzsetup.cgi Command Injection. NOTE: This vulnerability only affects products that are no longer supported by the …
- Attack vector
- NETWORK
- Published
- 03/02/2025
- Modified
- 31/12/2025
The WP Meta SEO WordPress plugin before 4.5.5 does not validate image file paths before attempting to manipulate the image files, leading …
- Attack vector
- NETWORK
- Published
- 10/04/2023
- Modified
- 21/12/2025
Commands can be injected over the network and executed without authentication.
- Attack vector
- NETWORK
- Published
- 02/08/2024
- Modified
- 21/12/2025
RE11S v1.11 was discovered to contain a command injection vulnerability via the command parameter at /goform/mp.
- Attack vector
- NETWORK
- Published
- 16/01/2025
- Modified
- 21/12/2025
A vulnerability has been found in TOTOLINK X2000R 1.0.0-B20230726.1108 and classified as critical. This vulnerability affects unknown code of the file /boafrm/formWsc. …
- Attack vector
- NETWORK
- Published
- 03/06/2025
- Modified
- 21/12/2025
Dasan GPON Routers contain an authentication bypass vulnerability. When combined with CVE-2018-10562, exploitation can allow an attacker to perform remote code execution.
- Published
- 31/03/2022
- Modified
- 20/12/2025
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 24/09/2014
- Modified
- 22/04/2026
Multiple versions of Fortinet FortiOS SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute arbitrary …
- Attack vector
- Network
- Published
- 13/12/2022
- Modified
- 20/12/2025
A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by …
- Attack vector
- NETWORK
- Published
- 06/11/2024
- Modified
- 21/12/2025
Microsoft Windows COM Aggregate Marshaler allows for privilege escalation when an attacker runs a specially crafted application.
- Attack vector
- LOCAL
- Complexity
- LOW
- Published
- 12/05/2017
- Modified
- 22/04/2026
Attack patterns (MITRE) (5)
-
PowerShell Profile subtechnique-of
-
Python Startup Hooks subtechnique-of
-
Trap subtechnique-of
-
Windows Management Instrumentation Event Subscription subtechnique-ofT1546.003 MITRE
-
Unix Shell Configuration Modification subtechnique-ofT1546.004 MITRE
Tool (1)
-
Pacu usesThe MITRE Corporation Confidence 100
Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.(Citation: GitHub Pacu)
Course Of Action (1)
-
Update Software mitigates