T1546: T1546
Essential information
- MITRE technique ID
T1546- Confidence
- 100/100
- Revoked
- No
- Published
- 22/01/2020 22:04
- Modified
- 27/03/2026 01:11
- Author / Source
- The MITRE Corporation
Aliases
Event Triggered Execution
Platforms
windows macos linux IaaS Office Suite SaaS
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | persistence |
| mitre-attack | privilege-escalation |
Marking (TLP)
TLP:GREEN Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (29)
-
RomCom usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Trigona usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
DONOT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
KNOTWEED usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
APT 28 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[menuPass](https://attack.mitre.org/groups/G0045) is a threat group that has been active since at least 2006. Individual members of [menuPass](https://attack.mitre.org/groups/G0045) are known to have acted in association with the Chinese Ministry…
First seen 01/01/1970 · Last seen 16/11/5138 · -
CL0P usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Activity usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Glupteba usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Blackwood usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Goldoon usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Calypso usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (73)
-
Win.Dropper.Scar uses
-
macOS.Bkdr.Activator uses
-
Space Pirates uses
-
NSIS uses
-
MostereRAT usesFamily
-
Winnti uses
-
SectopRAT usesFamily
-
Infostealer usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
HyperBro uses
-
Redline usesFamily
-
NOOPDOOR usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Mirai usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (18)
-
Threat landscape — insurance relatedConfidence 100 199 MITREs 11 APTs
-
18 MITREs 1 Malware 2 Observables
-
23 CVEs 20 MITREs 2 Malwares 26 Observables 1 APT
-
15 MITREs 3 Malwares 71 Observables 1 APT
-
12 MITREs 1 Malware 12 Observables 1 APT
-
12 MITREs 1 Malware 12 Observables 1 APT
-
10 MITREs 3 Malwares
-
9 MITREs 5 Observables 1 APT
-
23 MITREs 1 Malware 15 Observables
-
19 MITREs 4 Malwares 1 APT
-
20 MITREs 3 Malwares 1 APT
-
14 MITREs 1 Malware
Vulnerabilities (CVE) (67)
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The GeoServer security …
- Attack vector
- NETWORK
- Published
- 14/04/2022
- Modified
- 21/12/2025
Guangzhou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and V2804RGW 1.9.1-181203 through 2.9.0-181024 devices allow remote attackers to execute arbitrary OS commands via …
- Attack vector
- NETWORK
- Published
- 15/07/2020
- Modified
- 21/12/2025
Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …
- Attack vector
- Local
- Published
- 03/11/2021
- Modified
- 27/05/2026
Zoho ManageEngine ADSelfService Plus contains an authentication bypass vulnerability affecting the REST API URLs which allow for remote code execution.
- Published
- 03/11/2021
- Modified
- 20/12/2025
- Published
- 20/12/2025
- Modified
- 21/12/2025
Microsoft Enhanced Cryptographic Provider contains an unspecified vulnerability that allows for privilege escalation.
- Published
- 03/11/2021
- Modified
- 20/12/2025
Multiple Zyxel network-attached storage (NAS) devices contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary …
- Published
- 25/03/2022
- Modified
- 21/12/2025
SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries …
- Attack vector
- Network
- Published
- 29/04/2025
- Modified
- 21/12/2025
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6020, R6080, R6120, R6220, R6260, R6700v2, R6800, R6900v2, …
- Attack vector
- ADJACENT_NETWORK
- Published
- 12/02/2021
- Modified
- 21/12/2025
FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, exposes an HTTP server over the LAN interface of …
- Attack vector
- NETWORK
- Published
- 20/12/2025
- Modified
- 09/03/2026
Hytec Inter HWL-2511-SS v1.05 and below was discovered to contain a command injection vulnerability via the component /www/cgi-bin/popen.cgi.
- Attack vector
- NETWORK
- Published
- 30/08/2022
- Modified
- 21/12/2025
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system …
- Attack vector
- Network
- Published
- 12/06/2024
- Modified
- 21/12/2025
Attack patterns (MITRE) (5)
-
PowerShell Profile subtechnique-of
-
Python Startup Hooks subtechnique-of
-
Trap subtechnique-of
-
Windows Management Instrumentation Event Subscription subtechnique-ofT1546.003 MITRE
-
Unix Shell Configuration Modification subtechnique-ofT1546.004 MITRE
Tool (1)
-
Pacu usesThe MITRE Corporation Confidence 100
Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.(Citation: GitHub Pacu)
Course Of Action (1)
-
Update Software mitigates