EXPLORE
← Back to Explore
T1546

Event Triggered Execution

Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.(Citation: Backdooring an AWS account)(Citation: Varonis Power Automa...

LinuxmacOSWindowsSaaSIaaSOffice Suite
76
Detections
3
Sources
0
Threat Actors

BY SOURCE

66elastic7sigma3splunk_escu

PROCEDURES (46)

Persist7 detections

Auto-extracted: 7 detections for persist

Inject4 detections

Auto-extracted: 4 detections for inject

Registry4 detections

Auto-extracted: 4 detections for registry

Suspicious3 detections

Auto-extracted: 3 detections for suspicious

Registry Monitoring3 detections

Auto-extracted: 3 detections for registry monitoring

Macro2 detections

Auto-extracted: 2 detections for macro

Wmi2 detections

Auto-extracted: 2 detections for wmi

Macro2 detections

Auto-extracted: 2 detections for macro

General Monitoring2 detections

Auto-extracted: 2 detections for general monitoring

Persist2 detections

Auto-extracted: 2 detections for persist

Service2 detections

Auto-extracted: 2 detections for service

Child Process2 detections

Auto-extracted: 2 detections for child process

Evasion2 detections

Auto-extracted: 2 detections for evasion

Container2 detections

Auto-extracted: 2 detections for container

Startup2 detections

Auto-extracted: 2 detections for startup

Parent Process2 detections

Auto-extracted: 2 detections for parent process

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Unusual1 detections

Auto-extracted: 1 detections for unusual

Base641 detections

Auto-extracted: 1 detections for base64

Child Process1 detections

Auto-extracted: 1 detections for child process

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Remote1 detections

Auto-extracted: 1 detections for remote

Remote1 detections

Auto-extracted: 1 detections for remote

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

Powershell1 detections

Auto-extracted: 1 detections for powershell

Api1 detections

Auto-extracted: 1 detections for api

Powershell1 detections

Auto-extracted: 1 detections for powershell

Service1 detections

Auto-extracted: 1 detections for service

Persist1 detections

Auto-extracted: 1 detections for persist

Download1 detections

Auto-extracted: 1 detections for download

Persist1 detections

Auto-extracted: 1 detections for persist

Child Process1 detections

Auto-extracted: 1 detections for child process

Authentication Monitoring1 detections

Auto-extracted: 1 detections for authentication monitoring

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

Service1 detections

Auto-extracted: 1 detections for service

Aws1 detections

Auto-extracted: 1 detections for aws

Aws1 detections

Auto-extracted: 1 detections for aws

Aws1 detections

Auto-extracted: 1 detections for aws

Base641 detections

Auto-extracted: 1 detections for base64

Cloud Monitoring1 detections

Auto-extracted: 1 detections for cloud monitoring

Persist1 detections

Auto-extracted: 1 detections for persist

Inject1 detections

Auto-extracted: 1 detections for inject

Privilege1 detections

Auto-extracted: 1 detections for privilege

Container1 detections

Auto-extracted: 1 detections for container

Registry1 detections

Auto-extracted: 1 detections for registry

Credential1 detections

Auto-extracted: 1 detections for credential

DETECTIONS (76)

APT Package Manager Configuration File Creation
elasticlow
AWS Lambda Event Source Mapping Creation
elasticlow
AWS Lambda Function Policy Updated to Allow Cross-Account Invocation
elastichigh
AWS Lambda Function Policy Updated to Allow Public Invocation
elastichigh
AWS SageMaker Notebook Lifecycle Configuration With Suspicious Script Content
elastichigh
Azure Automation Webhook Created
elasticlow
Bash Shell Profile Modification
elasticmedium
COM Hijack via Sdclt
sigmahigh
Component Object Model Hijacking
elasticlow
Control Panel Items
sigmahigh
Curl Execution via Shell Profile
elastichigh
D-Bus Service Created
elasticlow
DNF Package Manager Plugin File Creation
elasticlow
Docker Release File Creation
elasticlow
DPKG Package Installed by Unusual Parent Process
elasticlow
Emond Rules Creation or Modification
elasticmedium
Executable Bit Set for Potential Persistence Script
elasticmedium
Git Hook Child Process
elasticlow
Git Hook Command Execution
elasticlow
Git Hook Created or Modified
elasticlow
Git Hook Egress Network Connection
elasticmedium
GitHub Actions Workflow Modification Blocked
elasticmedium
GKE Admission Webhook Created or Modified
elasticmedium
Image File Execution Options Injection
elasticmedium
Installation of Custom Shim Databases
elasticmedium
Kubernetes Admission Webhook Created or Modified
elasticmedium
Modification of Persistence Relevant Files Detected via Defend for Containers
elasticlow
Mofcomp Activity
elasticlow
Netsh Helper DLL
elasticlow
Network Connection Initiated by Suspicious SSHD Child Process
elasticmedium
NetworkManager Dispatcher Script Creation
elasticlow
New Outlook Macro Created
sigmamedium
Outlook Macro Execution Without Warning Setting Enabled
sigmahigh
Persistence via Folder Action Script
elasticmedium
Persistence via PowerShell profile
elasticmedium
Persistence via WMI Event Subscription
elasticlow
Pod or Container Creation with Suspicious Command-Line
elasticmedium
Potential Application Shimming via Sdbinst
elasticlow
Potential Modification of Accessibility Binaries
elastichigh
Potential Persistence via Atom Init Script Modification
elasticlow
Potential Persistence via File Modification
elasticlow
Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
sigmahigh
Potential release_agent Container Escape Detected via Defend for Containers
elasticmedium
Potential RemoteMonologue Attack
elasticmedium
Potential Suspicious File Edit
elasticlow
Python Path File (pth) Creation
elasticlow
Python Site or User Customize File Creation
elasticlow
Registry Persistence via AppCert DLL
elasticmedium
Registry Persistence via AppInit DLL
elasticmedium
RPM Package Installed by Unusual Parent Process
elasticlow
Screensaver Plist File Modified by Unexpected Process
elasticmedium
Shell Configuration Creation
elasticmedium
Suspicious Apple Mail Rule Plist Modification
elasticmedium
Suspicious APT Package Manager Execution
elasticlow
Suspicious APT Package Manager Network Connection
elasticmedium
Suspicious Calendar File Modification
elasticmedium
Suspicious Echo or Printf Execution Detected via Defend for Containers
elastichigh
Suspicious Emond Child Process
elasticmedium
Suspicious File Creation via Pkg Install Script
elastichigh
Suspicious Get-Variable.exe Creation
sigmahigh
Suspicious Outlook Macro Created
sigmahigh
Suspicious WerFault Child Process
elasticmedium
Suspicious WMI Event Subscription Created
elasticmedium
Systemd Generator Created
elasticmedium
Systemd-udevd Rule File Creation
elasticlow
Trap Signals Execution
elasticlow
Uncommon Registry Persistence Change
elasticmedium
Unexpected Child Process of macOS Screensaver Engine
elasticmedium
Unusual DPKG Execution
elasticmedium
Unusual Process Modifying GenAI Configuration File
elasticmedium
Unusual SSHD Child Process
elasticlow
Werfault ReflectDebugger Persistence
elasticlow
Windows AD AdminSDHolder ACL Modified
splunk_escu
Windows Compatibility Telemetry Suspicious Child Process
splunk_escu
Windows Compatibility Telemetry Tampering Through Registry
splunk_escu
Yum Package Manager Plugin File Creation
elasticmedium