T1546

Event Triggered Execution

Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.(Citation: Backdooring an AWS account)(Citation: Varonis Power Automa...

LinuxmacOSWindowsSaaSIaaSOffice Suite

Detections

Sources

Threat Actors

BY SOURCE

61elastic7sigma3splunk_escu

PROCEDURES (43)

Persist7 detections

Auto-extracted: 7 detections for persist

Registry5 detections

Auto-extracted: 5 detections for registry

Inject5 detections

Auto-extracted: 5 detections for inject

Registry Monitoring3 detections

Auto-extracted: 3 detections for registry monitoring

Parent Process3 detections

Auto-extracted: 3 detections for parent process

Service2 detections

Auto-extracted: 2 detections for service

General Monitoring2 detections

Auto-extracted: 2 detections for general monitoring

Container2 detections

Auto-extracted: 2 detections for container

Macro2 detections

Auto-extracted: 2 detections for macro

Macro2 detections

Auto-extracted: 2 detections for macro

Wmi2 detections

Auto-extracted: 2 detections for wmi

Persist2 detections

Auto-extracted: 2 detections for persist

Suspicious2 detections

Auto-extracted: 2 detections for suspicious

C22 detections

Auto-extracted: 2 detections for c2

Startup2 detections

Auto-extracted: 2 detections for startup

Unusual1 detections

Auto-extracted: 1 detections for unusual

Service1 detections

Auto-extracted: 1 detections for service

Child Process1 detections

Auto-extracted: 1 detections for child process

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Inject1 detections

Auto-extracted: 1 detections for inject

Persist1 detections

Auto-extracted: 1 detections for persist

Remote1 detections

Auto-extracted: 1 detections for remote

Service1 detections

Auto-extracted: 1 detections for service

Powershell1 detections

Auto-extracted: 1 detections for powershell

Child Process1 detections

Auto-extracted: 1 detections for child process

Child Process1 detections

Auto-extracted: 1 detections for child process

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Remote1 detections

Auto-extracted: 1 detections for remote

Privilege1 detections

Auto-extracted: 1 detections for privilege

Powershell1 detections

Auto-extracted: 1 detections for powershell

Authentication Monitoring1 detections

Auto-extracted: 1 detections for authentication monitoring

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

Service1 detections

Auto-extracted: 1 detections for service

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Container1 detections

Auto-extracted: 1 detections for container

Api1 detections

Auto-extracted: 1 detections for api

Registry1 detections

Auto-extracted: 1 detections for registry

Inject1 detections

Auto-extracted: 1 detections for inject

Api1 detections

Auto-extracted: 1 detections for api

Cloud Monitoring1 detections

Auto-extracted: 1 detections for cloud monitoring

Persist1 detections

Auto-extracted: 1 detections for persist

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

Persist1 detections

Auto-extracted: 1 detections for persist

DETECTIONS (71)

APT Package Manager Configuration File Creation

elasticlow

AWS Lambda Function Policy Updated to Allow Public Invocation