DET0010: Behavioral Detection of Event Triggered Execution Across Platforms
Analyst context for executives and security teams
This detection strategy matters because event-triggered execution is a persistence and privilege-escalation pattern: code runs when a system, user, application, or cloud event occurs. For leaders, the risk is not just malware execution; it is hidden re-entry that can survive reboots, user logons, application activity, or cloud workflow events. Because the official detection strategy has no supplied detection text, teams should treat this as a coverage-validation prompt rather than a ready-made analytic.
Executive priority
Prioritize this as a resilience and incident-readiness issue for environments where the related ATT&CK technique T1546 is relevant: Linux, macOS, Windows, and SaaS. Executives should ask whether SOC and IR teams can inventory, monitor, and explain event-based execution mechanisms across endpoint and cloud/SaaS estates. The business decision value is in proving that persistence paths are governed, logged, and reviewable for audits, incident containment, and recovery decisions.
Technical view
The supplied relationship says DET0010 detects T1546 Event Triggered Execution, which is associated with persistence and privilege escalation. Detection engineering should validate behavioral coverage for new, modified, or suspicious event subscriptions, triggers, automation rules, login/startup handlers, and cloud/SaaS event-invoked functions where applicable. Because the detection strategy object does not provide official detection logic, teams should map local telemetry and analytics to the related technique rather than assuming ATT&CK provides complete implementation guidance.
Likely telemetry
- Endpoint process creation and parent/child process relationships
- Operating system event logs related to logon, startup, service, scheduled, or event subscription activity
- Configuration-change telemetry for event handlers, trigger registrations, automation rules, or similar mechanisms
- File and registry or equivalent OS configuration changes where event-triggered execution is configured
- Cloud or SaaS audit logs for event-driven automation, functions, workflow triggers, and permission changes
Detection direction
- Build or review analytics around behavior: creation or modification of event-triggered execution mechanisms followed by execution of unusual commands, scripts, binaries, or cloud actions.
- Tune for administrative and automation noise by baselining known management tools, deployment systems, and legitimate SaaS workflows.
- Correlate trigger creation with account context, privilege level, source location, and subsequent execution to reduce false positives.
- Validate coverage separately across Linux, macOS, Windows, and SaaS where those environments exist; event-trigger mechanisms and logs differ significantly by platform.
- During incident response, inspect event-based persistence locations and cloud/SaaS automation paths, not only running processes or recently executed files.
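As an added example (not Glexia's or MITRE's code, and not an official DET0010 analytic), the following Python sketch shows the behavioral pairing the telemetry and detection-direction points above describe: a trigger-change record followed by execution through the same mechanism on the same host, with known management tooling baselined out, a correlation window applied, and uncorrelated trigger changes kept as review items so incident response inspects persistence locations rather than only running processes. The record schema, field names, baseline list and 10-minute window are assumptions, and the telemetry records are constructed for illustration.

```python
"""Toy analytic: correlate event-trigger creation/modification with later execution.

Added example, not Glexia's or MITRE's code. The record schema, field names,
the management-tool allow-list and the correlation window are assumptions;
the telemetry records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed, already-normalized telemetry (assumed schema):
#   kind = "trigger_change" -> a trigger, subscription or automation rule was created/modified
#   kind = "exec"           -> that mechanism ran something
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "lnx01", "user": "svc-deploy", "kind": "trigger_change",
     "platform": "linux", "mechanism": "cron", "actor_process": "ansible-playbook"},
    {"ts": "2024-05-01T09:00:30", "host": "lnx01", "user": "svc-deploy", "kind": "exec",
     "platform": "linux", "mechanism": "cron", "command": "/opt/app/rotate-logs.sh"},
    {"ts": "2024-05-01T10:15:00", "host": "win07", "user": "jdoe", "kind": "trigger_change",
     "platform": "windows", "mechanism": "wmi_subscription", "actor_process": "powershell.exe"},
    {"ts": "2024-05-01T10:16:10", "host": "win07", "user": "jdoe", "kind": "exec",
     "platform": "windows", "mechanism": "wmi_subscription",
     "command": "powershell.exe -File C:\\Temp\\update.ps1"},
    {"ts": "2024-05-01T11:00:00", "host": "tenant-a", "user": "alice@example.com", "kind": "trigger_change",
     "platform": "saas", "mechanism": "automation_rule", "actor_process": "web_console"},
]

# Assumed baseline: deployment/management tooling whose trigger changes are expected noise.
KNOWN_MANAGEMENT_ACTORS = {"ansible-playbook", "jamf", "intune_agent"}
CORRELATION_WINDOW = timedelta(minutes=10)  # assumed tuning value


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    platform: str
    mechanism: str
    trigger_ts: str
    exec_ts: str
    actor_process: str
    command: str


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def correlate(events, window=CORRELATION_WINDOW, baseline=KNOWN_MANAGEMENT_ACTORS):
    """Return (alerts, review_items).

    alerts:       non-baseline trigger changes followed, within `window`, by an
                  execution through the same mechanism on the same host.
    review_items: non-baseline trigger changes with no correlated execution yet;
                  the trigger still exists, so it belongs in persistence review.
    """
    ordered = sorted(events, key=_ts)
    pending, alerts = [], []
    for ev in ordered:
        if ev["kind"] == "trigger_change":
            if ev.get("actor_process") in baseline:
                continue  # tuned out: expected management/deployment tooling
            pending.append(ev)
        elif ev["kind"] == "exec":
            for trig in pending:
                same_path = trig["host"] == ev["host"] and trig["mechanism"] == ev["mechanism"]
                if same_path and timedelta(0) <= _ts(ev) - _ts(trig) <= window:
                    alerts.append(Alert(host=ev["host"], user=trig["user"], platform=ev["platform"],
                                        mechanism=ev["mechanism"], trigger_ts=trig["ts"],
                                        exec_ts=ev["ts"], actor_process=trig["actor_process"],
                                        command=ev.get("command", "")))
                    pending.remove(trig)
                    break
    return alerts, pending


def platforms_with_trigger_telemetry(events):
    """Platforms that actually emit trigger-change records; anything missing is a coverage gap."""
    return {ev["platform"] for ev in events if ev["kind"] == "trigger_change"}


if __name__ == "__main__":
    found, review = correlate(SAMPLE_EVENTS)
    for a in found:
        print(f"ALERT  {a.platform}/{a.mechanism} on {a.host}: {a.actor_process} changed trigger at "
              f"{a.trigger_ts}, ran {a.command!r} at {a.exec_ts} (user {a.user})")
    for r in review:
        print(f"REVIEW {r['platform']}/{r['mechanism']} on {r['host']} changed by {r['user']} "
              f"at {r['ts']}; no execution seen yet")
    print("trigger-change telemetry present for:", sorted(platforms_with_trigger_telemetry(SAMPLE_EVENTS)))
```

Run as a script, the constructed data yields one alert (the Windows WMI subscription created from an interactive shell and fired seventy seconds later), one review item (the SaaS automation rule that has not executed yet) and a cron change that is dropped as baseline noise. In a real pipeline the baseline would be keyed on more than process name (signer, account, source host), and the window and matching keys would be tuned per platform, since the mechanisms and their logs differ as the text notes.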
Mitigation priorities
- Maintain an inventory of approved event-triggered execution mechanisms and owners.
- Restrict who can create or modify system, endpoint, cloud, and SaaS triggers that execute code or actions.
- Require change control and review for automation that can execute with elevated or persistent privileges.
- Ensure logging is enabled and retained for configuration changes and triggered executions across endpoint and SaaS environments.
- Include event-triggered persistence checks in incident response playbooks and recovery validation before returning systems or accounts to normal operations.
Analyst notes and limits
This Glexia take is based on the detection strategy metadata and its relationship to ATT&CK technique T1546. The object name indicates a behavioral detection approach across platforms, while the relationship provides the relevant tactics and platforms through the detected technique. The most useful next step is local control and telemetry validation: confirm which event-trigger mechanisms exist in the environment and whether the SOC can detect suspicious creation, modification, and execution behavior.
The official object supplies no description, no official detection text, and no object-level platforms or tactics. Platform and tactic discussion is derived only from the related T1546 technique context. No claim is made about active exploitation, attribution, vendor coverage, or guaranteed detection.
Behavioral Detection of Event Triggered Execution Across Platforms
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1546 | Event Triggered Execution | This object detects Event Triggered Execution. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f3bccf3c0e2d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0010 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.