T1546: Event Triggered Execution
Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.[1][2][3]
Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.[4][5][6]
Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges.
Analyst context for executives and security teams
Event Triggered Execution matters because it turns normal automation features into durable access paths. Instead of running malware continuously, an adversary can configure an operating system, cloud service, office automation feature, or application mechanism to launch code only when a logon, application start, device event, cloud event, installer action, or similar trigger occurs. For leaders, the risk is persistence that blends into legitimate administration and may execute under more privileged accounts such as SYSTEM, root, or service accounts.
Executive priority
Prioritize this technique where privileged automation, endpoint configuration, cloud eventing, and office workflow automation are business-critical. The key governance question is whether the organization can prove who is allowed to create or modify event triggers, whether those changes are logged, and whether incident responders can quickly distinguish sanctioned automation from persistence. This is relevant to resilience and audit readiness because weak control over event-triggered mechanisms can allow access to survive reboots, user logoffs, software installs, or cloud account changes.
Technical view
ATT&CK maps T1546 to persistence and privilege escalation across Linux, macOS, Windows, SaaS, IaaS, and Office Suite platforms. The sub-techniques show that coverage must be platform-specific: Windows registry-backed mechanisms, WMI subscriptions, PowerShell profiles, screensavers, accessibility features, shims, IFEO, AppInit/AppCert DLLs, and Netsh helpers; Linux/macOS shell configuration, trap handling, installer scripts, udev rules, Python startup hooks, LC_LOAD_DYLIB, and emond; plus cloud and office automation that invokes code or workflows from events. Since MITRE provides no official detection text for this object, SOC teams should use the related detection strategy DET0010 as a validation theme: behavioral detection of new or modified event-triggered execution mechanisms across platforms, especially when the triggered action points to unusual scripts, binaries, cloud functions, or accounts with elevated permissions.
Likely telemetry
- Endpoint process creation and parent/child process relationships around logon, application start, installer execution, shell start, PowerShell start, and system service activity
- Windows Registry change telemetry for persistence-related trigger locations referenced by the sub-techniques
- WMI event filter, consumer, provider, and binding creation or modification events on Windows
- File creation and modification monitoring for shell profiles, PowerShell profiles, installer scripts, Python startup hook files, udev rules, macOS emond rules, and modified Mach-O load commands where applicable
- Cloud control-plane audit logs for creation or modification of event-driven functions, rules, services, roles, and permissions in IaaS environments
Detection direction
- Inventory legitimate event-triggered automation first; detections without an allowlisted baseline are likely to generate noisy alerts from administrators, installers, developers, and endpoint management tools.
- Alert on creation or modification of trigger mechanisms that launch unusual interpreters, scripts, binaries, DLLs, cloud functions, or office workflows, especially when created by non-administrative users or newly privileged accounts.
- Correlate trigger creation with subsequent execution under higher-privilege contexts such as SYSTEM, root, administrative, or service accounts, because the technique can support privilege escalation as well as persistence.
- Tune separately by platform and sub-technique. Windows registry and WMI logic will not cover Linux/macOS shell, udev, Python, installer, or emond mechanisms; endpoint coverage will not cover SaaS, IaaS, or Office Suite automation.
- Review relationship context for defensive relevance: ATT&CK links DET0010 to this technique, and software/campaign examples include macOS, IaaS, Linux, network-device-adjacent, and SOHO-device contexts, reinforcing the need to avoid Windows-only assumptions.
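The triage flow the points above describe (allowlisted baseline first, alert on unusual trigger targets or non-administrative actors, then escalate when the target later executes under a privileged account), as an added Python example that is not part of this page or of ATT&CK; the event field names, trigger class labels, BASELINE entries and sample events are all constructed for illustration rather than taken from any real telemetry schema.

```python
"""Triage event-trigger telemetry: suppress baselined automation, score unusual
targets, and escalate when the target later runs as a privileged account."""
import re

# Hypothetical allowlist of sanctioned automation: (trigger class, target image).
BASELINE = {("wmi_consumer", "C:\\Program Files\\EndpointMgmt\\agent.exe"),
            ("shell_profile", "/etc/profile.d/corp-proxy.sh")}
INTERPRETERS = re.compile(r"^(powershell|pwsh|cmd|wscript|cscript|mshta|python3?|bash|sh)(\.exe)?$", re.I)
PRIVILEGED = {"SYSTEM", "root"}

def triage(events):
    """Return one alert per non-baselined trigger_modified event.
    Severity is 'medium', 'high' if the target is a script interpreter or the
    change came from a non-admin account, and 'critical' if a later
    process_create on the same host shows the target running as SYSTEM/root."""
    alerts = []
    for e in events:
        if e["type"] != "trigger_modified" or (e["trigger_class"], e["target"]) in BASELINE:
            continue  # not a trigger change, or sanctioned automation
        reasons = []
        image = e["target"].replace("\\", "/").rsplit("/", 1)[-1]  # works for both path styles
        if INTERPRETERS.match(image):
            reasons.append("target is a script interpreter")
        if not e.get("actor_is_admin", False):
            reasons.append("modified by non-administrative account")
        severity = "high" if reasons else "medium"
        # Correlation step: same target executed later under a privileged context.
        for p in events:
            if (p["type"] == "process_create" and p["host"] == e["host"] and p["ts"] > e["ts"]
                    and p["image"] == e["target"] and p["user"] in PRIVILEGED):
                reasons.append(f"target later executed as {p['user']}")
                severity = "critical"
                break
        alerts.append({"host": e["host"], "trigger_class": e["trigger_class"],
                       "target": e["target"], "severity": severity, "reasons": reasons})
    return alerts

# Constructed sample telemetry (not real logs): one sanctioned WMI consumer,
# one IFEO change by a standard user that later runs as SYSTEM, one udev rule.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "ws01", "type": "trigger_modified", "trigger_class": "wmi_consumer",
     "actor_is_admin": True, "target": "C:\\Program Files\\EndpointMgmt\\agent.exe"},
    {"ts": 2, "host": "ws01", "type": "trigger_modified", "trigger_class": "ifeo_debugger",
     "actor_is_admin": False, "target": "C:\\Users\\Public\\powershell.exe"},
    {"ts": 3, "host": "ws01", "type": "process_create", "user": "SYSTEM",
     "image": "C:\\Users\\Public\\powershell.exe"},
    {"ts": 4, "host": "srv02", "type": "trigger_modified", "trigger_class": "udev_rule",
     "actor_is_admin": True, "target": "/usr/local/bin/hotplug-handler"},
]
```

Running `triage(SAMPLE_EVENTS)` yields a critical alert for the IFEO change on ws01 and only a medium one for the admin-created udev rule; the baselined WMI consumer produces nothing.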
Mitigation priorities
- Apply privileged account management first: restrict who can create, modify, or execute event-triggered mechanisms; enforce least privilege and role-based access for administrators, service accounts, root/SYSTEM-equivalent functions, cloud roles, and office automation owners.
- Require logging and accountability for privileged automation changes across endpoints, cloud services, SaaS, and Office Suite environments.
- Maintain software updates for operating systems, applications, drivers, firmware, and relevant platform services to reduce exposure to known weaknesses that can enable or support persistence setup.
- Harden administrative workflows by separating routine user activity from automation-management permissions, especially for cloud event rules, office workflows, installer execution, and endpoint configuration mechanisms.
- Build recovery playbooks that include trigger enumeration and cleanup, not only malware file removal, because the persistence mechanism may reinvoke malicious content after reboot, logon, user activity, or cloud events.
Analyst notes and limits
This object is a parent ATT&CK technique with many platform-specific sub-techniques. The most useful assessment is therefore not whether T1546 is covered generically, but whether each relevant trigger class is inventoried, logged, and governed in the organization’s actual Windows, Linux, macOS, SaaS, IaaS, and Office Suite estate. Relationship context identifies DET0010 as a detection strategy and M1026 Privileged Account Management plus M1051 Update Software as mitigations. ATT&CK also relates this behavior to KV Botnet Activity and software including XCSSET, Pacu, and UPSTYLE, but those relationships should be used for context rather than assumptions about local exposure.
MITRE provides no official detection text for T1546 in the supplied fields. The supplied relationship descriptions are partial for some mitigations and sub-techniques. This take does not assert active exploitation, attribution, or confirmed detection coverage; local telemetry, asset scope, cloud/SaaS configuration, and approved automation baselines are required to determine actual risk and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1546.001 | Change Default File Association | Sub-technique of T1546. |
| Enterprise | T1546.002 | Screensaver | Sub-technique of T1546. |
| Enterprise | T1546.003 | Windows Management Instrumentation Event Subscription | Sub-technique of T1546. |
| Enterprise | T1546.004 | Unix Shell Configuration Modification | Sub-technique of T1546. |
| Enterprise | T1546.005 | Trap | Sub-technique of T1546. |
| Enterprise | T1546.006 | LC_LOAD_DYLIB Addition | Sub-technique of T1546. |
| Enterprise | T1546.007 | Netsh Helper DLL | Sub-technique of T1546. |
| Enterprise | T1546.008 | Accessibility Features | Sub-technique of T1546. |
| Enterprise | T1546.009 | AppCert DLLs | Sub-technique of T1546. |
| Enterprise | T1546.010 | AppInit DLLs | Sub-technique of T1546. |
| Enterprise | T1546.011 | Application Shimming | Sub-technique of T1546. |
| Enterprise | T1546.012 | Image File Execution Options Injection | Sub-technique of T1546. |
| Enterprise | T1546.013 | PowerShell Profile | Sub-technique of T1546. |
| Enterprise | T1546.014 | Emond | Sub-technique of T1546. |
| Enterprise | T1546.015 | Component Object Model Hijacking | Sub-technique of T1546. |
| Enterprise | T1546.016 | Installer Packages | Sub-technique of T1546. |
| Enterprise | T1546.017 | Udev Rules | Sub-technique of T1546. |
| Enterprise | T1546.018 | Python Startup Hooks | Sub-technique of T1546. |
Groups, software, and campaigns
S1091: Pacu
Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.[1]
S1164: UPSTYLE
S0658: XCSSET
XCSSET is a modular macOS malware family delivered through infected Xcode projects and executed when the project is compiled. Active since August 2020, it has been observed installing backdoors and spoofed browsers, collecting data, and encrypting user files. It is composed of SHC-compiled shell scripts and run-only AppleScripts, often hiding in apps that mimic system tools (such as Xcode, Mail, or Notes) or use familiar icons (like Launchpad) to avoid detection.[1][2][3]
C0035: KV Botnet Activity
KV Botnet Activity consisted of exploitation of primarily “end-of-life” small office-home office (SOHO) equipment from manufacturers such as Cisco, NETGEAR, and DrayTek. KV Botnet Activity was used by Volt Typhoon to obfuscate connectivity to victims in multiple critical infrastructure segments, including energy and telecommunication companies and entities based on the US territory of Guam. While the KV Botnet is the most prominent element of this campaign, it overlaps with another botnet cluster referred to as the JDY cluster.[1] This botnet was disrupted by US law enforcement entities in early 2024 after periods of activity from October 2022 through January 2024.[2]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.4 | | Current bundle | a9cae8695590… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Daniel Grzelak. (2016, July 9). Backdooring an AWS account. Retrieved May 27, 2022.
[2] Eric Saraga. (2022, February 2). Using Power Automate for Covert Data Exfiltration in Microsoft 365. Varonis. Retrieved May 27, 2022.
[3] Berk Veral. (2020, March 9). Real-life cybercrime stories from DART, the Microsoft Detection and Response Team. Retrieved May 27, 2022.
[4] Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. FireEye. Retrieved March 30, 2016.
[5] Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. Retrieved July 10, 2017.
[6] Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018.
[7] MITRE ATT&CK. T1546: Event Triggered Execution (mirrored source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.