T1546.016: Installer Packages
Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.[1]
Using legitimate applications, adversaries have distributed applications with modified installer scripts to execute malicious content. When a user installs the application, they may be required to grant administrative permissions to allow the installation. At the end of the installation process of the legitimate application, content such as macOS `postinstall` scripts can be executed with the inherited elevated permissions. Adversaries can use these scripts to execute a malicious executable or install other malicious components (such as a Launch Daemon) with the elevated permissions.[2][3][4][5]
Depending on the distribution, Linux versions of package installer scripts are sometimes called maintainer scripts or post installation scripts. These scripts can include `preinst`, `postinst`, `prerm`, `postrm` scripts and run as root when executed.
For Windows, the Microsoft Installer service uses `.msi` files to manage the installing, updating, and uninstalling of applications. These installation routines may also include instructions to perform additional actions that may be abused by adversaries.[6]
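To make the Linux case above concrete, here is an added example (not code from ATT&CK, Glexia or the cited sources) that pulls the maintainer scripts out of a `.deb` before deployment and flags actions a reviewer would want justified. The ar/tar layout is the real `.deb` container format; the sample package, the review patterns and the file paths are constructed for the example.

```python
import io, re, tarfile
MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}
# Constructed review heuristics (not from the page): actions a root-run script must justify.
REVIEW_PATTERNS = {
    "fetches remote content": re.compile(r"\b(curl|wget)\b"),
    "writes a systemd unit": re.compile(r"/(etc|lib)/systemd/system/"),
}
def _ar_member(name, data):
    # One ar member: 60-byte fixed-width header, then data padded to an even length.
    hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
    return hdr + data + (b"\n" if len(data) % 2 else b"")

def build_deb(control_files):
    # Minimal .deb for the example: ar archive holding debian-binary and control.tar.gz.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, text in control_files.items():
            info = tarfile.TarInfo("./" + name)
            info.size, info.mode = len(text.encode()), 0o755
            tf.addfile(info, io.BytesIO(text.encode()))
    return (b"!<arch>\n" + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", buf.getvalue()))

def ar_members(blob):
    # Yield (name, bytes) for each member of an ar archive; a real .deb parses the same way.
    pos = 8  # skip the "!<arch>\n" magic
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        name, size = hdr[:16].decode().strip().rstrip("/"), int(hdr[48:58])
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)  # members start on even offsets

def maintainer_scripts(deb_blob):
    # {script_name: text} for the preinst/postinst/prerm/postrm entries in control.tar*.
    for name, data in ar_members(deb_blob):
        if name.startswith("control.tar"):
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
                return {m.name.lstrip("./"): tf.extractfile(m).read().decode()
                        for m in tf.getmembers()
                        if m.isfile() and m.name.lstrip("./") in MAINTAINER_SCRIPTS}
    return {}
def review(deb_blob):
    # Map each maintainer script to the review labels its contents trigger.
    return {script: [label for label, rx in REVIEW_PATTERNS.items() if rx.search(body)]
            for script, body in maintainer_scripts(deb_blob).items()}
# Constructed sample package: its postinst downloads a binary and installs a unit file.
SAMPLE_DEB = build_deb({"control": "Package: example\nVersion: 1.0\n",
    "postinst": "#!/bin/sh\ncurl -o /opt/example/agent https://example.invalid/agent\n"
                "cp /opt/example/agent.service /etc/systemd/system/\n",
    "prerm": "#!/bin/sh\nrm -rf /var/cache/example\n"})
```

Running `review(SAMPLE_DEB)` reports the postinst for both a remote fetch and a systemd unit write, while the prerm is clean; point `maintainer_scripts` at the bytes of a real package to inspect it the same way.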
Analyst context for executives and security teams
Installer packages matter because they are a trusted path for getting code onto endpoints and often run setup scripts with elevated permissions. A malicious or modified installer can turn a normal software installation into persistence or privilege escalation across Windows, macOS, or Linux. For leaders, the key issue is not just malware in an installer, but whether the organization can prove which installers are trusted, what scripts they execute, and whether endpoint telemetry would show unexpected post-install activity.
Executive priority
Prioritize this where users, IT teams, developers, or CI/CD workflows routinely install third-party software or packages. The business risk is that software installation workflows can bypass normal suspicion because they look like approved administration. This technique supports persistence and privilege escalation, so it is relevant to incident response readiness, endpoint control governance, software supply-chain risk, and audit evidence around privileged software deployment.
Technical view
This is a sub-technique of Event Triggered Execution covering installer scripts and installation routines on Linux, macOS, and Windows. Validate visibility into macOS pre/post-install scripts, Linux maintainer scripts such as preinst, postinst, prerm, and postrm, and Windows MSI installation actions. SOC and IR teams should examine whether elevated child processes, dropped executables, Launch Daemon creation, dependency downloads, or other post-install changes are captured and correlated to the originating installer package. ATT&CK also links this technique to DET0330, a detection strategy for installer-package event-triggered execution, and to examples including AppleJeus, Shai-Hulud, and the 3CX Supply Chain Attack context.
Likely telemetry
- Endpoint process creation and parent-child process relationships during software installation
- Installer execution records for .msi packages on Windows
- macOS package install logs and execution of preinstall or postinstall scripts
- Linux package manager logs and maintainer script execution evidence
- File creation or modification events following installer execution
Detection direction
- Baseline legitimate installer behavior by platform so unusual child processes, script execution, or file writes are reviewable without overwhelming analysts.
- Correlate elevated post-install execution with the installer source, package identity, user, host, and subsequent persistence changes.
- Tune detections for installer-spawned executables or scripts that perform actions not typical for the software being installed, while accounting for legitimate enterprise deployment tools.
- Review DET0330 as the ATT&CK-linked detection strategy and map it to locally available endpoint, package manager, and OS installation telemetry.
- Watch for blind spots where installation logs are collected but script contents, child processes, or elevated context are not retained.
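The correlation the list above asks for, as an added example (not Glexia's or ATT&CK's code): process-creation events are walked back to their installer ancestor, and any descendant outside a per-installer baseline is reported together with the package identity (the installer's command line), user and host. The baseline sets, the `Event` shape and the sample events are constructed for the example and must be tuned to real telemetry.

```python
import re
from collections import namedtuple
Event = namedtuple("Event", "host pid ppid image cmdline user")

# Constructed baseline (not from the page): installer images per platform and the
# descendant images each is normally expected to spawn; tune to your own fleet.
INSTALLER_ROOTS = {"msiexec.exe", "installer", "dpkg"}
EXPECTED_DESCENDANTS = {
    "msiexec.exe": {"msiexec.exe"},                      # MSI actions re-spawn msiexec
    "installer": {"sh", "bash", "zsh", "cp", "mkdir"},    # macOS pre/postinstall via a shell
    "dpkg": {"sh", "bash", "dash", "cp", "mkdir", "ln"},  # Debian maintainer scripts via a shell
}

def image_name(path):
    # Basename that works for Windows and POSIX paths regardless of the analysis host.
    return re.split(r"[\\/]", path)[-1]

def installer_root(event, by_key):
    # Walk the parent chain and return the outermost installer process, or None.
    seen, root, cur = set(), None, by_key.get((event.host, event.ppid))
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        if image_name(cur.image) in INSTALLER_ROOTS:
            root = cur  # keep climbing: the outermost installer names the package
        cur = by_key.get((cur.host, cur.ppid))
    return root

def correlate(events):
    # Flag processes descending from an installer that fall outside its baseline and
    # tie each back to the package (installer command line), user and host.
    by_key = {(e.host, e.pid): e for e in events}
    findings = []
    for e in events:
        root = installer_root(e, by_key)
        if root is None:
            continue
        child = image_name(e.image)
        if child not in EXPECTED_DESCENDANTS[image_name(root.image)]:
            findings.append({"host": e.host, "user": e.user, "child": child,
                             "cmdline": e.cmdline, "package": root.cmdline})
    return findings

SAMPLE_EVENTS = [  # constructed process-creation events, not real telemetry
    Event("mac01", 100, 1, "/usr/sbin/installer", "installer -pkg /tmp/Example.pkg -target /", "root"),
    Event("mac01", 101, 100, "/bin/sh", "/bin/sh ./postinstall", "root"),
    Event("mac01", 102, 101, "/bin/launchctl", "launchctl load /Library/LaunchDaemons/com.example.agent.plist", "root"),
    Event("win01", 200, 1, r"C:\Windows\System32\msiexec.exe", r"msiexec.exe /i C:\Temp\Example.msi /qn", "SYSTEM"),
    Event("win01", 201, 200, r"C:\Windows\System32\msiexec.exe", "msiexec.exe /V", "SYSTEM"),
    Event("win01", 202, 201, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Temp\helper.bat", "SYSTEM"),
    Event("lin01", 300, 1, "/usr/bin/vim", "vim notes.txt", "alice"),
]
```

On the sample, `correlate(SAMPLE_EVENTS)` yields two findings: the Launch Daemon load under the macOS package and the `cmd.exe` under the MSI, each carrying the originating package's command line; the unrelated editor process on `lin01` is ignored.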
Mitigation priorities
- Maintain controlled software sources and approval processes for installer packages used by employees, IT, and development teams.
- Limit administrative installation rights where operationally feasible and require accountable elevation workflows.
- Validate installer package integrity and provenance before deployment, especially for third-party or externally obtained software.
- Harden and monitor persistence locations that installers may modify, including macOS Launch Daemons where relevant.
- Ensure incident response playbooks include review of recent software installations, installer scripts, and post-install artifacts when investigating persistence or privilege escalation.
Analyst notes and limits
The supplied ATT&CK object provides no official detection text, so this take derives defensive direction from the description, platforms, tactics, and relationship context. The relationship to the 3CX Supply Chain Attack and named software shows ATT&CK-documented relevance to supply-chain-style installer abuse, but local exposure depends on actual software acquisition and installation practices.
This summary does not assert current exploitation, attribution, or confirmed detection coverage. Platform applicability is limited to Linux, macOS, and Windows as supplied. Specific detection logic, event IDs, and vendor controls require local telemetry validation and are not provided in the official fields here.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1546 | Event Triggered Execution | This object is a sub-technique of Event Triggered Execution. |
Groups, software, and campaigns
S0584: AppleJeus
AppleJeus is a family of downloaders initially discovered in 2018 embedded within trojanized cryptocurrency applications. AppleJeus has been used by Lazarus Group, targeting companies in the energy, finance, government, industry, technology, and telecommunications sectors, and several countries including the United States, United Kingdom, South Korea, Australia, Brazil, New Zealand, and Russia. AppleJeus has been used to distribute the FALLCHILL RAT.[1]
S9008: Shai-Hulud
Shai-Hulud is a supply chain worm, first reported in September 2025, that spreads through code repositories, including GitHub and NPM packages. It exploits CI/CD pipeline dependencies to propagate to victims and poisons the supply chain by publishing malicious packages. Once inside a victim environment, Shai-Hulud steals credentials and access tokens from compromised repository accounts and exfiltrates them to attacker-controlled servers via encoded GitHub Actions workflows.[1][2][3][4][5][6][7]
C0057: 3CX Supply Chain Attack
The 3CX Supply Chain Attack was the first publicly reported case of one supply chain compromise triggering another, leading to a cascading, two-stage intrusion. The initial supply chain attack began when a 3CX employee downloaded and executed a trojanized, end-of-life version of the X_Trader trading software from Trading Technologies. This provided UNC4736, a threat cluster associated with AppleJeus, access to the 3CX environment. From there UNC4736 compromised the Windows and macOS build environments used to distribute the 3CX desktop application to their customers.[1] While 3CX serves more than 600,000 customers and 12 million users, only a subset of systems were affected. Subsequent targeting focused on victims in the defense and cryptocurrency sectors, where attackers deployed secondary payloads such as Gopuram for credential theft and persistence.[2] The campaign began in late 2022 and was disrupted after security vendors publicly reported the compromise in March 2023.[3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 060593e6eee0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Rich Trouton. (2019, August 9). Installer Package Scripting: Making your deployments easier, one ! at a time. Retrieved September 27, 2022.
- [2] Brandon Dalton. (2022, August 9). A bundle of nerves: Tweaking macOS security controls to thwart application bundle manipulation. Retrieved September 27, 2022.
- [3] Patrick Wardle. (2020, June 29). OSX.EvilQuest Uncovered part i: infection, persistence, and more!. Retrieved March 18, 2021.
- [4] Global Research & Analysis Team, Kaspersky Lab (GReAT). (2018, August 23). Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware. Retrieved September 27, 2022.
- [5] Debian Policy Manual v4.6.1.1. (2022, August 14). Package maintainer scripts and installation procedure. Retrieved September 27, 2022.
- [6] Microsoft. (2021, January 7). Installation Procedure Tables Group. Retrieved December 27, 2023.
- [7] mitre-attack: T1546.016 (MITRE ATT&CK source record).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.