Event Triggered Execution (T1546)

View on ATT&CK

In Playbook

Associated Tactics

  • Privilege Escalation
  • Persistence

Privilege Escalation (TA0004)

The adversary is trying to gain higher-level permissions. Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include: * SYSTEM/root level * local administrator * user account with admin-like access * user accounts with access to specific system or perform specific function These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context.

View on ATT&CK

Procedure Examples

Description Source(s)
Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016. FireEye WMI 2015
Berk Veral. (2020, March 9). Real-life cybercrime stories from DART, the Microsoft Detection and Response Team. Retrieved May 27, 2022. Microsoft DART Case Report 001
Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018. amnesia malware
Daniel Grzelak. (2016, July 9). Backdooring an AWS account. Retrieved May 27, 2022. Backdooring an AWS account
Eric Saraga. (2022, February 2). Using Power Automate for Covert Data Exfiltration in Microsoft 365. Retrieved May 27, 2022. Varonis Power Automate Data Exfiltration
Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. Retrieved July 10, 2017. Malware Persistence on OS X