Event Triggered Execution (T1546)
Tactics: Privilege Escalation, Persistence
Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.
Events covered
36 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 212 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (128 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (1452 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. A blank cell means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.
Exclusions (632 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.
Sigma 77 rules
- AdminSDHolder permissions changed for persistence
- Change Default File Association To Executable Via Assoc
- Change Default File Association Via Assoc
- COM Hijack via Sdclt
- COM Hijacking via TreatAs
- COM Object Hijacking Via Modification Of Default System CLSID Default Value
- Control Panel Items
- HAFNIUM Exchange Exploitation Activity
- MacOS Emond Launch Daemon
- MSSQL Extended Stored Procedure Backdoor Maggie
- Netsh helper DLL abuse (process)
- Netsh helper DLL abuse (Reg via Sysmon)
- New ActiveScriptEventConsumer Created Via Wmic.EXE
- New DLL Added to AppCertDlls Registry Key
- New DLL Added to AppInit_DLLs Registry Key
- New Netsh Helper DLL Registered From A Suspicious Location
- New Outlook Macro Created
- Outlook Macro Execution Without Warning Setting Enabled
- Path To Screensaver Binary Modified
- Persistence Via Sticky Key Backdoor
- Potential COM Object Hijacking Via TreatAs Subkey - Registry
- Potential Persistence Using DebugPath
- Potential Persistence Via App Paths Default Property
- Potential Persistence Via AppCompat RegisterAppRestart Layer
- Potential Persistence Via GlobalFlags
- Potential Persistence Via Netsh Helper DLL
- Potential Persistence Via Netsh Helper DLL - Registry
- Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
- Potential Persistence Via PowerShell User Profile Using Add-Content
- Potential Persistence Via Scrobj.dll COM Hijacking
- Potential Persistence Via Shim Database In Uncommon Location
- Potential Persistence Via Shim Database Modification
- Potential Privilege Escalation Using Symlink Between Osk and Cmd
- Potential PSFactoryBuffer COM Hijacking
- Potential Remote WMI ActiveScriptEventConsumers Activity
- Potential Shim Database Persistence via Sdbinst.EXE
- Potential Suspicious Activity Using SeCEdit
- PowerShell Profile Modification
- Powershell WMI Persistence
- Registry Modification of MS-settings Protocol Handler
- Rundll32 Registered COM Objects
- Session Manager Autorun Keys Modification
- Shell Open Registry Keys Manipulation
- SOURGUM Actor Behaviours
- Stickey key called CMD via command execution
- Stickey key called CMD via command execution (hash detection)
- Stickey key IFEO (Reg via command)
- Stickey key IFEO registry changed (Reg via Sysmon)
- Sticky key file created from CMD copy
- Sticky Key Like Backdoor Execution
- Sticky Key Like Backdoor Usage - Registry
- Sticky key sethc command for replacement by CMD
- Sticky key sethc file failed replacement
- Suspicious Debugger Registration Cmdline
- Suspicious Encoded Scripts in a WMI Consumer
- Suspicious Get-Variable.exe Creation
- Suspicious GetTypeFromCLSID ShellExecute
- Suspicious Outlook Macro Created
- Suspicious ScreenSave Change by Reg.exe
- Suspicious Screensaver Binary File Creation
- Suspicious Shell Open Command Registry Modification
- Suspicious Shim Database Patching Activity
- System crash behavior manipulation - WMImplant (registry)
- Uncommon Extension Shim Database Installation Via Sdbinst.EXE
- Unix Shell Configuration Modification
- VsCode Powershell Profile Modification
- WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load
- WMI Backdoor Exchange Transport Agent
- WMI Event Subscription
- WMI Persistence
- WMI Persistence - Command Line Event Consumer
- WMI Persistence - Script Event Consumer
- WMI Persistence - Script Event Consumer File Write
- WMI Persistence - Security
- WMI registration
- WMI registration (PowerShell)
- Writing Local Admin Share
Elastic 62 rules
- APT Package Manager Configuration File Creation
- AWS Lambda Function Policy Updated to Allow Public Invocation
- Azure Automation Webhook Created
- Bash Shell Profile Modification
- Component Object Model Hijacking
- Curl Execution via Shell Profile
- D-Bus Service Created
- DNF Package Manager Plugin File Creation
- Docker Release File Creation
- DPKG Package Installed by Unusual Parent Process
- Emond Rules Creation or Modification
- Executable Bit Set for Potential Persistence Script
- Git Hook Child Process
- Git Hook Command Execution
- Git Hook Created or Modified
- Git Hook Egress Network Connection
- GitHub Actions Workflow Modification Blocked
- Image File Execution Options Injection
- Installation of Custom Shim Databases
- Kubernetes Admission Webhook Created or Modified
- Modification of Persistence Relevant Files Detected via Defend for Containers
- Mofcomp Activity
- Netsh Helper DLL
- Network Connection Initiated by Suspicious SSHD Child Process
- NetworkManager Dispatcher Script Creation
- Persistence via Folder Action Script
- Persistence via PowerShell profile
- Persistence via WMI Event Subscription
- Pod or Container Creation with Suspicious Command-Line
- Potential Application Shimming via Sdbinst
- Potential Modification of Accessibility Binaries
- Potential Persistence via Atom Init Script Modification
- Potential Persistence via File Modification
- Potential release_agent Container Escape Detected via Defend for Containers
- Potential RemoteMonologue Attack
- Potential Suspicious File Edit
- Python Path File (pth) Creation
- Python Site or User Customize File Creation
- Registry Persistence via AppCert DLL
- Registry Persistence via AppInit DLL
- RPM Package Installed by Unusual Parent Process
- Screensaver Plist File Modified by Unexpected Process
- Shell Configuration Creation
- Suspicious Apple Mail Rule Plist Modification
- Suspicious APT Package Manager Execution
- Suspicious APT Package Manager Network Connection
- Suspicious Calendar File Modification
- Suspicious Echo or Printf Execution Detected via Defend for Containers
- Suspicious Emond Child Process
- Suspicious File Creation via Pkg Install Script
- Suspicious WerFault Child Process
- Suspicious WMI Event Subscription Created
- Systemd Generator Created
- Systemd-udevd Rule File Creation
- Trap Signals Execution
- Uncommon Registry Persistence Change
- Unexpected Child Process of macOS Screensaver Engine
- Unusual DPKG Execution
- Unusual Process Modifying GenAI Configuration File
- Unusual SSHD Child Process
- Werfault ReflectDebugger Persistence
- Yum Package Manager Plugin File Creation
Splunk 42 rules
- Access Common Package Config file (EDR)
- Access Common Package Config file (PowerShell)
- Access Common Package Config file (Sysmon)
- Access Common Package Config file (Windows Event Log)
- Command Line Utility Added to Accessibility Features (PowerShell)
- Command Line Utility Added to Accessibility Features (Sysmon)
- Command Line Utility Added to Accessibility Features (Windows Event Log)
- Detect WMI Event Subscription Persistence
- Linux Auditd Unix Shell Configuration Modification
- Linux File Creation In Profile Directory
- Linux Possible Append Command To Profile Config File
- Overwriting Accessibility Binaries
- Powershell COM Hijacking InprocServer32 Modification
- Powershell Execute COM Object
- Registry Keys for Creating SHIM Databases
- Registry Keys Used For Privilege Escalation
- Rundll32 Spawned by Disk Cleanup (Sysmon)
- Rundll32 Spawned by Disk Cleanup (Windows Event Log)
- Screensaver Event Trigger Execution
- Shim Database File Creation
- Shim Database Installation With Suspicious Parameters
- Suspicious DLLhost Execution (EDR)
- Suspicious DLLhost Execution (PowerShell)
- Suspicious DLLhost Execution (Windows Event Log)
- Suspicious Execution of Accessibility Tool Debuggers (Sysmon)
- Suspicious Execution of Accessibility Tool Debuggers (Windows Event Log)
- Suspicious InprocServer32 Registry Modification (Sysmon)
- Suspicious InprocServer32 Registry Modification (Windows Event Log)
- Suspicious Registry Key Created (PowerShell)
- Suspicious Registry Key Created (Windows Event Log)
- Windows AD AdminSDHolder ACL Modified
- Windows AppCertDLL Modification Via Command Line
- Windows Change File Association Command To Notepad
- Windows COM Hijacking InprocServer32 Modification
- Windows Compatibility Telemetry Suspicious Child Process
- Windows Compatibility Telemetry Tampering Through Registry
- Windows Event Triggered Image File Execution Options Injection
- Windows MOF Event Triggered Execution via WMI
- Windows New Default File Association Value Set
- WMI Permanent Event Subscription - Sysmon
- WMI subscription execution (Sysmon)
- WMI subscription execution (Windows Event Log)
Kusto 29 rules
- [Deprecated] - Zinc Actor IOCs domains hashes IPs and useragent - October 2022
- ApexOne - Possible exploit or execute operation
- BTP - Cloud Integration artifact deployment
- BTP - Cloud Integration package import or transport
- Caramel Tsunami Actor IOC - July 2021
- Component Object Model Hijacking - Vault7 trick
- Copilot - Plugin Created by Non-Admin User
- Dataminr - urgent alerts detected
- Defender Alert Evidence
- Egress Defend - Dangerous Attachment Detected
- Generate alerts based on ExtraHop detections recommended for triage
- KnowBe4 Defend - Dangerous Attachment Detected
- Mimecast Secure Email Gateway - Internal Email Protect
- Mimecast Secure Email Gateway - Internal Email Protect
- Modification of Accessibility Features
- Powershell Empire Cmdlets Executed in Command Line
- Registry Persistence via AppCert DLL Modification
- Registry Persistence via AppInit DLLs Modification
- Rubrik Threat Monitoring
- SUNBURST and SUPERNOVA backdoor hashes
- SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)
- SUNBURST network beacons
- Vectra Create Detection Alert for Accounts
- Vectra Create Detection Alert for Hosts
- Vectra Create Incident Based on Priority for Accounts
- Vectra Create Incident Based on Priority for Hosts
- Vectra Create Incident Based on Tag for Accounts
- Vectra Create Incident Based on Tag for Hosts
- Zinc Actor IOCs files - October 2022