# T1546 Event Triggered Execution

-----------------------------------------------------------------------

## Technique Description

Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. 

Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.(Citation: FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware)

Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges. 

## Technique Detection

Monitoring for additions or modifications of mechanisms that could be used to trigger event-based execution, especially the addition of abnormal commands such as execution of unknown programs, opening network sockets, or reaching out across the network. Also look for changes that do not line up with updates, patches, or other planned administrative activity. 

These mechanisms may vary by OS, but are typically stored in central repositories that store configuration information such as the Windows Registry, Common Information Model (CIM), and/or specific named files, the last of which can be hashed and compared to known good values. 

Monitor for processes, API/System calls, and other common ways of manipulating these event repositories. 

Tools such as Sysinternals Autoruns can be used to detect changes to execution triggers that could be attempts at persistence. Also look for abnormal process call trees for execution of other commands that could relate to Discovery actions or other techniques.  

Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as making network connections for Command and Control, learning details about the environment through Discovery, and conducting Lateral Movement. 

-----------------------------------------------------------------------

### Tactics:

  * Privilege-Escalation

  * Persistence

### Platforms:

  * Linux

  * macOS

  * Windows

### Data Sources:

  * **Windows Registry:** Windows Registry Key Modification

  * **Process:** Process Creation

  * **File:** File Metadata

  * **File:** File Modification

  * **File:** File Creation

  * **Module:** Module Load

  * **WMI:** WMI Creation

  * **Command:** Command Execution

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1546)

  * [Fireeye Wmi 2015](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf), Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.

  * [Malware Persistence On Os X](https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf), Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. Retrieved July 10, 2017.

  * [Amnesia Malware](https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/), Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is ran. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 20 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres, Zachary Burke

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Information Here

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

## Detection Blindspots

- There are many distinct mechanisms that can implement this technique (see the sub-technique references below), so hunting for it thoroughly may take a considerable amount of time.

## Analytical References

- https://attack.mitre.org/techniques/T1546/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md
- https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1546.003/T1546.003.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md
- https://docs.microsoft.com/en-us/windows/deployment/planning/using-the-sdbinstexe-command-line-tool
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md
- https://docplayer.net/101655589-Tools-used-by-the-uroburos-actors.html

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Monitoring for additions or modifications of mechanisms that could be used to trigger event-based execution, especially the addition of abnormal commands such as execution of unknown programs, opening network sockets, or reaching out across the network. Also look for changes that do not line up with updates, patches, or other planned administrative activity.
- Tools such as Sysinternals Autoruns can be used to detect changes to execution triggers that could be attempts at persistence. Also look for abnormal process call trees for execution of other commands that could relate to Discovery actions or other techniques.
- Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process.
- Accessibility features: an adversary can attach cmd.exe (or another executable) to one of these benign accessibility binaries, typically through the Image File Execution Options key covered in Analytic 4, so that invoking the feature runs the attached program. The binaries to watch are:
    - On-Screen Keyboard: C:\Windows\System32\osk.exe
    - Magnifier: C:\Windows\System32\Magnify.exe
    - Narrator: C:\Windows\System32\Narrator.exe
    - Display Switcher: C:\Windows\System32\DisplaySwitch.exe
    - App Switcher: C:\Windows\System32\AtBroker.exe
    - Shift Key (pressed 5 times): C:\Windows\System32\sethc.exe
    - Windows + U key combination: C:\Windows\System32\utilman.exe

#### Analytic 1

  * **Information:** Change Default File Association

  * **Source:** SYSMON, Windows Audits

  * **Tool:** Kibana

  * **Notes:** Look for file associations being changed to an unexpected handler, such as: assoc .hta=notepad.exe. Note that assoc is a cmd.exe built-in, not a separate process, so it appears in the command line of cmd.exe rather than as a process name.

  * **Query:** ```process.name : cmd.exe AND process.command.line : *assoc*```


#### Analytic 2

  * **Information:** Screensaver

  * **Source:** SYSMON, Windows Audits

  * **Tool:** Kibana

  * **Notes:** Search for .scr files being set as the screensaver under this registry key, then check whether those .scr files are suspicious.

  * **Query:** ```process.name : reg.exe AND registry.key : HKCU\Control Panel\Desktop\*```


#### Analytic 3

  * **Information:** WMI Event Subscription

  * **Source:** SYSMON, Windows Audits

  * **Tool:** Kibana

  * **Notes:** Look for these event IDs (Sysmon 19, 20 and 21 for WMI event filter, consumer and filter-to-consumer binding activity; Windows 5861 for a new consumer-to-filter binding). They are normally rare, so any occurrence should immediately raise suspicion.

  * **Query:** ```event.code : (19 or 20 or 21 or 5861)```


#### Analytic 4

  * **Information:** Accessibility Features (Sticky Keys; sethc.exe)

  * **Source:** SYSMON, Windows Audits

  * **Tool:** Kibana

  * **Notes:** Check for executables being added under this registry key for the accessibility binaries listed in the hunter notes above.

  * **Query:** ```registry.key : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*```


#### Analytic 5

  * **Information:** AppInit DLLs

  * **Source:** SYSMON, Windows Audits

  * **Tool:** Kibana

  * **Notes:** An adversary may modify the AppInit_DLLs value. DLLs listed there are loaded by every process that loads user32.dll, so the malicious DLL runs in each of those processes. Look at the following values:
    - AppInit_DLLs (should be null)
    - LoadAppInit_DLLs (should be 0)
    - RequiresSignedAppInit_DLLs (should be 1)

  * **Query_1:** ```registry.value : *AppInit*```
  
  * **Query_2:** ```registry.path : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs```


#### Analytic 6

  * **Information:** Image File Execution Options (IFEO) Injection

  * **Source:** SYSMON, Windows Audits

  * **Tool:** Kibana

  * **Notes:** Look for new or modified subkeys under this registry key, particularly any that attach an unexpected executable to a legitimate binary.

  * **Query_1:** ```process.name : reg.exe AND process.command.line : *add*```
  
  * **Query_2:** ```registry.path : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*```


#### Analytic 7

  * **Information:** PowerShell Profile

  * **Source:** SYSMON

  * **Tool:** Kibana

  * **Notes:** Look for new profiles being created or previous ones being edited.

  * **Query_1:** ```event.code : 11 and file.name : *profile*.ps1```


#### Analytic 8

  * **Information:** Component Object Model Hijacking

  * **Source:** SYSMON, Windows Audits

  * **Tool:** Kibana

  * **Notes:** Search for InprocServer32 and, for each hit, review the process name, registry path, registry value, and winlog.event_data.details to see which DLL the COM class now points to.

  * **Query_1:** ```*InprocServer32*```
      - Note: This is a "fuzzy" / sloppy search (a leading-wildcard match across all fields). Keep your resource utilization in mind when running searches like this!
  
  * **Query_2:** ```registry.path : HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID*```
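
The following is an added example, not part of the original playbook: a small Python detector that applies the checks from the WMI Event Subscription, Accessibility Features, Image File Execution Options, AppInit DLLs and Component Object Model Hijacking analytics above to constructed Sysmon-style events. The flat ECS-style keys (event.code, registry.path, registry.value, registry.data), the host names, the DLL path and the CLSID are all assumptions or placeholders; the "trusted directory" test for InprocServer32 is only a starting heuristic.

```python
import re

WMI_EVENT_CODES = {"19", "20", "21", "5861"}  # Sysmon WMI filter/consumer/binding, Windows binding
ACCESSIBILITY_BINS = {"osk.exe", "magnify.exe", "narrator.exe", "displayswitch.exe",  # hunter notes
                      "atbroker.exe", "sethc.exe", "utilman.exe"}
APPINIT_EXPECTED = {"appinit_dlls": "", "loadappinit_dlls": "0",  # expected data per the analytic
                    "requiressignedappinit_dlls": "1"}
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")  # COM heuristic, tune as needed

def check_event(ev):
    """Return (label, reason) findings for one flat event dict with assumed ECS-style keys:
    event.code, registry.path (key plus value name), registry.value, registry.data."""
    findings = []
    code = str(ev.get("event.code", ""))
    path = ev.get("registry.path", "").lower()
    name = ev.get("registry.value", "").lower()
    data = ev.get("registry.data", "").strip()
    if code in WMI_EVENT_CODES:
        findings.append(("WMI", f"event subscription activity (event {code})"))
    m = re.search(r"image file execution options\\([^\\]+)\\debugger$", path)
    if m:
        label = "IFEO-accessibility" if m.group(1) in ACCESSIBILITY_BINS else "IFEO"
        findings.append((label, f"Debugger for {m.group(1)} set to {data!r}"))
    if "\\currentversion\\windows\\" in path and name in APPINIT_EXPECTED:
        dword = re.search(r"0x([0-9a-fA-F]+)", data)  # Sysmon renders DWORDs as hex text
        observed = str(int(dword.group(1), 16)) if dword else data
        if observed != APPINIT_EXPECTED[name]:
            findings.append(("AppInit", f"{name} = {data!r}, expected {APPINIT_EXPECTED[name]!r}"))
    if "\\classes\\clsid\\" in path and "inprocserver32" in path:
        if not data.lower().startswith(TRUSTED_DLL_DIRS):
            findings.append(("COM", f"InprocServer32 points outside trusted dirs: {data!r}"))
    return findings

def scan(events):
    """Run check_event over every event and return (host, (label, reason)) hits."""
    return [(ev.get("host", "?"), f) for ev in events for f in check_event(ev)]

# Constructed sample events (not real telemetry); the CLSID is a placeholder
IFEO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
APPINIT_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
SAMPLE_EVENTS = [
    {"host": "ws01", "event.code": "13", "registry.path": IFEO_KEY + r"\sethc.exe\Debugger",
     "registry.value": "Debugger", "registry.data": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws01", "event.code": "13", "registry.path": APPINIT_KEY + r"\LoadAppInit_DLLs",
     "registry.value": "LoadAppInit_DLLs", "registry.data": "DWORD (0x00000001)"},
    {"host": "ws02", "event.code": "21"},
    {"host": "ws02", "event.code": "13", "registry.value": "(Default)",
     "registry.path": r"HKLM\SOFTWARE\Classes\CLSID\{CONSTRUCTED-CLSID}\InprocServer32\(Default)",
     "registry.data": r"C:\Users\Public\payload.dll"},
]
```

Running `scan(SAMPLE_EVENTS)` yields one hit per sample event; an AppInit_DLLs value that is still empty, or an InprocServer32 DLL under System32, produces none.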


-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

