Event Triggered Execution T1546
Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.
Events covered
32 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 139 rules on this page: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (61 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators rule authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (657 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.
Exclusions (203 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.
Sigma 75 rules
- AdminSDHolder permissions changed for persistence
- Change Default File Association To Executable Via Assoc
- Change Default File Association Via Assoc
- COM Hijack via Sdclt
- COM Hijacking via TreatAs
- COM Object Hijacking Via Modification Of Default System CLSID Default Value
- Control Panel Items
- HAFNIUM Exchange Exploitation Activity
- MSSQL Extended Stored Procedure Backdoor Maggie
- Netsh helper DLL abuse (process)
- Netsh helper DLL abuse (Reg via Sysmon)
- New ActiveScriptEventConsumer Created Via Wmic.EXE
- New DLL Added to AppCertDlls Registry Key
- New DLL Added to AppInit_DLLs Registry Key
- New Netsh Helper DLL Registered From A Suspicious Location
- New Outlook Macro Created
- Outlook Macro Execution Without Warning Setting Enabled
- Path To Screensaver Binary Modified
- Persistence Via Sticky Key Backdoor
- Potential COM Object Hijacking Via TreatAs Subkey - Registry
- Potential Persistence Using DebugPath
- Potential Persistence Via App Paths Default Property
- Potential Persistence Via AppCompat RegisterAppRestart Layer
- Potential Persistence Via GlobalFlags
- Potential Persistence Via Netsh Helper DLL
- Potential Persistence Via Netsh Helper DLL - Registry
- Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
- Potential Persistence Via PowerShell User Profile Using Add-Content
- Potential Persistence Via Scrobj.dll COM Hijacking
- Potential Persistence Via Shim Database In Uncommon Location
- Potential Persistence Via Shim Database Modification
- Potential Privilege Escalation Using Symlink Between Osk and Cmd
- Potential PSFactoryBuffer COM Hijacking
- Potential Remote WMI ActiveScriptEventConsumers Activity
- Potential Shim Database Persistence via Sdbinst.EXE
- Potential Suspicious Activity Using SeCEdit
- PowerShell Profile Modification
- Powershell WMI Persistence
- Registry Modification of MS-settings Protocol Handler
- Rundll32 Registered COM Objects
- Session Manager Autorun Keys Modification
- Shell Open Registry Keys Manipulation
- SOURGUM Actor Behaviours
- Stickey key called CMD via command execution
- Stickey key called CMD via command execution (hash detection)
- Stickey key IFEO (Reg via command)
- Stickey key IFEO registry changed (Reg via Sysmon)
- Sticky key file created from CMD copy
- Sticky Key Like Backdoor Execution
- Sticky Key Like Backdoor Usage - Registry
- Sticky key sethc command for replacement by CMD
- Sticky key sethc file failed replacement
- Suspicious Debugger Registration Cmdline
- Suspicious Encoded Scripts in a WMI Consumer
- Suspicious Get-Variable.exe Creation
- Suspicious GetTypeFromCLSID ShellExecute
- Suspicious Outlook Macro Created
- Suspicious ScreenSave Change by Reg.exe
- Suspicious Screensaver Binary File Creation
- Suspicious Shell Open Command Registry Modification
- Suspicious Shim Database Patching Activity
- System crash behavior manipulation - WMImplant (registry)
- Uncommon Extension Shim Database Installation Via Sdbinst.EXE
- VsCode Powershell Profile Modification
- WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load
- WMI Backdoor Exchange Transport Agent
- WMI Event Subscription
- WMI Persistence
- WMI Persistence - Command Line Event Consumer
- WMI Persistence - Script Event Consumer
- WMI Persistence - Script Event Consumer File Write
- WMI Persistence - Security
- WMI registration
- WMI registration (PowerShell)
- Writing Local Admin Share
Elastic 15 rules
- Component Object Model Hijacking
- Image File Execution Options Injection
- Installation of Custom Shim Databases
- Mofcomp Activity
- Netsh Helper DLL
- Persistence via WMI Event Subscription
- Potential Application Shimming via Sdbinst
- Potential Modification of Accessibility Binaries
- Potential RemoteMonologue Attack
- Registry Persistence via AppCert DLL
- Registry Persistence via AppInit DLL
- Suspicious WerFault Child Process
- Suspicious WMI Event Subscription Created
- Uncommon Registry Persistence Change
- Werfault ReflectDebugger Persistence
Splunk 39 rules
- Access Common Package Config file (EDR)
- Access Common Package Config file (PowerShell)
- Access Common Package Config file (Sysmon)
- Access Common Package Config file (Windows Event Log)
- Command Line Utility Added to Accessibility Features (PowerShell)
- Command Line Utility Added to Accessibility Features (Sysmon)
- Command Line Utility Added to Accessibility Features (Windows Event Log)
- Detect WMI Event Subscription Persistence
- Overwriting Accessibility Binaries
- Powershell COM Hijacking InprocServer32 Modification
- Powershell Execute COM Object
- Registry Keys for Creating SHIM Databases
- Registry Keys Used For Privilege Escalation
- Rundll32 Spawned by Disk Cleanup (Sysmon)
- Rundll32 Spawned by Disk Cleanup (Windows Event Log)
- Screensaver Event Trigger Execution
- Shim Database File Creation
- Shim Database Installation With Suspicious Parameters
- Suspicious DLLhost Execution (EDR)
- Suspicious DLLhost Execution (PowerShell)
- Suspicious DLLhost Execution (Windows Event Log)
- Suspicious Execution of Accessibility Tool Debuggers (Sysmon)
- Suspicious Execution of Accessibility Tool Debuggers (Windows Event Log)
- Suspicious InprocServer32 Registry Modification (Sysmon)
- Suspicious InprocServer32 Registry Modification (Windows Event Log)
- Suspicious Registry Key Created (PowerShell)
- Suspicious Registry Key Created (Windows Event Log)
- Windows AD AdminSDHolder ACL Modified
- Windows AppCertDLL Modification Via Command Line
- Windows Change File Association Command To Notepad
- Windows COM Hijacking InprocServer32 Modification
- Windows Compatibility Telemetry Suspicious Child Process
- Windows Compatibility Telemetry Tampering Through Registry
- Windows Event Triggered Image File Execution Options Injection
- Windows MOF Event Triggered Execution via WMI
- Windows New Default File Association Value Set
- WMI Permanent Event Subscription - Sysmon
- WMI subscription execution (Sysmon)
- WMI subscription execution (Windows Event Log)
Kusto 10 rules
- Caramel Tsunami Actor IOC - July 2021
- Component Object Model Hijacking - Vault7 trick
- Modification of Accessibility Features
- Powershell Empire Cmdlets Executed in Command Line
- Registry Persistence via AppCert DLL Modification
- Registry Persistence via AppInit DLLs Modification
- SUNBURST and SUPERNOVA backdoor hashes
- SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)
- SUNBURST network beacons
- Zinc Actor IOCs files - October 2022