Event Triggered Execution T1546

Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.

Events covered

32 catalog events are tagged with this technique by at least one rule.

ProviderEventTitle
SysmonEvent ID 1Process creation
SysmonEvent ID 3Network connection
SysmonEvent ID 7Image loaded
SysmonEvent ID 11FileCreate
SysmonEvent ID 12RegistryEvent (Object create and delete)
SysmonEvent ID 13RegistryEvent (Value Set)
SysmonEvent ID 14RegistryEvent (Key and Value Rename)
SysmonEvent ID 19WmiEvent (WmiEventFilter activity detected)
SysmonEvent ID 20WmiEvent (WmiEventConsumer activity detected)
SysmonEvent ID 21WmiEvent (WmiEventConsumerToFilter activity detected)
SysmonEvent ID 23FileDelete (File Delete archived)
SysmonEvent ID 26FileDeleteDetected (File Delete logged)
Security-AuditingEvent ID 4624An account was successfully logged on.
Security-AuditingEvent ID 4656A handle to an object was requested.
Security-AuditingEvent ID 4657A registry value was modified.
Security-AuditingEvent ID 4662An operation was performed on an object.
Security-AuditingEvent ID 4663An attempt was made to access an object.
Security-AuditingEvent ID 4688A new process has been created.
Security-AuditingEvent ID 5136A directory service object was modified.
Security-AuditingEvent ID 5156The Windows Filtering Platform has permitted a connection.
Defender-DeviceFileEventsanyFile activity (any)
Defender-DeviceNetworkEventsanyNetwork activity (any)
Defender-DeviceNetworkEventsConnectionSuccessConnection succeeded
Defender-DeviceRegistryEventsRegistryValueSetRegistry value set
MSSQLSERVEREvent ID 8128Event ID 8128
PowerShellEvent ID 4103Payload Context: ContextInfo User Data: UserData.
PowerShellEvent ID 4104Creating Scriptblock text (MessageNumber of MessageTotal).
ProcessExitMonitorEvent ID 3000The process 'param1' exited with exit code param2.
WMI-ActivityEvent ID 21WMI Events were bound.
WMI-ActivityEvent ID 5859Namespace = Operation_EssStarted.NamespaceName; NotificationQuery = Operation_EssStarted.Query; OwnerName = Operation_EssStarted.User; HostProcessID = Operation_EssStarted.Processid; Provider= Operation_EssStarted.Provider, queryID = Operation_EssStarted.queryid; PossibleCause = Operation_EssStarted.PossibleCause.
WMI-ActivityEvent ID 5861Namespace = Operation_ESStoConsumerBinding.Namespace; Eventfilter = Operation_ESStoConsumerBinding.ESS (refer to its activate eventid:5859); Consumer = Operation_ESStoConsumerBinding.CONSUMER; PossibleCause = Operation_ESStoConsumerBinding.PossibleCause.
PowerShellEvent ID 800Event ID 800

Authoring guide

Patterns shared across the 139 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (61 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
CommandLine38contains 28, regex_match 7, ends_with 2, in 2, match 2, eq 1, is_null 1(?i)(vi|vim|nano|visudo|edit|copy\s+con|cat|more|gc|get-c..., (?i)Debugger.+\x5c(cmd|pwsh|powershell)\.exe, add, displayswitch.exe, (?i)(sethc|utilman|osk|Magnify|Narrator|DisplaySwitch|atb...
TargetObject37contains 17, ends_with 16, wildcard 5, eq 1, match 1, starts_with 1\software\microsoft\netsh, \software\microsoft\windows..., \software\microsoft\windows nt\currentversion\image file..., (?i)debugger, (default)
Image35ends_with 25, eq 7, contains 6, starts_with 2\cmd.exe, \reg.exe, \netsh.exe, \outlook.exe, \powershell.exe
EventID27eq 274688, 1, 13, 4104, 4103
Details24contains 11, eq 8, is_not_null 2, length_compare 2, ge 1, is_null 1, match 1, regex_match 1, wildcard 1(Empty), %temp%, %appdata%, %tmp%, 0
process_name15eq 7, match 4, ends_with 2, regex_match 2(?i)(cmd|cscript|mshta|powershell|pwsh|regsvr32|rundll32|..., (?i)dllhost, (?i)rundll32\.exe, mofcomp.exe, sdbinst.exe
OriginalFileName14eq 13, starts_with 1cmd.exe, reg.exe, powershell.exe, pwsh.dll, sdbinst.exe
event.type13eq 13change, start
parent_process_name13eq 3, regex_match 3, contains 2, match 2, ends_with 1, in 1, is_null 1(?i)(WmiPrvSE), (?i)cleanmgr\.exe, (?i)winlogon\.exe, CompatTelRunner.exe, Utilman.exe
TargetFilename10ends_with 7, contains 3\microsoft\outlook\vbaproject.otm, .scr, \\\\127.0.0, \\\\windows\\\\system32\\\\atbroker.exe, \\\\windows\\\\system32\\\\displayswitch.exe
EventType7eq 6, ne 1SetValue, AUDIT_FAILURE, ConnectionSuccess, CreateKey, RegistryValueSet
ParentImage7ends_with 6, eq 1\winlogon.exe, \edgetransport.exe, \msiexec.exe, \services.exe, \svchost.exe
Type7eq 7
registry_value_name7eq 6, match 1Debugger, (?i)(cmd|pwsh|powershell)\.exe, AppInit_Dlls, Command, GlobalFlag
ScriptBlockText6contains 4, eq 2*createinstance([type]::gettypefromclsid*, *software\\classes\\clsid\\*\\inprocserver32*, -classname __eventfilter , -classname commandlineeventconsumer , -namespace root/subscription

Top indicator values (657 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

FieldKindValueRules (here)Corpus reach
EventIDeq
4688
10312
EventIDeq
1
6232
EventIDeq
13
422
EventIDeq
4104
4268
event.typeeq
change
846
event.typeeq
start
5241
Imageends_with
\cmd.exe
5134
Imageends_with
\reg.exe
460
Imageends_with
\netsh.exe
329
Imageends_with
\powershell.exe
3186
Imageends_with
\pwsh.exe
3172
CommandLinecontains
add
436
CommandLinecontains
sethc.exe
44
CommandLinecontains
displayswitch.exe
33
CommandLinecontains
magnify.exe
33
CommandLinecontains
narrator.exe
33
CommandLinecontains
osk.exe
33
CommandLinecontains
reg add
314
CommandLinecontains
utilman.exe
33
CommandLineregex_match
(?i)(vi|vim|nano|visudo|edit|copy\s+con|cat|more|gc|get-content|type|\>\>|\>)...
44
Detailseq
(Empty)
424
OriginalFileNameeq
reg.exe
442
Detailscontains
%temp%
35
Detailscontains
%tmp%
35
Detailscontains
\appdata\local\temp\
39
Detailscontains
\contacts\
34
Detailscontains
\pictures\
33
Detailscontains
\windows\temp\
35
EventLogeq
Microsoft-Windows-Sysmon/Operational
310
EventTypeeq
SetValue
36

Exclusions (203 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

FieldKindValueRules excluding
Detailseq
(Empty)
4
Imageeq
c:\windows\system32\svchost.exe
3
Imageeq
c:\windows\system32\msiexec.exe
2
Imagewildcard
?:\windows\system32\msiexec.exe
2
user.ideq
S-1-5-18
2
CommandLinecontains
-m -bg
1
CommandLinecontains
-m:
1
CommandLinecontains
/s
1
CommandLinecontains
%system%
1
CommandLinecontains
.exe=exefile
1
CommandLinecontains
.sdb
1
CommandLinecontains
:\program files (x86)\iis express\iisexpressshim.sdb
1
CommandLinecontains
:\program files\iis express\iisexpressshim.sdb
1
CommandLinecontains
\system32\
1
CommandLinecontains
igfxcpl.cpl
1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 75 rules

Elastic 15 rules

Splunk 39 rules

Kusto 10 rules