Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.[1][2][3]
Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.[4][5][6]
Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges.
| ID | Name | Description |
|---|---|---|
| C0035 | KV Botnet Activity |
KV Botnet Activity involves managing events on victim systems via |
| S1091 | Pacu |
Pacu can set up S3 bucket notifications to trigger a malicious Lambda function when a CloudFormation template is uploaded to the bucket. It can also create Lambda functions that trigger upon the creation of users, roles, and groups.[8] |
| ID | Mitigation | Description |
|---|---|---|
| M1026 | Privileged Account Management |
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root. |
| M1051 | Update Software |
Perform regular software updates to mitigate exploitation risk. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0025 | Cloud Service | Cloud Service Modification |
Monitor the creation and modification of cloud resources that may be abused for persistence, such as functions and workflows monitoring cloud events. |
| DS0017 | Command | Command Execution |
Monitor executed commands and arguments that may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. |
| DS0022 | File | File Creation |
Monitor newly constructed files that may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. |
| File Metadata |
Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc. |
||
| File Modification |
Monitor for changes made to files that may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. |
||
| DS0011 | Module | Module Load |
Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as making network connections for Command and Control, learning details about the environment through Discovery, and conducting Lateral Movement. |
| DS0009 | Process | Process Creation |
Tools such as Sysinternals Autoruns can be used to detect changes to execution triggers that could be attempts at persistence. Also look for abnormal process call trees for execution of other commands that could relate to Discovery actions or other techniques. |
| DS0024 | Windows Registry | Windows Registry Key Modification |
Monitor for changes made to windows registry keys and/or values that may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. |
| DS0005 | WMI | WMI Creation |
Monitor for newly constructed WMI Objects that may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. |