Esc
Event Triggered Execution - T1546
(ATT&CK® Technique)
Definition
Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR; T1546["Event Triggered Execution"] --> |creates| Shim["Shim"]; class T1546 OffensiveTechniqueNode; class Shim ArtifactNode; click Shim href "/dao/artifact/d3f:Shim"; click T1546 href "/offensive-technique/attack/T1546/"; click Shim href "/dao/artifact/d3f:Shim"; T1546["Event Triggered Execution"] --> |invokes| CreateProcess["Create Process"]; class T1546 OffensiveTechniqueNode; class CreateProcess ArtifactNode; click CreateProcess href "/dao/artifact/d3f:CreateProcess"; click T1546 href "/offensive-technique/attack/T1546/"; click CreateProcess href "/dao/artifact/d3f:CreateProcess"; T1546["Event Triggered Execution"] --> |modifies| EventLog["Event Log"]; class T1546 OffensiveTechniqueNode; class EventLog ArtifactNode; click EventLog href "/dao/artifact/d3f:EventLog"; click T1546 href "/offensive-technique/attack/T1546/"; click EventLog href "/dao/artifact/d3f:EventLog"; T1546["Event Triggered Execution"] --> |modifies| ConfigurationResource["Configuration Resource"]; class T1546 OffensiveTechniqueNode; class ConfigurationResource ArtifactNode; click ConfigurationResource href "/dao/artifact/d3f:ConfigurationResource"; click T1546 href "/offensive-technique/attack/T1546/"; click ConfigurationResource href "/dao/artifact/d3f:ConfigurationResource"; T1546["Event Triggered Execution"] --> |creates| ExecutableFile["Executable File"]; class T1546 OffensiveTechniqueNode; class ExecutableFile ArtifactNode; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile"; click T1546 href "/offensive-technique/attack/T1546/"; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile"; T1546["Event Triggered Execution"] --> |may-create| IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"]; class T1546 OffensiveTechniqueNode; class IntranetAdministrativeNetworkTraffic ArtifactNode; click IntranetAdministrativeNetworkTraffic href "/dao/artifact/d3f:IntranetAdministrativeNetworkTraffic"; click T1546 href "/offensive-technique/attack/T1546/"; click IntranetAdministrativeNetworkTraffic href "/dao/artifact/d3f:IntranetAdministrativeNetworkTraffic"; T1546["Event Triggered Execution"] --> |produces| IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"]; class T1546 OffensiveTechniqueNode; class IntranetAdministrativeNetworkTraffic ArtifactNode; click IntranetAdministrativeNetworkTraffic href "/dao/artifact/d3f:IntranetAdministrativeNetworkTraffic"; click T1546 href "/offensive-technique/attack/T1546/"; click IntranetAdministrativeNetworkTraffic href "/dao/artifact/d3f:IntranetAdministrativeNetworkTraffic"; T1546["Event Triggered Execution"] --> |may-modify| SystemConfigurationDatabaseRecord["System Configuration Database Record"]; class T1546 OffensiveTechniqueNode; class SystemConfigurationDatabaseRecord ArtifactNode; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord"; click T1546 href "/offensive-technique/attack/T1546/"; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord"; T1546["Event Triggered Execution"] --> |modifies| SystemConfigurationDatabaseRecord["System Configuration Database Record"]; class T1546 OffensiveTechniqueNode; class SystemConfigurationDatabaseRecord ArtifactNode; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord"; click T1546 href "/offensive-technique/attack/T1546/"; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord"; T1546["Event Triggered Execution"] --> |loads| ExecutableBinary["Executable Binary"]; class T1546 OffensiveTechniqueNode; class ExecutableBinary ArtifactNode; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary"; click T1546 href "/offensive-technique/attack/T1546/"; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary"; T1546["Event Triggered Execution"] --> |loads| SharedLibraryFile["Shared Library File"]; class T1546 OffensiveTechniqueNode; class SharedLibraryFile ArtifactNode; click SharedLibraryFile href "/dao/artifact/d3f:SharedLibraryFile"; click T1546 href "/offensive-technique/attack/T1546/"; click SharedLibraryFile href "/dao/artifact/d3f:SharedLibraryFile"; T1546["Event Triggered Execution"] --> |may-create| ExecutableScript["Executable Script"]; class T1546 OffensiveTechniqueNode; class ExecutableScript ArtifactNode; click ExecutableScript href "/dao/artifact/d3f:ExecutableScript"; click T1546 href "/offensive-technique/attack/T1546/"; click ExecutableScript href "/dao/artifact/d3f:ExecutableScript"; T1546["Event Triggered Execution"] --> |may-create| PropertyListFile["Property List File"]; class T1546 OffensiveTechniqueNode; class PropertyListFile ArtifactNode; click PropertyListFile href "/dao/artifact/d3f:PropertyListFile"; click T1546 href "/offensive-technique/attack/T1546/"; click PropertyListFile href "/dao/artifact/d3f:PropertyListFile"; T1546["Event Triggered Execution"] --> |may-modify| ExecutableBinary["Executable Binary"]; class T1546 OffensiveTechniqueNode; class ExecutableBinary ArtifactNode; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary"; click T1546 href "/offensive-technique/attack/T1546/"; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary"; T1546["Event Triggered Execution"] --> |may-modify| ExecutableScript["Executable Script"]; class T1546 OffensiveTechniqueNode; class ExecutableScript ArtifactNode; click ExecutableScript href "/dao/artifact/d3f:ExecutableScript"; click T1546 href "/offensive-technique/attack/T1546/"; click ExecutableScript href "/dao/artifact/d3f:ExecutableScript"; T1546["Event Triggered Execution"] --> |may-modify| PropertyListFile["Property List File"]; class T1546 OffensiveTechniqueNode; class PropertyListFile ArtifactNode; click PropertyListFile href "/dao/artifact/d3f:PropertyListFile"; click T1546 href "/offensive-technique/attack/T1546/"; click PropertyListFile href "/dao/artifact/d3f:PropertyListFile"; T1546["Event Triggered Execution"] --> |modifies| ExecutableBinary["Executable Binary"]; class T1546 OffensiveTechniqueNode; class ExecutableBinary ArtifactNode; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary"; click T1546 href "/offensive-technique/attack/T1546/"; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary"; T1546["Event Triggered Execution"] --> |modifies| UserInitConfigurationFile["User Init Configuration File"]; class T1546 OffensiveTechniqueNode; class UserInitConfigurationFile ArtifactNode; click UserInitConfigurationFile href "/dao/artifact/d3f:UserInitConfigurationFile"; click T1546 href "/offensive-technique/attack/T1546/"; click UserInitConfigurationFile href "/dao/artifact/d3f:UserInitConfigurationFile"; T1546["Event Triggered Execution"] --> |modifies| PowerShellProfileScript["PowerShell Profile Script"]; class T1546 OffensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click PowerShellProfileScript href "/dao/artifact/d3f:PowerShellProfileScript"; click T1546 href "/offensive-technique/attack/T1546/"; click PowerShellProfileScript href "/dao/artifact/d3f:PowerShellProfileScript"; T1546["Event Triggered Execution"] --> |modifies| ShimDatabase["Shim Database"]; class T1546 OffensiveTechniqueNode; class ShimDatabase ArtifactNode; click ShimDatabase href "/dao/artifact/d3f:ShimDatabase"; click T1546 href "/offensive-technique/attack/T1546/"; click ShimDatabase href "/dao/artifact/d3f:ShimDatabase"; T1546["Event Triggered Execution"] --> |executes| Command["Command"]; class T1546 OffensiveTechniqueNode; class Command ArtifactNode; click Command href "/dao/artifact/d3f:Command"; click T1546 href "/offensive-technique/attack/T1546/"; click Command href "/dao/artifact/d3f:Command"; T1546["Event Triggered Execution"] --> |modifies| SystemConfigurationDatabase["System Configuration Database"]; class T1546 OffensiveTechniqueNode; class SystemConfigurationDatabase ArtifactNode; click SystemConfigurationDatabase href "/dao/artifact/d3f:SystemConfigurationDatabase"; click T1546 href "/offensive-technique/attack/T1546/"; click SystemConfigurationDatabase href "/dao/artifact/d3f:SystemConfigurationDatabase"; T1546["Event Triggered Execution"] --> |produces| Process["Process"]; class T1546 OffensiveTechniqueNode; class Process ArtifactNode; click Process href "/dao/artifact/d3f:Process"; click T1546 href "/offensive-technique/attack/T1546/"; click Process href "/dao/artifact/d3f:Process"; DecoyFile["Decoy File"] --> | spoofs | UserInitConfigurationFile["User Init Configuration File"]; DecoyFile["Decoy File"] -.-> | may-deceive | T1546["Event Triggered Execution"] ; class DecoyFile DefensiveTechniqueNode; class UserInitConfigurationFile ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; DecoyFile["Decoy File"] --> | spoofs | ExecutableBinary["Executable Binary"]; class DecoyFile DefensiveTechniqueNode; class ExecutableBinary ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; DecoyFile["Decoy File"] --> | spoofs | SharedLibraryFile["Shared Library File"]; class DecoyFile DefensiveTechniqueNode; class SharedLibraryFile ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; DecoyFile["Decoy File"] --> | spoofs | ExecutableScript["Executable Script"]; class DecoyFile DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; DecoyFile["Decoy File"] --> | spoofs | PropertyListFile["Property List File"]; class DecoyFile DefensiveTechniqueNode; class PropertyListFile ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; DecoyFile["Decoy File"] --> | spoofs | PowerShellProfileScript["PowerShell Profile Script"]; class DecoyFile DefensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; DecoyFile["Decoy File"] --> | spoofs | ExecutableFile["Executable File"]; class DecoyFile DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; DynamicAnalysis["Dynamic Analysis"] --> | analyzes | PowerShellProfileScript["PowerShell Profile Script"]; DynamicAnalysis["Dynamic Analysis"] -.-> | may-detect | T1546["Event Triggered Execution"] ; class DynamicAnalysis DefensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; DynamicAnalysis["Dynamic Analysis"] --> | analyzes | ExecutableFile["Executable File"]; class DynamicAnalysis DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; DynamicAnalysis["Dynamic Analysis"] --> | analyzes | ExecutableBinary["Executable Binary"]; class DynamicAnalysis DefensiveTechniqueNode; class ExecutableBinary ArtifactNode; click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | ExecutableBinary["Executable Binary"]; EmulatedFileAnalysis["Emulated File Analysis"] -.-> | may-detect | T1546["Event Triggered Execution"] ; class EmulatedFileAnalysis DefensiveTechniqueNode; class ExecutableBinary ArtifactNode; click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | ExecutableFile["Executable File"]; class EmulatedFileAnalysis DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | PowerShellProfileScript["PowerShell Profile Script"]; class EmulatedFileAnalysis DefensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; DynamicAnalysis["Dynamic Analysis"] --> | analyzes | ExecutableScript["Executable Script"]; class DynamicAnalysis DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | ExecutableScript["Executable Script"]; class EmulatedFileAnalysis DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; Client-serverPayloadProfiling["Client-server Payload Profiling"] --> | analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"]; Client-serverPayloadProfiling["Client-server Payload Profiling"] -.-> | may-detect | T1546["Event Triggered Execution"] ; class Client-serverPayloadProfiling DefensiveTechniqueNode; class IntranetAdministrativeNetworkTraffic ArtifactNode; click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; AdministrativeNetworkActivityAnalysis["Administrative Network Activity Analysis"] --> | analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"]; AdministrativeNetworkActivityAnalysis["Administrative Network Activity Analysis"] -.-> | may-detect | T1546["Event Triggered Execution"] ; class AdministrativeNetworkActivityAnalysis DefensiveTechniqueNode; class IntranetAdministrativeNetworkTraffic ArtifactNode; click AdministrativeNetworkActivityAnalysis href "/technique/d3f:AdministrativeNetworkActivityAnalysis"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] --> | analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"]; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.-> | may-detect | T1546["Event Triggered Execution"] ; class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode; class IntranetAdministrativeNetworkTraffic ArtifactNode; click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection"; ConnectionAttemptAnalysis["Connection Attempt Analysis"] --> | analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"]; ConnectionAttemptAnalysis["Connection Attempt Analysis"] -.-> | may-detect | T1546["Event Triggered Execution"] ; class ConnectionAttemptAnalysis DefensiveTechniqueNode; class IntranetAdministrativeNetworkTraffic ArtifactNode; click ConnectionAttemptAnalysis href "/technique/d3f:ConnectionAttemptAnalysis"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] --> | analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"]; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.-> | may-detect | T1546["Event Triggered Execution"] ; class NetworkTrafficCommunityDeviation DefensiveTechniqueNode; class IntranetAdministrativeNetworkTraffic ArtifactNode; click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation"; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] --> | analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"]; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.-> | may-detect | T1546["Event Triggered Execution"] ; class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode; class IntranetAdministrativeNetworkTraffic ArtifactNode; click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] --> | analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"]; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.-> | may-detect | T1546["Event Triggered Execution"] ; class RemoteTerminalSessionDetection DefensiveTechniqueNode; class IntranetAdministrativeNetworkTraffic ArtifactNode; click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] --> | analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"]; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.-> | may-detect | T1546["Event Triggered Execution"] ; class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode; class IntranetAdministrativeNetworkTraffic ArtifactNode; click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis"; ProcessSelf-ModificationDetection["Process Self-Modification Detection"] --> | analyzes | Process["Process"]; ProcessSelf-ModificationDetection["Process Self-Modification Detection"] -.-> | may-detect | T1546["Event Triggered Execution"] ; class ProcessSelf-ModificationDetection DefensiveTechniqueNode; class Process ArtifactNode; click ProcessSelf-ModificationDetection href "/technique/d3f:ProcessSelf-ModificationDetection"; SystemCallAnalysis["System Call Analysis"] --> | analyzes | CreateProcess["Create Process"]; SystemCallAnalysis["System Call Analysis"] -.-> | may-detect | T1546["Event Triggered Execution"] ; class SystemCallAnalysis DefensiveTechniqueNode; class CreateProcess ArtifactNode; click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis"; ProcessSpawnAnalysis["Process Spawn Analysis"] --> | analyzes | CreateProcess["Create Process"]; ProcessSpawnAnalysis["Process Spawn Analysis"] -.-> | may-detect | T1546["Event Triggered Execution"] ; class ProcessSpawnAnalysis DefensiveTechniqueNode; class CreateProcess ArtifactNode; click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; ProcessSpawnAnalysis["Process Spawn Analysis"] --> | analyzes | Process["Process"]; class ProcessSpawnAnalysis DefensiveTechniqueNode; class Process ArtifactNode; click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] --> | analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"]; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.-> | may-detect | T1546["Event Triggered Execution"] ; class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode; class IntranetAdministrativeNetworkTraffic ArtifactNode; click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | ExecutableScript["Executable Script"]; FileIntegrityMonitoring["File Integrity Monitoring"] -.-> | may-detect | T1546["Event Triggered Execution"] ; class FileIntegrityMonitoring DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | ExecutableFile["Executable File"]; class FileIntegrityMonitoring DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | ExecutableBinary["Executable Binary"]; class FileIntegrityMonitoring DefensiveTechniqueNode; class ExecutableBinary ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | SharedLibraryFile["Shared Library File"]; class FileIntegrityMonitoring DefensiveTechniqueNode; class SharedLibraryFile ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | PowerShellProfileScript["PowerShell Profile Script"]; class FileIntegrityMonitoring DefensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | PropertyListFile["Property List File"]; class FileIntegrityMonitoring DefensiveTechniqueNode; class PropertyListFile ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | UserInitConfigurationFile["User Init Configuration File"]; class FileIntegrityMonitoring DefensiveTechniqueNode; class UserInitConfigurationFile ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; ProcessSuspension["Process Suspension"] --> | suspends | Process["Process"]; ProcessSuspension["Process Suspension"] -.-> | may-evict | T1546["Event Triggered Execution"] ; class ProcessSuspension DefensiveTechniqueNode; class Process ArtifactNode; click ProcessSuspension href "/technique/d3f:ProcessSuspension"; HostShutdown["Host Shutdown"] --> | terminates | Process["Process"]; HostShutdown["Host Shutdown"] -.-> | may-evict | T1546["Event Triggered Execution"] ; class HostShutdown DefensiveTechniqueNode; class Process ArtifactNode; click HostShutdown href "/technique/d3f:HostShutdown"; ProcessTermination["Process Termination"] --> | terminates | Process["Process"]; ProcessTermination["Process Termination"] -.-> | may-evict | T1546["Event Triggered Execution"] ; class ProcessTermination DefensiveTechniqueNode; class Process ArtifactNode; click ProcessTermination href "/technique/d3f:ProcessTermination"; FileEviction["File Eviction"] --> | deletes | ExecutableScript["Executable Script"]; FileEviction["File Eviction"] -.-> | may-evict | T1546["Event Triggered Execution"] ; class FileEviction DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click FileEviction href "/technique/d3f:FileEviction"; FileEviction["File Eviction"] --> | deletes | ExecutableFile["Executable File"]; class FileEviction DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileEviction href "/technique/d3f:FileEviction"; FileEviction["File Eviction"] --> | deletes | PropertyListFile["Property List File"]; class FileEviction DefensiveTechniqueNode; class PropertyListFile ArtifactNode; click FileEviction href "/technique/d3f:FileEviction"; FileEviction["File Eviction"] --> | deletes | UserInitConfigurationFile["User Init Configuration File"]; class FileEviction DefensiveTechniqueNode; class UserInitConfigurationFile ArtifactNode; click FileEviction href "/technique/d3f:FileEviction"; FileEviction["File Eviction"] --> | deletes | ExecutableBinary["Executable Binary"]; class FileEviction DefensiveTechniqueNode; class ExecutableBinary ArtifactNode; click FileEviction href "/technique/d3f:FileEviction"; FileEviction["File Eviction"] --> | deletes | SharedLibraryFile["Shared Library File"]; class FileEviction DefensiveTechniqueNode; class SharedLibraryFile ArtifactNode; click FileEviction href "/technique/d3f:FileEviction"; FileEviction["File Eviction"] --> | deletes | PowerShellProfileScript["PowerShell Profile Script"]; class FileEviction DefensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click FileEviction href "/technique/d3f:FileEviction"; FileEncryption["File Encryption"] --> | encrypts | ExecutableScript["Executable Script"]; FileEncryption["File Encryption"] -.-> | may-harden | T1546["Event Triggered Execution"] ; class FileEncryption DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; FileEncryption["File Encryption"] --> | encrypts | SharedLibraryFile["Shared Library File"]; class FileEncryption DefensiveTechniqueNode; class SharedLibraryFile ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; FileEncryption["File Encryption"] --> | encrypts | ExecutableBinary["Executable Binary"]; class FileEncryption DefensiveTechniqueNode; class ExecutableBinary ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; SoftwareUpdate["Software Update"] --> | updates | Shim["Shim"]; SoftwareUpdate["Software Update"] -.-> | may-harden | T1546["Event Triggered Execution"] ; class SoftwareUpdate DefensiveTechniqueNode; class Shim ArtifactNode; click SoftwareUpdate href "/technique/d3f:SoftwareUpdate"; FileEncryption["File Encryption"] --> | encrypts | PowerShellProfileScript["PowerShell Profile Script"]; class FileEncryption DefensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; SystemConfigurationPermissions["System Configuration Permissions"] --> | restricts | SystemConfigurationDatabase["System Configuration Database"]; SystemConfigurationPermissions["System Configuration Permissions"] -.-> | may-harden | T1546["Event Triggered Execution"] ; class SystemConfigurationPermissions DefensiveTechniqueNode; class SystemConfigurationDatabase ArtifactNode; click SystemConfigurationPermissions href "/technique/d3f:SystemConfigurationPermissions"; FileEncryption["File Encryption"] --> | encrypts | ExecutableFile["Executable File"]; class FileEncryption DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; FileEncryption["File Encryption"] --> | encrypts | UserInitConfigurationFile["User Init Configuration File"]; class FileEncryption DefensiveTechniqueNode; class UserInitConfigurationFile ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; FileEncryption["File Encryption"] --> | encrypts | PropertyListFile["Property List File"]; class FileEncryption DefensiveTechniqueNode; class PropertyListFile ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | PowerShellProfileScript["PowerShell Profile Script"]; ExecutableAllowlisting["Executable Allowlisting"] -.-> | may-isolate | T1546["Event Triggered Execution"] ; class ExecutableAllowlisting DefensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | ExecutableFile["Executable File"]; class ExecutableAllowlisting DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | ExecutableScript["Executable Script"]; class ExecutableAllowlisting DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableAllowlisting["Executable Allowlisting"] --> | filters | CreateProcess["Create Process"]; class ExecutableAllowlisting DefensiveTechniqueNode; class CreateProcess ArtifactNode; click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | ExecutableBinary["Executable Binary"]; class ExecutableAllowlisting DefensiveTechniqueNode; class ExecutableBinary ArtifactNode; click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableDenylisting["Executable Denylisting"] --> | blocks | PowerShellProfileScript["PowerShell Profile Script"]; ExecutableDenylisting["Executable Denylisting"] -.-> | may-isolate | T1546["Event Triggered Execution"] ; class ExecutableDenylisting DefensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; ExecutableDenylisting["Executable Denylisting"] --> | blocks | ExecutableScript["Executable Script"]; class ExecutableDenylisting DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; ExecutableDenylisting["Executable Denylisting"] --> | blocks | ExecutableFile["Executable File"]; class ExecutableDenylisting DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] --> | restricts | CreateProcess["Create Process"]; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.-> | may-isolate | T1546["Event Triggered Execution"] ; class Hardware-basedProcessIsolation DefensiveTechniqueNode; class CreateProcess ArtifactNode; click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; ExecutableDenylisting["Executable Denylisting"] --> | blocks | ExecutableBinary["Executable Binary"]; class ExecutableDenylisting DefensiveTechniqueNode; class ExecutableBinary ArtifactNode; click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; ExecutableDenylisting["Executable Denylisting"] --> | filters | CreateProcess["Create Process"]; class ExecutableDenylisting DefensiveTechniqueNode; class CreateProcess ArtifactNode; click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] --> | isolates | Process["Process"]; class Hardware-basedProcessIsolation DefensiveTechniqueNode; class Process ArtifactNode; click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; Application-basedProcessIsolation["Application-based Process Isolation"] --> | isolates | Process["Process"]; Application-basedProcessIsolation["Application-based Process Isolation"] -.-> | may-isolate | T1546["Event Triggered Execution"] ; class Application-basedProcessIsolation DefensiveTechniqueNode; class Process ArtifactNode; click Application-basedProcessIsolation href "/technique/d3f:Application-basedProcessIsolation"; Kernel-basedProcessIsolation["Kernel-based Process Isolation"] --> | isolates | Process["Process"]; Kernel-basedProcessIsolation["Kernel-based Process Isolation"] -.-> | may-isolate | T1546["Event Triggered Execution"] ; class Kernel-basedProcessIsolation DefensiveTechniqueNode; class Process ArtifactNode; click Kernel-basedProcessIsolation href "/technique/d3f:Kernel-basedProcessIsolation"; LocalFilePermissions["Local File Permissions"] --> | restricts | ExecutableScript["Executable Script"]; LocalFilePermissions["Local File Permissions"] -.-> | may-isolate | T1546["Event Triggered Execution"] ; class LocalFilePermissions DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; LocalFilePermissions["Local File Permissions"] --> | restricts | SharedLibraryFile["Shared Library File"]; class LocalFilePermissions DefensiveTechniqueNode; class SharedLibraryFile ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; LocalFilePermissions["Local File Permissions"] --> | restricts | ExecutableBinary["Executable Binary"]; class LocalFilePermissions DefensiveTechniqueNode; class ExecutableBinary ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; LocalFilePermissions["Local File Permissions"] --> | restricts | ExecutableFile["Executable File"]; class LocalFilePermissions DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; LocalFilePermissions["Local File Permissions"] --> | restricts | PropertyListFile["Property List File"]; class LocalFilePermissions DefensiveTechniqueNode; class PropertyListFile ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; LocalFilePermissions["Local File Permissions"] --> | restricts | UserInitConfigurationFile["User Init Configuration File"]; class LocalFilePermissions DefensiveTechniqueNode; class UserInitConfigurationFile ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; LocalFilePermissions["Local File Permissions"] --> | restricts | PowerShellProfileScript["PowerShell Profile Script"]; class LocalFilePermissions DefensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; NetworkTrafficFiltering["Network Traffic Filtering"] --> | filters | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"]; NetworkTrafficFiltering["Network Traffic Filtering"] -.-> | may-isolate | T1546["Event Triggered Execution"] ; class NetworkTrafficFiltering DefensiveTechniqueNode; class IntranetAdministrativeNetworkTraffic ArtifactNode; click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering"; SystemCallFiltering["System Call Filtering"] --> | isolates | Process["Process"]; SystemCallFiltering["System Call Filtering"] -.-> | may-isolate | T1546["Event Triggered Execution"] ; class SystemCallFiltering DefensiveTechniqueNode; class Process ArtifactNode; click SystemCallFiltering href "/technique/d3f:SystemCallFiltering"; SystemCallFiltering["System Call Filtering"] --> | filters | CreateProcess["Create Process"]; class SystemCallFiltering DefensiveTechniqueNode; class CreateProcess ArtifactNode; click SystemCallFiltering href "/technique/d3f:SystemCallFiltering"; RestoreFile["Restore File"] --> | restores | UserInitConfigurationFile["User Init Configuration File"]; RestoreFile["Restore File"] -.-> | may-restore | T1546["Event Triggered Execution"] ; class RestoreFile DefensiveTechniqueNode; class UserInitConfigurationFile ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; RestoreFile["Restore File"] --> | restores | PropertyListFile["Property List File"]; class RestoreFile DefensiveTechniqueNode; class PropertyListFile ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; RestoreDatabase["Restore Database"] --> | restores | SystemConfigurationDatabase["System Configuration Database"]; RestoreDatabase["Restore Database"] -.-> | may-restore | T1546["Event Triggered Execution"] ; class RestoreDatabase DefensiveTechniqueNode; class SystemConfigurationDatabase ArtifactNode; click RestoreDatabase href "/technique/d3f:RestoreDatabase"; RestoreConfiguration["Restore Configuration"] --> | restores | SystemConfigurationDatabaseRecord["System Configuration Database Record"]; RestoreConfiguration["Restore Configuration"] -.-> | may-restore | T1546["Event Triggered Execution"] ; class RestoreConfiguration DefensiveTechniqueNode; class SystemConfigurationDatabaseRecord ArtifactNode; click RestoreConfiguration href "/technique/d3f:RestoreConfiguration"; RestoreConfiguration["Restore Configuration"] --> | restores | ConfigurationResource["Configuration Resource"]; class RestoreConfiguration DefensiveTechniqueNode; class ConfigurationResource ArtifactNode; click RestoreConfiguration href "/technique/d3f:RestoreConfiguration"; RestoreConfiguration["Restore Configuration"] --> | restores | ShimDatabase["Shim Database"]; class RestoreConfiguration DefensiveTechniqueNode; class ShimDatabase ArtifactNode; click RestoreConfiguration href "/technique/d3f:RestoreConfiguration"; RestoreFile["Restore File"] --> | restores | SharedLibraryFile["Shared Library File"]; class RestoreFile DefensiveTechniqueNode; class SharedLibraryFile ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; RestoreFile["Restore File"] --> | restores | ExecutableBinary["Executable Binary"]; class RestoreFile DefensiveTechniqueNode; class ExecutableBinary ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; RestoreFile["Restore File"] --> | restores | ExecutableScript["Executable Script"]; class RestoreFile DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; RestoreFile["Restore File"] --> | restores | PowerShellProfileScript["PowerShell Profile Script"]; class RestoreFile DefensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; RestoreFile["Restore File"] --> | restores | ExecutableFile["Executable File"]; class RestoreFile DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; RestoreSoftware["Restore Software"] --> | restores | Shim["Shim"]; RestoreSoftware["Restore Software"] -.-> | may-restore | T1546["Event Triggered Execution"] ; class RestoreSoftware DefensiveTechniqueNode; class Shim ArtifactNode; click RestoreSoftware href "/technique/d3f:RestoreSoftware"; FileAnalysis["File Analysis"] --> | analyzes | PropertyListFile["Property List File"]; FileAnalysis["File Analysis"] -.-> | may-detect | T1546["Event Triggered Execution"] ; class FileAnalysis DefensiveTechniqueNode; class PropertyListFile ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] --> | analyzes | SharedLibraryFile["Shared Library File"]; class FileAnalysis DefensiveTechniqueNode; class SharedLibraryFile ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] --> | analyzes | ExecutableBinary["Executable Binary"]; class FileAnalysis DefensiveTechniqueNode; class ExecutableBinary ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] --> | analyzes | ExecutableFile["Executable File"]; class FileAnalysis DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] --> | analyzes | UserInitConfigurationFile["User Init Configuration File"]; class FileAnalysis DefensiveTechniqueNode; class UserInitConfigurationFile ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] --> | analyzes | ExecutableScript["Executable Script"]; class FileAnalysis DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] --> | analyzes | PowerShellProfileScript["PowerShell Profile Script"]; class FileAnalysis DefensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis"; ProcessLineageAnalysis["Process Lineage Analysis"] --> | analyzes | Process["Process"]; ProcessLineageAnalysis["Process Lineage Analysis"] -.-> | may-detect | T1546["Event Triggered Execution"] ; class ProcessLineageAnalysis DefensiveTechniqueNode; class Process ArtifactNode; click ProcessLineageAnalysis href "/technique/d3f:ProcessLineageAnalysis"; UserSessionInitConfigAnalysis["User Session Init Config Analysis"] --> | analyzes | UserInitConfigurationFile["User Init Configuration File"]; UserSessionInitConfigAnalysis["User Session Init Config Analysis"] -.-> | may-detect | T1546["Event Triggered Execution"] ; class UserSessionInitConfigAnalysis DefensiveTechniqueNode; class UserInitConfigurationFile ArtifactNode; click UserSessionInitConfigAnalysis href "/technique/d3f:UserSessionInitConfigAnalysis"; HostReboot["Host Reboot"] --> | terminates | Process["Process"]; HostReboot["Host Reboot"] -.-> | may-evict | T1546["Event Triggered Execution"] ; class HostReboot DefensiveTechniqueNode; class Process ArtifactNode; click HostReboot href "/technique/d3f:HostReboot"; RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | PropertyListFile["Property List File"]; RemoteFileAccessMediation["Remote File Access Mediation"] -.-> | may-isolate | T1546["Event Triggered Execution"] ; class RemoteFileAccessMediation DefensiveTechniqueNode; class PropertyListFile ArtifactNode; click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"; RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | UserInitConfigurationFile["User Init Configuration File"]; class RemoteFileAccessMediation DefensiveTechniqueNode; class UserInitConfigurationFile ArtifactNode; click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"; RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | ExecutableFile["Executable File"]; class RemoteFileAccessMediation DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"; RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | ExecutableBinary["Executable Binary"]; class RemoteFileAccessMediation DefensiveTechniqueNode; class ExecutableBinary ArtifactNode; click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"; RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | ExecutableScript["Executable Script"]; class RemoteFileAccessMediation DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"; RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | PowerShellProfileScript["PowerShell Profile Script"]; class RemoteFileAccessMediation DefensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"; RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | SharedLibraryFile["Shared Library File"]; class RemoteFileAccessMediation DefensiveTechniqueNode; class SharedLibraryFile ArtifactNode; click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";