Esc
Event Triggered Execution - T1546
(ATT&CK® Technique)
Definition
No definition available.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR; T1546["Event Triggered Execution"] --> |executes| Command["Command"]; class T1546 OffensiveTechniqueNode; class Command ArtifactNode; click Command href "/dao/artifact/d3f:Command"; click T1546 href "/offensive-technique/attack/T1546/"; click Command href "/dao/artifact/d3f:Command"; T1546["Event Triggered Execution"] --> |modifies| SystemConfigurationDatabase["System Configuration Database"]; class T1546 OffensiveTechniqueNode; class SystemConfigurationDatabase ArtifactNode; click SystemConfigurationDatabase href "/dao/artifact/d3f:SystemConfigurationDatabase"; click T1546 href "/offensive-technique/attack/T1546/"; click SystemConfigurationDatabase href "/dao/artifact/d3f:SystemConfigurationDatabase"; T1546["Event Triggered Execution"] --> |produces| Process["Process"]; class T1546 OffensiveTechniqueNode; class Process ArtifactNode; click Process href "/dao/artifact/d3f:Process"; click T1546 href "/offensive-technique/attack/T1546/"; click Process href "/dao/artifact/d3f:Process"; T1546["Event Triggered Execution"] --> |creates| Shim["Shim"]; class T1546 OffensiveTechniqueNode; class Shim ArtifactNode; click Shim href "/dao/artifact/d3f:Shim"; click T1546 href "/offensive-technique/attack/T1546/"; click Shim href "/dao/artifact/d3f:Shim"; T1546["Event Triggered Execution"] --> |invokes| CreateProcess["Create Process"]; class T1546 OffensiveTechniqueNode; class CreateProcess ArtifactNode; click CreateProcess href "/dao/artifact/d3f:CreateProcess"; click T1546 href "/offensive-technique/attack/T1546/"; click CreateProcess href "/dao/artifact/d3f:CreateProcess"; T1546["Event Triggered Execution"] --> |modifies| EventLog["Event Log"]; class T1546 OffensiveTechniqueNode; class EventLog ArtifactNode; click EventLog href "/dao/artifact/d3f:EventLog"; click T1546 href "/offensive-technique/attack/T1546/"; click EventLog href "/dao/artifact/d3f:EventLog"; T1546["Event Triggered Execution"] --> |modifies| ConfigurationResource["Configuration Resource"]; class T1546 OffensiveTechniqueNode; class ConfigurationResource ArtifactNode; click ConfigurationResource href "/dao/artifact/d3f:ConfigurationResource"; click T1546 href "/offensive-technique/attack/T1546/"; click ConfigurationResource href "/dao/artifact/d3f:ConfigurationResource"; T1546["Event Triggered Execution"] --> |creates| ExecutableFile["Executable File"]; class T1546 OffensiveTechniqueNode; class ExecutableFile ArtifactNode; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile"; click T1546 href "/offensive-technique/attack/T1546/"; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile"; T1546["Event Triggered Execution"] --> |may-create| IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"]; class T1546 OffensiveTechniqueNode; class IntranetAdministrativeNetworkTraffic ArtifactNode; click IntranetAdministrativeNetworkTraffic href "/dao/artifact/d3f:IntranetAdministrativeNetworkTraffic"; click T1546 href "/offensive-technique/attack/T1546/"; click IntranetAdministrativeNetworkTraffic href "/dao/artifact/d3f:IntranetAdministrativeNetworkTraffic"; T1546["Event Triggered Execution"] --> |produces| IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"]; class T1546 OffensiveTechniqueNode; class IntranetAdministrativeNetworkTraffic ArtifactNode; click IntranetAdministrativeNetworkTraffic href "/dao/artifact/d3f:IntranetAdministrativeNetworkTraffic"; click T1546 href "/offensive-technique/attack/T1546/"; click IntranetAdministrativeNetworkTraffic href "/dao/artifact/d3f:IntranetAdministrativeNetworkTraffic"; T1546["Event Triggered Execution"] --> |may-modify| SystemConfigurationDatabaseRecord["System Configuration Database Record"]; class T1546 OffensiveTechniqueNode; class SystemConfigurationDatabaseRecord ArtifactNode; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord"; click T1546 href "/offensive-technique/attack/T1546/"; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord"; T1546["Event Triggered Execution"] --> |modifies| SystemConfigurationDatabaseRecord["System Configuration Database Record"]; class T1546 OffensiveTechniqueNode; class SystemConfigurationDatabaseRecord ArtifactNode; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord"; click T1546 href "/offensive-technique/attack/T1546/"; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord"; T1546["Event Triggered Execution"] --> |loads| ExecutableBinary["Executable Binary"]; class T1546 OffensiveTechniqueNode; class ExecutableBinary ArtifactNode; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary"; click T1546 href "/offensive-technique/attack/T1546/"; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary"; T1546["Event Triggered Execution"] --> |loads| SharedLibraryFile["Shared Library File"]; class T1546 OffensiveTechniqueNode; class SharedLibraryFile ArtifactNode; click SharedLibraryFile href "/dao/artifact/d3f:SharedLibraryFile"; click T1546 href "/offensive-technique/attack/T1546/"; click SharedLibraryFile href "/dao/artifact/d3f:SharedLibraryFile"; T1546["Event Triggered Execution"] --> |may-create| ExecutableScript["Executable Script"]; class T1546 OffensiveTechniqueNode; class ExecutableScript ArtifactNode; click ExecutableScript href "/dao/artifact/d3f:ExecutableScript"; click T1546 href "/offensive-technique/attack/T1546/"; click ExecutableScript href "/dao/artifact/d3f:ExecutableScript"; T1546["Event Triggered Execution"] --> |may-create| PropertyListFile["Property List File"]; class T1546 OffensiveTechniqueNode; class PropertyListFile ArtifactNode; click PropertyListFile href "/dao/artifact/d3f:PropertyListFile"; click T1546 href "/offensive-technique/attack/T1546/"; click PropertyListFile href "/dao/artifact/d3f:PropertyListFile"; T1546["Event Triggered Execution"] --> |may-modify| ExecutableBinary["Executable Binary"]; class T1546 OffensiveTechniqueNode; class ExecutableBinary ArtifactNode; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary"; click T1546 href "/offensive-technique/attack/T1546/"; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary"; T1546["Event Triggered Execution"] --> |may-modify| ExecutableScript["Executable Script"]; class T1546 OffensiveTechniqueNode; class ExecutableScript ArtifactNode; click ExecutableScript href "/dao/artifact/d3f:ExecutableScript"; click T1546 href "/offensive-technique/attack/T1546/"; click ExecutableScript href "/dao/artifact/d3f:ExecutableScript"; T1546["Event Triggered Execution"] --> |may-modify| PropertyListFile["Property List File"]; class T1546 OffensiveTechniqueNode; class PropertyListFile ArtifactNode; click PropertyListFile href "/dao/artifact/d3f:PropertyListFile"; click T1546 href "/offensive-technique/attack/T1546/"; click PropertyListFile href "/dao/artifact/d3f:PropertyListFile"; T1546["Event Triggered Execution"] --> |modifies| ExecutableBinary["Executable Binary"]; class T1546 OffensiveTechniqueNode; class ExecutableBinary ArtifactNode; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary"; click T1546 href "/offensive-technique/attack/T1546/"; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary"; T1546["Event Triggered Execution"] --> |modifies| UserInitConfigurationFile["User Init Configuration File"]; class T1546 OffensiveTechniqueNode; class UserInitConfigurationFile ArtifactNode; click UserInitConfigurationFile href "/dao/artifact/d3f:UserInitConfigurationFile"; click T1546 href "/offensive-technique/attack/T1546/"; click UserInitConfigurationFile href "/dao/artifact/d3f:UserInitConfigurationFile"; T1546["Event Triggered Execution"] --> |modifies| PowerShellProfileScript["PowerShell Profile Script"]; class T1546 OffensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click PowerShellProfileScript href "/dao/artifact/d3f:PowerShellProfileScript"; click T1546 href "/offensive-technique/attack/T1546/"; click PowerShellProfileScript href "/dao/artifact/d3f:PowerShellProfileScript"; T1546["Event Triggered Execution"] --> |modifies| ShimDatabase["Shim Database"]; class T1546 OffensiveTechniqueNode; class ShimDatabase ArtifactNode; click ShimDatabase href "/dao/artifact/d3f:ShimDatabase"; click T1546 href "/offensive-technique/attack/T1546/"; click ShimDatabase href "/dao/artifact/d3f:ShimDatabase"; DecoyFile["Decoy File"] --> | spoofs | PowerShellProfileScript["PowerShell Profile Script"]; DecoyFile["Decoy File"] -.-> | May Deceive | T1546["Event Triggered Execution"] ; class DecoyFile DefensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; DecoyFile["Decoy File"] --> | spoofs | UserInitConfigurationFile["User Init Configuration File"]; class DecoyFile DefensiveTechniqueNode; class UserInitConfigurationFile ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; DecoyFile["Decoy File"] --> | spoofs | ExecutableBinary["Executable Binary"]; class DecoyFile DefensiveTechniqueNode; class ExecutableBinary ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; DecoyFile["Decoy File"] --> | spoofs | SharedLibraryFile["Shared Library File"]; class DecoyFile DefensiveTechniqueNode; class SharedLibraryFile ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; DecoyFile["Decoy File"] --> | spoofs | PropertyListFile["Property List File"]; class DecoyFile DefensiveTechniqueNode; class PropertyListFile ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; DecoyFile["Decoy File"] --> | spoofs | ExecutableScript["Executable Script"]; class DecoyFile DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; DecoyFile["Decoy File"] --> | spoofs | ExecutableFile["Executable File"]; class DecoyFile DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; DynamicAnalysis["Dynamic Analysis"] --> | analyzes | ExecutableBinary["Executable Binary"]; DynamicAnalysis["Dynamic Analysis"] -.-> | May Detect | T1546["Event Triggered Execution"] ; class DynamicAnalysis DefensiveTechniqueNode; class ExecutableBinary ArtifactNode; click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; DynamicAnalysis["Dynamic Analysis"] --> | analyzes | PowerShellProfileScript["PowerShell Profile Script"]; class DynamicAnalysis DefensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; DynamicAnalysis["Dynamic Analysis"] --> | analyzes | ExecutableScript["Executable Script"]; class DynamicAnalysis DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | ExecutableBinary["Executable Binary"]; EmulatedFileAnalysis["Emulated File Analysis"] -.-> | May Detect | T1546["Event Triggered Execution"] ; class EmulatedFileAnalysis DefensiveTechniqueNode; class ExecutableBinary ArtifactNode; click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | ExecutableFile["Executable File"]; class EmulatedFileAnalysis DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | ExecutableScript["Executable Script"]; class EmulatedFileAnalysis DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | PowerShellProfileScript["PowerShell Profile Script"]; class EmulatedFileAnalysis DefensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; DynamicAnalysis["Dynamic Analysis"] --> | analyzes | ExecutableFile["Executable File"]; class DynamicAnalysis DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] --> | analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"]; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.-> | May Detect | T1546["Event Triggered Execution"] ; class NetworkTrafficCommunityDeviation DefensiveTechniqueNode; class IntranetAdministrativeNetworkTraffic ArtifactNode; click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] --> | analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"]; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.-> | May Detect | T1546["Event Triggered Execution"] ; class RemoteTerminalSessionDetection DefensiveTechniqueNode; class IntranetAdministrativeNetworkTraffic ArtifactNode; click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; ConnectionAttemptAnalysis["Connection Attempt Analysis"] --> | analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"]; ConnectionAttemptAnalysis["Connection Attempt Analysis"] -.-> | May Detect | T1546["Event Triggered Execution"] ; class ConnectionAttemptAnalysis DefensiveTechniqueNode; class IntranetAdministrativeNetworkTraffic ArtifactNode; click ConnectionAttemptAnalysis href "/technique/d3f:ConnectionAttemptAnalysis"; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] --> | analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"]; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.-> | May Detect | T1546["Event Triggered Execution"] ; class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode; class IntranetAdministrativeNetworkTraffic ArtifactNode; click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; Client-serverPayloadProfiling["Client-server Payload Profiling"] --> | analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"]; Client-serverPayloadProfiling["Client-server Payload Profiling"] -.-> | May Detect | T1546["Event Triggered Execution"] ; class Client-serverPayloadProfiling DefensiveTechniqueNode; class IntranetAdministrativeNetworkTraffic ArtifactNode; click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; AdministrativeNetworkActivityAnalysis["Administrative Network Activity Analysis"] --> | analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"]; AdministrativeNetworkActivityAnalysis["Administrative Network Activity Analysis"] -.-> | May Detect | T1546["Event Triggered Execution"] ; class AdministrativeNetworkActivityAnalysis DefensiveTechniqueNode; class IntranetAdministrativeNetworkTraffic ArtifactNode; click AdministrativeNetworkActivityAnalysis href "/technique/d3f:AdministrativeNetworkActivityAnalysis"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] --> | analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"]; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.-> | May Detect | T1546["Event Triggered Execution"] ; class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode; class IntranetAdministrativeNetworkTraffic ArtifactNode; click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection"; ProcessSpawnAnalysis["Process Spawn Analysis"] --> | analyzes | CreateProcess["Create Process"]; ProcessSpawnAnalysis["Process Spawn Analysis"] -.-> | May Detect | T1546["Event Triggered Execution"] ; class ProcessSpawnAnalysis DefensiveTechniqueNode; class CreateProcess ArtifactNode; click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; ProcessSelf-ModificationDetection["Process Self-Modification Detection"] --> | analyzes | Process["Process"]; ProcessSelf-ModificationDetection["Process Self-Modification Detection"] -.-> | May Detect | T1546["Event Triggered Execution"] ; class ProcessSelf-ModificationDetection DefensiveTechniqueNode; class Process ArtifactNode; click ProcessSelf-ModificationDetection href "/technique/d3f:ProcessSelf-ModificationDetection"; ProcessSpawnAnalysis["Process Spawn Analysis"] --> | analyzes | Process["Process"]; class ProcessSpawnAnalysis DefensiveTechniqueNode; class Process ArtifactNode; click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; SystemCallAnalysis["System Call Analysis"] --> | analyzes | CreateProcess["Create Process"]; SystemCallAnalysis["System Call Analysis"] -.-> | May Detect | T1546["Event Triggered Execution"] ; class SystemCallAnalysis DefensiveTechniqueNode; class CreateProcess ArtifactNode; click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | SharedLibraryFile["Shared Library File"]; FileIntegrityMonitoring["File Integrity Monitoring"] -.-> | May Detect | T1546["Event Triggered Execution"] ; class FileIntegrityMonitoring DefensiveTechniqueNode; class SharedLibraryFile ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | PowerShellProfileScript["PowerShell Profile Script"]; class FileIntegrityMonitoring DefensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | PropertyListFile["Property List File"]; class FileIntegrityMonitoring DefensiveTechniqueNode; class PropertyListFile ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | ExecutableBinary["Executable Binary"]; class FileIntegrityMonitoring DefensiveTechniqueNode; class ExecutableBinary ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | ExecutableFile["Executable File"]; class FileIntegrityMonitoring DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | ExecutableScript["Executable Script"]; class FileIntegrityMonitoring DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | UserInitConfigurationFile["User Init Configuration File"]; class FileIntegrityMonitoring DefensiveTechniqueNode; class UserInitConfigurationFile ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] --> | analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"]; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.-> | May Detect | T1546["Event Triggered Execution"] ; class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode; class IntranetAdministrativeNetworkTraffic ArtifactNode; click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis"; ProcessTermination["Process Termination"] --> | terminates | Process["Process"]; ProcessTermination["Process Termination"] -.-> | May Evict | T1546["Event Triggered Execution"] ; class ProcessTermination DefensiveTechniqueNode; class Process ArtifactNode; click ProcessTermination href "/technique/d3f:ProcessTermination"; ProcessSuspension["Process Suspension"] --> | suspends | Process["Process"]; ProcessSuspension["Process Suspension"] -.-> | May Evict | T1546["Event Triggered Execution"] ; class ProcessSuspension DefensiveTechniqueNode; class Process ArtifactNode; click ProcessSuspension href "/technique/d3f:ProcessSuspension"; HostShutdown["Host Shutdown"] --> | terminates | Process["Process"]; HostShutdown["Host Shutdown"] -.-> | May Evict | T1546["Event Triggered Execution"] ; class HostShutdown DefensiveTechniqueNode; class Process ArtifactNode; click HostShutdown href "/technique/d3f:HostShutdown"; FileRemoval["File Removal"] --> | deletes | ExecutableScript["Executable Script"]; FileRemoval["File Removal"] -.-> | May Evict | T1546["Event Triggered Execution"] ; class FileRemoval DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click FileRemoval href "/technique/d3f:FileRemoval"; FileRemoval["File Removal"] --> | deletes | ExecutableBinary["Executable Binary"]; class FileRemoval DefensiveTechniqueNode; class ExecutableBinary ArtifactNode; click FileRemoval href "/technique/d3f:FileRemoval"; FileRemoval["File Removal"] --> | deletes | PowerShellProfileScript["PowerShell Profile Script"]; class FileRemoval DefensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click FileRemoval href "/technique/d3f:FileRemoval"; FileRemoval["File Removal"] --> | deletes | SharedLibraryFile["Shared Library File"]; class FileRemoval DefensiveTechniqueNode; class SharedLibraryFile ArtifactNode; click FileRemoval href "/technique/d3f:FileRemoval"; FileRemoval["File Removal"] --> | deletes | UserInitConfigurationFile["User Init Configuration File"]; class FileRemoval DefensiveTechniqueNode; class UserInitConfigurationFile ArtifactNode; click FileRemoval href "/technique/d3f:FileRemoval"; FileRemoval["File Removal"] --> | deletes | PropertyListFile["Property List File"]; class FileRemoval DefensiveTechniqueNode; class PropertyListFile ArtifactNode; click FileRemoval href "/technique/d3f:FileRemoval"; FileRemoval["File Removal"] --> | deletes | ExecutableFile["Executable File"]; class FileRemoval DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileRemoval href "/technique/d3f:FileRemoval"; FileEncryption["File Encryption"] --> | encrypts | SharedLibraryFile["Shared Library File"]; FileEncryption["File Encryption"] -.-> | May Harden | T1546["Event Triggered Execution"] ; class FileEncryption DefensiveTechniqueNode; class SharedLibraryFile ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; FileEncryption["File Encryption"] --> | encrypts | PowerShellProfileScript["PowerShell Profile Script"]; class FileEncryption DefensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; FileEncryption["File Encryption"] --> | encrypts | UserInitConfigurationFile["User Init Configuration File"]; class FileEncryption DefensiveTechniqueNode; class UserInitConfigurationFile ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; FileEncryption["File Encryption"] --> | encrypts | PropertyListFile["Property List File"]; class FileEncryption DefensiveTechniqueNode; class PropertyListFile ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; FileEncryption["File Encryption"] --> | encrypts | ExecutableScript["Executable Script"]; class FileEncryption DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; FileEncryption["File Encryption"] --> | encrypts | ExecutableFile["Executable File"]; class FileEncryption DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; FileEncryption["File Encryption"] --> | encrypts | ExecutableBinary["Executable Binary"]; class FileEncryption DefensiveTechniqueNode; class ExecutableBinary ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; LocalFilePermissions["Local File Permissions"] --> | restricts | UserInitConfigurationFile["User Init Configuration File"]; LocalFilePermissions["Local File Permissions"] -.-> | May Harden | T1546["Event Triggered Execution"] ; class LocalFilePermissions DefensiveTechniqueNode; class UserInitConfigurationFile ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; LocalFilePermissions["Local File Permissions"] --> | restricts | ExecutableBinary["Executable Binary"]; class LocalFilePermissions DefensiveTechniqueNode; class ExecutableBinary ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; LocalFilePermissions["Local File Permissions"] --> | restricts | ExecutableFile["Executable File"]; class LocalFilePermissions DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; LocalFilePermissions["Local File Permissions"] --> | restricts | PropertyListFile["Property List File"]; class LocalFilePermissions DefensiveTechniqueNode; class PropertyListFile ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; LocalFilePermissions["Local File Permissions"] --> | restricts | PowerShellProfileScript["PowerShell Profile Script"]; class LocalFilePermissions DefensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; LocalFilePermissions["Local File Permissions"] --> | restricts | SharedLibraryFile["Shared Library File"]; class LocalFilePermissions DefensiveTechniqueNode; class SharedLibraryFile ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; LocalFilePermissions["Local File Permissions"] --> | restricts | ExecutableScript["Executable Script"]; class LocalFilePermissions DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; SystemConfigurationPermissions["System Configuration Permissions"] --> | restricts | SystemConfigurationDatabase["System Configuration Database"]; SystemConfigurationPermissions["System Configuration Permissions"] -.-> | May Harden | T1546["Event Triggered Execution"] ; class SystemConfigurationPermissions DefensiveTechniqueNode; class SystemConfigurationDatabase ArtifactNode; click SystemConfigurationPermissions href "/technique/d3f:SystemConfigurationPermissions"; SoftwareUpdate["Software Update"] --> | updates | Shim["Shim"]; SoftwareUpdate["Software Update"] -.-> | May Harden | T1546["Event Triggered Execution"] ; class SoftwareUpdate DefensiveTechniqueNode; class Shim ArtifactNode; click SoftwareUpdate href "/technique/d3f:SoftwareUpdate"; ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | ExecutableBinary["Executable Binary"]; ExecutableAllowlisting["Executable Allowlisting"] -.-> | May Isolate | T1546["Event Triggered Execution"] ; class ExecutableAllowlisting DefensiveTechniqueNode; class ExecutableBinary ArtifactNode; click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | ExecutableFile["Executable File"]; class ExecutableAllowlisting DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | ExecutableScript["Executable Script"]; class ExecutableAllowlisting DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableAllowlisting["Executable Allowlisting"] --> | restricts | CreateProcess["Create Process"]; class ExecutableAllowlisting DefensiveTechniqueNode; class CreateProcess ArtifactNode; click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableDenylisting["Executable Denylisting"] --> | restricts | CreateProcess["Create Process"]; ExecutableDenylisting["Executable Denylisting"] -.-> | May Isolate | T1546["Event Triggered Execution"] ; class ExecutableDenylisting DefensiveTechniqueNode; class CreateProcess ArtifactNode; click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; ExecutableDenylisting["Executable Denylisting"] --> | blocks | PowerShellProfileScript["PowerShell Profile Script"]; class ExecutableDenylisting DefensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | PowerShellProfileScript["PowerShell Profile Script"]; class ExecutableAllowlisting DefensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] --> | restricts | CreateProcess["Create Process"]; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.-> | May Isolate | T1546["Event Triggered Execution"] ; class Hardware-basedProcessIsolation DefensiveTechniqueNode; class CreateProcess ArtifactNode; click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; ExecutableDenylisting["Executable Denylisting"] --> | blocks | ExecutableBinary["Executable Binary"]; class ExecutableDenylisting DefensiveTechniqueNode; class ExecutableBinary ArtifactNode; click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] --> | isolates | Process["Process"]; class Hardware-basedProcessIsolation DefensiveTechniqueNode; class Process ArtifactNode; click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; ExecutableDenylisting["Executable Denylisting"] --> | blocks | ExecutableFile["Executable File"]; class ExecutableDenylisting DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; ExecutableDenylisting["Executable Denylisting"] --> | blocks | ExecutableScript["Executable Script"]; class ExecutableDenylisting DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; NetworkTrafficFiltering["Network Traffic Filtering"] --> | filters | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"]; NetworkTrafficFiltering["Network Traffic Filtering"] -.-> | May Isolate | T1546["Event Triggered Execution"] ; class NetworkTrafficFiltering DefensiveTechniqueNode; class IntranetAdministrativeNetworkTraffic ArtifactNode; click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering"; RestoreConfiguration["Restore Configuration"] --> | restores | SystemConfigurationDatabaseRecord["System Configuration Database Record"]; RestoreConfiguration["Restore Configuration"] -.-> | May Restore | T1546["Event Triggered Execution"] ; class RestoreConfiguration DefensiveTechniqueNode; class SystemConfigurationDatabaseRecord ArtifactNode; click RestoreConfiguration href "/technique/d3f:RestoreConfiguration"; RestoreDatabase["Restore Database"] --> | restores | SystemConfigurationDatabase["System Configuration Database"]; RestoreDatabase["Restore Database"] -.-> | May Restore | T1546["Event Triggered Execution"] ; class RestoreDatabase DefensiveTechniqueNode; class SystemConfigurationDatabase ArtifactNode; click RestoreDatabase href "/technique/d3f:RestoreDatabase"; RestoreConfiguration["Restore Configuration"] --> | restores | ShimDatabase["Shim Database"]; class RestoreConfiguration DefensiveTechniqueNode; class ShimDatabase ArtifactNode; click RestoreConfiguration href "/technique/d3f:RestoreConfiguration"; RestoreConfiguration["Restore Configuration"] --> | restores | ConfigurationResource["Configuration Resource"]; class RestoreConfiguration DefensiveTechniqueNode; class ConfigurationResource ArtifactNode; click RestoreConfiguration href "/technique/d3f:RestoreConfiguration"; RestoreFile["Restore File"] --> | restores | ExecutableFile["Executable File"]; RestoreFile["Restore File"] -.-> | May Restore | T1546["Event Triggered Execution"] ; class RestoreFile DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; RestoreFile["Restore File"] --> | restores | SharedLibraryFile["Shared Library File"]; class RestoreFile DefensiveTechniqueNode; class SharedLibraryFile ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; RestoreFile["Restore File"] --> | restores | UserInitConfigurationFile["User Init Configuration File"]; class RestoreFile DefensiveTechniqueNode; class UserInitConfigurationFile ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; RestoreFile["Restore File"] --> | restores | PropertyListFile["Property List File"]; class RestoreFile DefensiveTechniqueNode; class PropertyListFile ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; RestoreFile["Restore File"] --> | restores | ExecutableBinary["Executable Binary"]; class RestoreFile DefensiveTechniqueNode; class ExecutableBinary ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; RestoreFile["Restore File"] --> | restores | PowerShellProfileScript["PowerShell Profile Script"]; class RestoreFile DefensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; RestoreFile["Restore File"] --> | restores | ExecutableScript["Executable Script"]; class RestoreFile DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; RestoreSoftware["Restore Software"] --> | restores | Shim["Shim"]; RestoreSoftware["Restore Software"] -.-> | May Restore | T1546["Event Triggered Execution"] ; class RestoreSoftware DefensiveTechniqueNode; class Shim ArtifactNode; click RestoreSoftware href "/technique/d3f:RestoreSoftware"; FileAnalysis["File Analysis"] --> | analyzes | ExecutableScript["Executable Script"]; FileAnalysis["File Analysis"] -.-> | May Detect | T1546["Event Triggered Execution"] ; class FileAnalysis DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] --> | analyzes | SharedLibraryFile["Shared Library File"]; class FileAnalysis DefensiveTechniqueNode; class SharedLibraryFile ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] --> | analyzes | ExecutableFile["Executable File"]; class FileAnalysis DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] --> | analyzes | ExecutableBinary["Executable Binary"]; class FileAnalysis DefensiveTechniqueNode; class ExecutableBinary ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] --> | analyzes | PowerShellProfileScript["PowerShell Profile Script"]; class FileAnalysis DefensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] --> | analyzes | UserInitConfigurationFile["User Init Configuration File"]; class FileAnalysis DefensiveTechniqueNode; class UserInitConfigurationFile ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] --> | analyzes | PropertyListFile["Property List File"]; class FileAnalysis DefensiveTechniqueNode; class PropertyListFile ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis"; ProcessLineageAnalysis["Process Lineage Analysis"] --> | analyzes | Process["Process"]; ProcessLineageAnalysis["Process Lineage Analysis"] -.-> | May Detect | T1546["Event Triggered Execution"] ; class ProcessLineageAnalysis DefensiveTechniqueNode; class Process ArtifactNode; click ProcessLineageAnalysis href "/technique/d3f:ProcessLineageAnalysis"; UserSessionInitConfigAnalysis["User Session Init Config Analysis"] --> | analyzes | UserInitConfigurationFile["User Init Configuration File"]; UserSessionInitConfigAnalysis["User Session Init Config Analysis"] -.-> | May Detect | T1546["Event Triggered Execution"] ; class UserSessionInitConfigAnalysis DefensiveTechniqueNode; class UserInitConfigurationFile ArtifactNode; click UserSessionInitConfigAnalysis href "/technique/d3f:UserSessionInitConfigAnalysis"; HostReboot["Host Reboot"] --> | terminates | Process["Process"]; HostReboot["Host Reboot"] -.-> | May Evict | T1546["Event Triggered Execution"] ; class HostReboot DefensiveTechniqueNode; class Process ArtifactNode; click HostReboot href "/technique/d3f:HostReboot"; MandatoryAccessControl["Mandatory Access Control"] --> | restricts | CreateProcess["Create Process"]; MandatoryAccessControl["Mandatory Access Control"] -.-> | May Isolate | T1546["Event Triggered Execution"] ; class MandatoryAccessControl DefensiveTechniqueNode; class CreateProcess ArtifactNode; click MandatoryAccessControl href "/technique/d3f:MandatoryAccessControl"; MandatoryAccessControl["Mandatory Access Control"] --> | isolates | Process["Process"]; class MandatoryAccessControl DefensiveTechniqueNode; class Process ArtifactNode; click MandatoryAccessControl href "/technique/d3f:MandatoryAccessControl"; SystemCallFiltering["System Call Filtering"] --> | filters | CreateProcess["Create Process"]; SystemCallFiltering["System Call Filtering"] -.-> | May Isolate | T1546["Event Triggered Execution"] ; class SystemCallFiltering DefensiveTechniqueNode; class CreateProcess ArtifactNode; click SystemCallFiltering href "/technique/d3f:SystemCallFiltering";