title: Event Triggered Execution (T1546)
id: df00tech-t1546
status: experimental
description: "Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Adversaries abuse these mechanisms — including WMI event subscriptions, screensaver hijacking, PowerShell profile modification, AppInit DLLs, IFEO injection, COM hijacking, accessibility feature replacement, Unix shell configuration modification, and application shimming — to execute malicious code automatically when specific system events occur. Since the execution can be proxied by an account with higher permissions such as SYSTEM or service accounts, adversaries may escalate privileges through these triggered execution mechanisms."
references:
  - https://attack.mitre.org/techniques/T1546/
  - https://df00tech.com/detections/T1546
author: df00tech
date: 2026/03/15
tags:
  - attack.t1546
# NOTE: logsource is auto-derived and may need adjustment for your environment. process_creation only sees
# launches such as sdbinst.exe; IFEO, AppInit_DLLs, COM and screensaver changes arrive as registry_set events
# and WMI subscriptions as wmi_event, so most mechanisms in the description need additional logsources.
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder: this detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # EventID: '*' matches every process_creation event, so at level high this rule must not be deployed as-is.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Software installation routines that legitimately modify AppInit_DLLs or register COM objects, especially third-party security tools (AV/EDR agents), accessibility software, or application frameworks"
  - "Developer tools (Visual Studio, WinDbg) setting IFEO Debugger values for debugging purposes"
  - "Administrative scripts creating WMI subscriptions for legitimate monitoring (SCCM, WMI-based health checks, vendor management tools)"
  - sdbinst.exe invocations during application compatibility fixes from IT teams applying vendor-supplied shim databases
  - Group Policy or MDM pushing screensaver configuration changes to enforce screen lock policies
  - PowerShell profile creation by developers customizing their shell environment via VS Code or PowerShell ISE
level: high
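The mechanisms listed in the description, written out as concrete Sigma-style selections and run over sample events. This is an added example for this page, not the df00tech rule or its KQL/SPL query: the events are constructed Sysmon-style records (EventID 1 process creation, EventID 13 registry value set, EventID 21 WMI consumer-to-filter binding), the field names follow Sysmon's schema, and the registry key paths, the `(Default)` value naming and the sub-technique labels are the author's assumptions for illustration.

```python
"""Sigma-style matcher for the T1546 mechanisms named in the description.

Added example for this page, not the df00tech rule or its KQL/SPL query.
Events are constructed Sysmon-style records (EventID 1 process creation,
EventID 13 registry value set, EventID 21 WMI consumer-to-filter binding);
field names follow Sysmon, the key paths and sub-technique labels are the
author's assumptions for illustration, and no event here is a captured log.
"""

# Sigma selection semantics: entries in one rule are AND-ed, the values
# under one entry are OR-ed. Modifiers: eq, contains, endswith.
RULES = {
    "T1546.012 IFEO Debugger set": [
        ("EventID", "eq", [13]),
        ("TargetObject", "contains", ["\\Image File Execution Options\\"]),
        ("TargetObject", "endswith", ["\\Debugger"]),
    ],
    "T1546.010 AppInit_DLLs set": [
        ("EventID", "eq", [13]),
        ("TargetObject", "endswith", ["\\Windows\\AppInit_DLLs",
                                      "\\Windows\\LoadAppInit_DLLs"]),
    ],
    "T1546.003 WMI event subscription": [
        ("EventID", "eq", [19, 20, 21]),   # Sysmon WmiEvent filter/consumer/binding
    ],
    "T1546.011 Application shim installed": [
        ("EventID", "eq", [1]),
        ("Image", "endswith", ["\\sdbinst.exe"]),
    ],
    "T1546.002 Screensaver path changed": [
        ("EventID", "eq", [13]),
        ("TargetObject", "endswith", ["\\Control Panel\\Desktop\\SCRNSAVE.EXE"]),
    ],
    "T1546.015 COM hijack in a user hive": [
        ("EventID", "eq", [13]),
        ("TargetObject", "contains", ["\\Software\\Classes\\CLSID\\"]),
        ("TargetObject", "endswith", ["\\InprocServer32\\(Default)",
                                      "\\LocalServer32\\(Default)"]),
    ],
}


def _holds(event, field, modifier, values):
    """Evaluate one (field, modifier, values) entry against an event."""
    value = event.get(field)
    if value is None:
        return False
    if modifier == "eq":
        return value in values
    text = str(value).lower()          # Sigma string matching is case-insensitive
    if modifier == "contains":
        return any(v.lower() in text for v in values)
    if modifier == "endswith":
        return any(text.endswith(v.lower()) for v in values)
    raise ValueError(f"unknown modifier {modifier!r}")


def match_rules(event, rules=RULES):
    """Names of the rules whose entries all hold for this event."""
    return [name for name, entries in rules.items()
            if all(_holds(event, *e) for e in entries)]


def scan(events, rules=RULES):
    """Run every rule over every event; returns [(RecordId, rule name), ...]."""
    return [(ev["RecordId"], name) for ev in events for name in match_rules(ev, rules)]


IFEO = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options"
SAMPLE_EVENTS = [  # constructed sample records, not captured logs
    {"RecordId": 1, "EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\notes.txt"},                         # benign
    {"RecordId": 2, "EventID": 13, "TargetObject": IFEO + "\\sethc.exe\\Debugger",
     "Details": "C:\\Windows\\System32\\cmd.exe"},      # accessibility feature via IFEO
    {"RecordId": 3, "EventID": 13, "Details": "C:\\ProgramData\\hook.dll",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs"},
    {"RecordId": 4, "EventID": 21, "Operation": "Created",
     "Consumer": 'CommandLineEventConsumer.Name="Updater"',
     "Filter": '__EventFilter.Name="LogonFilter"'},
    {"RecordId": 5, "EventID": 1, "Image": "C:\\Windows\\System32\\sdbinst.exe",
     "CommandLine": "sdbinst.exe -q C:\\Users\\Public\\fix.sdb"},
    {"RecordId": 6, "EventID": 13, "Details": "C:\\Users\\u\\AppData\\Roaming\\evil.dll",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Classes\\CLSID\\"
                     "{11111111-2222-3333-4444-555555555555}\\InprocServer32\\(Default)"},
    {"RecordId": 7, "EventID": 13, "Details": "1.2.3",
     "TargetObject": "HKLM\\SOFTWARE\\Vendor\\App\\Version"},              # benign
]

if __name__ == "__main__":
    for record_id, name in scan(SAMPLE_EVENTS):
        print(f"record {record_id}: {name}")
```

Records 1 and 7 produce no hit; records 2 to 6 each fire exactly one rule, with the sethc.exe IFEO write also being the accessibility-feature case. The entries in `falsepositives` map directly onto these selections: an IT-driven `sdbinst.exe` run or an installer writing AppInit_DLLs matches the same entries as an attacker would, so in production each selection needs a filter on the parent process or signer before it can carry level high.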
