Event Triggered Execution

Event triggered execution refers to techniques in which an adversary tampers with a system's or application's event-response mechanism so that malicious code runs automatically once a specific condition is met; it is commonly used for persistence or privilege escalation. The technique abuses the operating system's built-in automation frameworks (such as Windows scheduled tasks or Unix cron jobs) or application event-handling interfaces to bind malicious behaviour tightly to legitimate system activity. Defenders typically detect it by monitoring changes to key registry paths, analysing anomalies in process-creation context, and verifying the integrity of system components, and they apply the principle of least privilege to limit what event-triggered components are allowed to execute.

To evade traditional detection that watches fixed registry keys, static file signatures, or anomalous process chains, adversaries have developed deeply parasitic event-trigger techniques: through dynamic configuration injection, abuse of cloud-native services, and obfuscation of the execution environment, malicious trigger logic is embedded seamlessly into routine system operations, a new "Event-as-a-Service" attack pattern.

The current evolution of stealth in event-triggered execution shows three common traits. First, the attack surface is migrating to cloud-native architectures, where the complexity and scale of cloud event buses dilute anomalous signals. Second, the execution vehicle is bound tightly to core system components, hiding "in plain sight" by hijacking frequently running system processes or services. Third, trigger mechanisms are becoming dynamic, with environment-aware decision logic adjusting activation conditions and execution parameters at run time. Concretely, system event-subscription masquerading reuses management frameworks such as WMI so that malicious code inherits the same trust level as system administration tools; cloud-service trigger parasitism exploits the encrypted internal communication and resource autonomy of cloud platforms to build an attack channel entirely outside traditional network monitoring; and dynamic registry hijacking combined with process life-cycle control keeps refining trigger precision and execution stealth, achieving deep concealment with "no new files, no anomalous processes, and activation outside normal hours".

ID: T1546
Sub-techniques: T1546.001, T1546.002, T1546.003, T1546.004
Platforms: IaaS, Linux, Office Suite, SaaS, Windows, macOS
Version: 1.4
Created: 22 January 2020
Last Modified: 15 October 2024

Concealment Effects

Effect Type Present
Signature Masquerading
Behavioural Transparency
Data Obscuring
Spatiotemporal Trace Dispersal

Signature Masquerading

By fully reusing the native event-handling framework of the system or cloud platform, the adversary makes the malicious trigger configuration indistinguishable from legitimate configuration in its data structures, API call sequences, and other dimensions. For example, cloud-service trigger parasitism strictly follows the platform's event-format specification, so the malicious function binding appears in console audit logs as an ordinary resource-configuration operation.

Behavioural Transparency

Zero-day vulnerabilities or undocumented system mechanisms (such as a specific ETW provider) are used to load the event-subscription module invisibly, so that the critical link in the attack chain escapes monitoring by existing detection tools. For example, process life-cycle hijacking may use undocumented kernel callback interfaces to establish an event-monitoring channel without the defender's knowledge.

Data Obscuring

Encrypted storage of trigger configuration (for example, protecting registry values with Windows DPAPI), obfuscated cloud-function logic (multi-layer dynamic decryption), and memory-resident techniques that avoid writing to disk effectively hide the attack's fingerprints. In cloud scenarios, the platform's key-management service can additionally be used for end-to-end encryption.

Spatiotemporal Trace Dispersal

Trigger frequency and activation conditions are adjusted dynamically so that malicious code execution is spread across the system's normal operational cycle. For example, execution may be triggered only on monthly patch day alongside system-update events, or paced according to cloud-service load peaks, so that the activity blends entirely into the target environment's business rhythm.

Procedure Examples

ID Name Description
C0035 KV Botnet Activity

KV Botnet Activity involves managing events on victim systems via libevent to execute a callback function when any running process contains the following references in their path without also having a reference to bioset: busybox, wget, curl, tftp, telnetd, or lua. If the bioset string is not found, the related process is terminated.[1]

S1091 Pacu

Pacu can set up S3 bucket notifications to trigger a malicious Lambda function when a CloudFormation template is uploaded to the bucket. It can also create Lambda functions that trigger upon the creation of users, roles, and groups.[2]
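The two Pacu triggers above leave configuration-change records in CloudTrail, which is what the DS0025 Cloud Service Modification detection below asks defenders to watch. The following is an added example, not code from the ATT&CK page or from Pacu: it scans a constructed, simplified set of CloudTrail-style records and flags S3 bucket notifications that invoke a Lambda function (with any key-suffix filter, since Pacu keys on template uploads) and EventBridge rules on IAM user/role creation whose target is a Lambda function. The record layout and all names (`infra-templates`, `tpl-hook`, `iam-watch`, account 111122223333) are assumptions.

```python
import json

# Constructed, simplified CloudTrail-style records (not real logs); nesting is abbreviated.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketNotificationConfiguration",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-ci"},
     "requestParameters": {"bucketName": "infra-templates", "NotificationConfiguration": {
         "LambdaFunctionConfiguration": {"Event": "s3:ObjectCreated:*",
             "Function": "arn:aws:lambda:us-east-1:111122223333:function:tpl-hook",
             "Filter": {"S3Key": {"FilterRule": [{"Name": "suffix", "Value": ".template"}]}}}}}},
    {"eventSource": "events.amazonaws.com", "eventName": "PutRule",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-ci"},
     "requestParameters": {"name": "iam-watch", "eventPattern": json.dumps({"source": ["aws.iam"],
         "detail": {"eventSource": ["iam.amazonaws.com"], "eventName": ["CreateUser", "CreateRole"]}})}},
    {"eventSource": "events.amazonaws.com", "eventName": "PutTargets",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-ci"},
     "requestParameters": {"rule": "iam-watch", "targets": [
         {"id": "1", "arn": "arn:aws:lambda:us-east-1:111122223333:function:iam-hook"}]}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",  # benign read, must not be flagged
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-ci"},
     "requestParameters": {"bucketName": "infra-templates", "key": "vpc.template"}},
]

def _as_list(value):
    # CloudTrail renders a single entry as a dict and several entries as a list.
    return value if isinstance(value, list) else ([value] if value else [])

def _suffix_filters(lam):
    rules = _as_list(lam.get("Filter", {}).get("S3Key", {}).get("FilterRule"))
    return [r.get("Value") for r in rules if r.get("Name", "").lower() == "suffix"]

def find_event_triggers(events):
    # Returns (eventName, actor, trigger, target) tuples that deserve triage.
    out = []
    for ev in events:
        name, params = ev.get("eventName"), ev.get("requestParameters") or {}
        actor = ev.get("userIdentity", {}).get("arn", "?")
        if name == "PutBucketNotificationConfiguration":  # S3 event -> Lambda binding
            cfg = params.get("NotificationConfiguration") or {}
            for lam in _as_list(cfg.get("LambdaFunctionConfiguration")):
                trig = "s3://%s %s suffix=%s" % (params.get("bucketName"), lam.get("Event"), _suffix_filters(lam))
                out.append((name, actor, trig, lam.get("Function", "?")))
        elif name == "PutRule":  # EventBridge rule matching IAM principal creation
            detail = json.loads(params.get("eventPattern") or "{}").get("detail", {})
            creates = [e for e in detail.get("eventName", []) if e.startswith("Create")]
            if "iam.amazonaws.com" in detail.get("eventSource", []) and creates:
                out.append((name, actor, "iam:" + ",".join(creates), params.get("name", "?")))
        elif name == "PutTargets":  # rule target that is a Lambda function
            for t in _as_list(params.get("targets")):
                if ":lambda:" in t.get("arn", ""):
                    out.append((name, actor, "rule:" + params.get("rule", "?"), t["arn"]))
    return out
```

Each finding pairs the actor with the trigger and the Lambda target, so a reviewer can check whether that principal is expected to wire functions to bucket or IAM events.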

Mitigations

ID Mitigation Description
M1026 Privileged Account Management

Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.

M1051 Update Software

Perform regular software updates to mitigate exploitation risk.

Detection

ID Data Source Data Component Detects
DS0025 Cloud Service Cloud Service Modification

Monitor the creation and modification of cloud resources that may be abused for persistence, such as functions and workflows monitoring cloud events.

DS0017 Command Command Execution

Monitor executed commands and arguments that may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events.

DS0022 File File Creation

Monitor newly constructed files that may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events.

File Metadata

Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.

File Modification

Monitor for changes made to files that may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events.

DS0011 Module Module Load

Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as making network connections for Command and Control, learning details about the environment through Discovery, and conducting Lateral Movement.

DS0009 Process Process Creation

Tools such as Sysinternals Autoruns can be used to detect changes to execution triggers that could be attempts at persistence. Also look for abnormal process call trees for execution of other commands that could relate to Discovery actions or other techniques.

DS0024 Windows Registry Windows Registry Key Modification

Monitor for changes made to Windows registry keys and/or values that may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events.

DS0005 WMI WMI Creation

Monitor for newly constructed WMI Objects that may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events.

References