Clankerusecase
MITRE ATT&CK detection coverage

T1546 Event Triggered Execution

T1546 — Event Triggered Execution is a MITRE ATT&CK technique in the Privilege Escalation tactic. Clankerusecase tracks 40 detection use cases covering it and 30 threat-intel articles citing it.

Tactics: Privilege Escalation, Persistence
40 use cases · 30 articles · 18 sub-techniques · 2 tactics

Sub-techniques (18)

Use cases covering this technique (40)

- [WEEKLY] Package install lifecycle hook spawns interpreter that reads developer credential stores · Internal install · alerting · DSPDDCS
- Windows AD AdminSDHolder ACL Modified · ESCU actions · alerting · P
- Windows Compatibility Telemetry Suspicious Child Process · ESCU actions · alerting · P
- Windows Compatibility Telemetry Tampering Through Registry · ESCU actions · alerting · P
- [LLM] Shai-Hulud npm worm — shai-hulud-workflow.yml dropped into .github/workflows/ · Bespoke install · alerting · DSΣPDDCS
- [LLM] PeopleSoft XMLDecoder persistence — XML file changes under envmetadata/data/environment · Bespoke install · alerting · DSΣPDDCS
- [LLM] Editor/AI tool auto-execute config file dropped into project tree by package manager or git · Bespoke delivery · hunting · DSΣPDDCS
- [LLM] VS Code/Cursor/Claude/Gemini spawns interpreter referencing folderOpen or SessionStart hook script · Bespoke exploit · alerting · DSΣPDDCS
- [LLM] Malicious AI coding-agent hook configs written to repo (.claude/.gemini/.cursor/.vscode) · Bespoke install · alerting · DSΣPDDCS
- [LLM] node.exe spawned by Code/Cursor/Claude/Gemini executing .github/setup.js · Bespoke exploit · alerting · DSΣPDDCS
- [LLM] Miasma loader artifact written to Python site-packages: .pth, _index.js, .abi3.so · Bespoke install · alerting · DSΣPDDCS
- [LLM] Hades persistence: *-setup.pth file written into Python site-packages · Bespoke install · alerting · DSΣPDDCS
- [LLM] Kitty cat.py Python Backdoor File Drop / Execution (Nx Console Compromise) · Bespoke install · alerting · DSΣPDDCS
- [LLM] Shai-Hulud worm GitHub Action workflow file dropped under .github/workflows · Bespoke install · alerting · DSΣPDDCS
- [LLM] Compromised laravel-lang Composer package: helpers.php in vendor tree · Bespoke delivery · hunting · DSΣPDDCS
- [LLM] Postinstall script execution from compromised @opensearch-project/opensearch package · Bespoke install · hunting · DSΣPDDCS
- [LLM] Mini Shai-Hulud persistence hooks written into .vscode/ and .claude/ configs · Bespoke install · hunting · DSΣPDDCS
- [LLM] Mini Shai-Hulud Claude Code SessionStart hook injection via npm install · Bespoke install · alerting · DSΣPDDCS
- [LLM] VS Code tasks.json folderOpen persistence written by npm install chain · Bespoke install · hunting · DSΣPDDCS
- [LLM] Mini Shai-Hulud Linux daemon persistence: kitty/cat.py and systemd user service · Bespoke install · alerting · DSΣPDDCS
- [LLM] Mini Shai-Hulud router_init.js dropped at npm package root in node_modules · Bespoke install · alerting · DSΣPDDCS
- [LLM] Bun spawned with tanstack_runner.js via npm prepare lifecycle (Mini Shai-Hulud) · Bespoke install · alerting · DSΣPDD
- [LLM] Mini Shai-Hulud persistence to ~/.claude/hooks and .vscode/tasks.json by node/npm/bun · Bespoke install · alerting · DSΣPDD
- [LLM] Shai-Hulud AI coding-agent persistence: .claude/settings.json + .vscode/tasks.json drops · Bespoke install · alerting · DSPDD
- [LLM] Malicious elementary.pth dropped in Python site-packages · Bespoke install · alerting · DSΣPDDCS
- [LLM] Mini Shai-Hulud post-compromise persistence artifacts in .claude/, .vscode/, .github/workflows/ · Bespoke actions · alerting · DSΣPDD
- [LLM] TeamPCP sysmon.py systemd-user persistence on developer host · Bespoke install · alerting · DSΣPDD
- [LLM] Force-install of IDE extension via cmd.exe with --install-extension flag spawned by node host · Bespoke install · alerting · DSΣPDD
- [LLM] litellm_init.pth Python autoload persistence drop · Bespoke install · alerting · DSΣPDDCS
- [LLM] Malicious litellm_init.pth dropped to site-packages by pip (litellm==1.82.8 install artifact) · Bespoke install · alerting · DSΣPDDCS
- [LLM] npm postinstall hook spawning node init.js or child.js (React Native attack pattern) · Bespoke install · alerting · DSΣPDDCS
- [LLM] Secondary payload install: 'npm install -g openclaw' postinstall hook execution · Bespoke install · alerting · DSΣPDDCS
- [LLM] npm/yarn/pnpm/bun lifecycle hook spawning shell or network LOLBin · Bespoke install · hunting · DSΣPDDCS
- [LLM] Sha1-Hulud npm Worm — Drop of setup_bun.js / bun_environment.js / discussion.yaml by node or shell · Bespoke install · hunting · DSΣPDD
- [LLM] Bun/Node executing the Sha1-Hulud worm payload (setup_bun.js / bun_environment.js) · Bespoke install · alerting · DSΣPDDCS
- [LLM] Sha1-Hulud self-hosted GitHub Actions runner deployed under ~/.dev-env (SHA1HULUD) · Bespoke install · alerting · DSΣPDDCS
- [LLM] Shai-Hulud bundle.js dropped on disk (SHA256 + filename hunt) · Bespoke install · hunting · DSΣPDD
- [LLM] GhostAction malicious workflow file added with curl POST to Plesk infrastructure · Bespoke install · alerting · DSΣPDDCS
- [LLM] Shai-Hulud persistence artifact: shai-hulud-workflow.yml file dropped on disk · Bespoke install · alerting · DSΣPDDCS
- [LLM] cups-browsed writing new PPD or config under /etc/cups or /var/cache/cups · Bespoke install · hunting · DSΣPDDCS

Articles citing this technique (30)