Event Triggered Execution

Sub-techniques (18)

ID	Name
ATAGS-T1069.001	Accessibility Features
ATAGS-T1069.002	AppCert DLLs
ATAGS-T1069.003	AppInit DLLs
ATAGS-T1069.004	Application Shimming
ATAGS-T1069.005	Change Default File Association
ATAGS-T1069.006	Component Object Model Hijacking
ATAGS-T1069.007	Emond
ATAGS-T1069.008	Image File Execution Options Injection
ATAGS-T1069.009	Installer Packages
ATAGS-T1069.010	LC_LOAD_DYLIB Addition
ATAGS-T1069.011	Netsh Helper DLL
ATAGS-T1069.012	PowerShell Profile
ATAGS-T1069.013	Python Startup Hooks
ATAGS-T1069.014	Screensaver
ATAGS-T1069.015	Trap
ATAGS-T1069.016	Udev Rules
ATAGS-T1069.017	Unix Shell Configuration Modification
ATAGS-T1069.018	Windows Management Instrumentation Event Subscription

Threat actors may establish persistence by hijacking cloud-native event triggers. Attackers may manipulate Cloud Event Rules (e.g., EventBridge, Azure Event Grid) to trigger malicious serverless functions or containers in response to standard mission events—such as Satellite Contact Finished, Data Delivered. This ensures malicious code executes automatically during normal mission operations.

ID: ATAGS-T1069

Sub-techniques: ATAGS-T1069.001, ATAGS-T1069.002, ATAGS-T1069.003, ATAGS-T1069.004, ATAGS-T1069.005, ATAGS-T1069.006, ATAGS-T1069.007, ATAGS-T1069.008, ATAGS-T1069.009, ATAGS-T1069.010, ATAGS-T1069.011, ATAGS-T1069.012, ATAGS-T1069.013, ATAGS-T1069.014, ATAGS-T1069.015, ATAGS-T1069.016, ATAGS-T1069.017, ATAGS-T1069.018

ⓘ

Tactics: Persistence, Privilege Escalation

ⓘ

Targeted Components: Software

ⓘ

Responsibility: Provider

Created: 18 April 2026

Last Modified: 18 April 2026

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.