T1546.016: Installer Packages
| View on MITRE ATT&CK | T1546.016 |
|---|---|
| Tactic(s) | Persistence, Privilege Escalation |
| Associated CAPEC Patterns | Embedding Scripts within Scripts (CAPEC-19) |
Data from MITRE ATT&CK®:
Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)
Using legitimate applications, adversaries have distributed applications with modified installer scripts to execute malicious content. When a user installs the application, they may be required to grant administrative permissions to allow the installation. At the end of the installation process of the legitimate application, content such as macOS postinstall scripts can be executed with the inherited elevated permissions. Adversaries can use these scripts to execute a malicious executable or install other malicious components (such as a Launch Daemon) with the elevated permissions.(Citation: Application Bundle Manipulation Brandon Dalton)(Citation: wardle evilquest parti)
Depending on the distribution, Linux versions of package installer scripts are sometimes called maintainer scripts or post installation scripts. These scripts can include preinst, postinst, prerm, postrm scripts and run as root when executed.
For Windows, the Microsoft Installer services uses .msi files to manage the installing, updating, and uninstalling of applications. Adversaries have leveraged Prebuild and Postbuild events to run commands before or after a build when installing .msi files.(Citation: Windows AppleJeus GReAT)(Citation: Debian Manual Maintainer Scripts)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
How to detect this technique
MITRE ATT&CK Data Components
File Creation (File)
Initial construction of a new file (ex: Sysmon EID 11)Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.