T1547 Boot or Logon Autostart Execution
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.32415 These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.
| Item | Value |
|---|---|
| ID | T1547 |
| Sub-techniques | T1547.001, T1547.002, T1547.003, T1547.004, T1547.005, T1547.006, T1547.007, T1547.008, T1547.009, T1547.010, T1547.012, T1547.013, T1547.014, T1547.015 |
| Tactics | TA0003, TA0004 |
| Platforms | Linux, Windows, macOS |
| Permissions required | Administrator, User, root |
| Version | 1.1 |
| Created | 23 January 2020 |
| Last Modified | 30 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0651 | BoxCaon | BoxCaon established persistence by setting the HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load registry key to point to its executable.9 |
| S0567 | Dtrack | Dtrack’s RAT makes a persistent target file with auto execution on the host start.8 |
| S0084 | Mis-Type | Mis-Type has created registry keys for persistence, including HKCU\Software\bkfouerioyou, HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{6afa8072-b2b1-31a8-b5c1-{Unique Identifier}, and HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{3BF41072-B2B1-31A8-B5C1-{Unique Identifier}.7 |
| S0083 | Misdat | Misdat has created registry keys for persistence, including HKCU\Software\dnimtsoleht\StubPath, HKCU\Software\snimtsOleht\StubPath, HKCU\Software\Backtsaleht\StubPath, HKLM\SOFTWARE\Microsoft\Active Setup\Installed. Components\{3bf41072-b2b1-21c8-b5c1-bd56d32fbda7}, and HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{3ef41072-a2f1-21c8-c5c1-70c2c3bc7905}.7 |
| S0653 | xCaon | xCaon has added persistence via the Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load which causes the malware to run each time any user logs in.9 |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0027 | Driver | Driver Load |
| DS0022 | File | File Creation |
| DS0008 | Kernel | Kernel Module Load |
| DS0011 | Module | Module Load |
| DS0009 | Process | OS API Execution |
| DS0024 | Windows Registry | Windows Registry Key Creation |
References
-
Langendorf, S. (2013, September 24). Windows Registry Persistence, Part 2: The Run Keys and Search-Order. Retrieved April 11, 2018. ↩
-
Microsoft. (n.d.). Authentication Packages. Retrieved March 1, 2017. ↩
-
Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November 12, 2014. ↩
-
Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018. ↩
-
Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel Module Programming Guide. Retrieved April 6, 2018. ↩
-
Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. ↩
-
Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. ↩↩
-
Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021. ↩
-
CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021. ↩↩