Boot or Logon Autostart Execution

Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.[1][2][3][4][5]  These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.

Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.

ID: T1547
Platforms: Linux, Windows, macOS
Permissions Required: Administrator, User, root
CAPEC ID: CAPEC-564
Version: 1.1
Created: 23 January 2020
Last Modified: 19 October 2021
Provided by LAYER 8

Procedure Examples

ID Name Description
S0651 BoxCaon

BoxCaon established persistence by setting the HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load registry key to point to its executable.[6]

S0567 Dtrack

Dtrack’s RAT makes a persistent target file with auto execution on the host start.[7]

S0653 xCaon

xCaon has added persistence via the Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load which causes the malware to run each time any user logs in.[6]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0027 Driver Driver Load
DS0022 File File Creation
File Modification
DS0008 Kernel Kernel Module Load
DS0011 Module Module Load
DS0009 Process OS API Execution
Process Creation
DS0024 Windows Registry Windows Registry Key Creation
Windows Registry Key Modification

Monitor for additions or modifications of mechanisms that could be used to trigger autostart execution, such as relevant additions to the Registry. Look for changes that are not correlated with known updates, patches, or other planned administrative activity. Tools such as Sysinternals Autoruns may also be used to detect system autostart configuration changes that could be attempts at persistence.[8] Changes to some autostart configuration settings may happen under normal conditions when legitimate software is installed.

Suspicious program execution as autostart programs may show up as outlier processes that have not been seen before when compared against historical data.To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL.

Monitor for abnormal usage of utilities and command-line parameters involved in kernel modification or driver installation.

References