Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.[1][2][3][4][5] These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.
| ID | Name | Description |
|---|---|---|
| S0651 | BoxCaon |
BoxCaon established persistence by setting the |
| S0567 | Dtrack |
Dtrack’s RAT makes a persistent target file with auto execution on the host start.[7] |
| S0084 | Mis-Type |
Mis-Type has created registry keys for persistence, including |
| S0083 | Misdat |
Misdat has created registry keys for persistence, including |
| S0653 | xCaon |
xCaon has added persistence via the Registry key |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0017 | Command | Command Execution |
Monitor executed commands and arguments that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. |
| DS0027 | Driver | Driver Load |
Monitor for unusual kernel driver installation activity that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. |
| DS0022 | File | File Creation |
Monitor for newly constructed files that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. |
| File Modification |
Monitor for changes made to files that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. |
||
| DS0008 | Kernel | Kernel Module Load |
Monitor for unusual kernel driver installation activity that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. |
| DS0011 | Module | Module Load |
Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL. |
| DS0009 | Process | OS API Execution |
Monitor for API calls that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. |
| Process Creation |
Suspicious program execution as autostart programs may show up as outlier processes that have not been seen before when compared against historical data to increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. |
||
| DS0024 | Windows Registry | Windows Registry Key Creation |
Monitor for additions of mechanisms that could be used to trigger autostart execution, such as relevant additions to the Registry. |
| Windows Registry Key Modification |
Monitor for modifications of mechanisms that could be used to trigger autostart execution, such as relevant additions to the Registry. |