Description
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.
Sub-Techniques (14)
| ID | Name |
|---|---|
|  | Registry Run Keys / Startup Folder |
| T1547.002 | Authentication Package |
| T1547.003 | Time Providers |
| T1547.004 | Winlogon Helper DLL |
| T1547.005 | Security Support Provider |
| T1547.006 | Kernel Modules and Extensions |
| T1547.007 | Re-opened Applications |
| T1547.008 | LSASS Driver |
| T1547.009 | Shortcut Modification |
| T1547.010 | Port Monitors |
| T1547.012 | Print Processors |
| T1547.013 | XDG Autostart Entries |
| T1547.014 | Active Setup |
| T1547.015 | Login Items |
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G1044 | APT42 | [APT42](https://attack.mitre.org/groups/G1044) has modified the Registry to maintain persistence.(Citation: Mandiant APT42-charms) |
Associated Software (5)
| ID | Name | Type | Context |
|---|---|---|---|
| S0653 | xCaon | Malware | [xCaon](https://attack.mitre.org/software/S0653) has added persistence via the Registry key `HKEY_CURRENT_USER\Software\Microsoft\Windows NT\Curr`... |
| S0567 | Dtrack | Malware | [Dtrack](https://attack.mitre.org/software/S0567)'s RAT creates a persistent target file that is automatically executed at host start.(Citation: Securelist Dtr... |
| S0084 | Mis-Type | Malware | [Mis-Type](https://attack.mitre.org/software/S0084) has created registry keys for persistence, including `HKCU\Software\bkfouerioyou`, `HKLM\SOFTWARE\... |
| S0651 | BoxCaon | Malware | [BoxCaon](https://attack.mitre.org/software/S0651) established persistence by setting the `HKEY_CURRENT_USER\Software\Microsoft\Windows NT\Curren`... |
| S0083 | Misdat | Malware | [Misdat](https://attack.mitre.org/software/S0083) has created registry keys for persistence, including `HKCU\Software\dnimtsoleht\StubPath`, `HKCU\Sof... |
References
- Langendorf, S. (2013, September 24). Windows Registry Persistence, Part 2: The Run Keys and Search-Order. Retrieved November 17, 2024.
- Microsoft. (n.d.). Authentication Packages. Retrieved March 1, 2017.
- Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September 12, 2024.
- Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.
- Pomerantz, O., Salzman, P. (2003, April 4). The Linux Kernel Module Programming Guide. Retrieved April 6, 2018.
- Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.
Frequently Asked Questions
What is T1547 (Boot or Logon Autostart Execution)?
T1547 is a MITRE ATT&CK technique named 'Boot or Logon Autostart Execution'. It belongs to the Persistence and Privilege Escalation tactics. Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating syste...
How can T1547 be detected?
Detection of T1547 (Boot or Logon Autostart Execution) focuses on writes to the autostart locations themselves rather than on the later execution, which looks like a normal boot or logon. On Windows, monitor Registry value writes (for example Sysmon Event ID 13) to the Run/RunOnce keys, the Winlogon `Shell`/`Userinit` values, the LSA `Authentication Packages` and `Security Packages` values, W32Time `TimeProviders`, Active Setup `StubPath` values and the print monitor/processor keys, and monitor file creation (Sysmon Event ID 11) in the per-user and all-users Startup folders. On Linux and macOS, monitor new `.desktop` files in XDG autostart directories, new kernel modules or extensions being loaded, and changes to login items. Compare each entry against a known-good baseline such as an Autoruns export (Citation: Russinovich Autoruns) and alert on new entries, on entries whose target binary is unsigned or lives in a user-writable or temporary directory, and on writes made by processes that do not normally install software (scripting hosts, Office applications, or binaries in `%TEMP%`).
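The following is an added example illustrating both the autostart locations listed in the Description and the detection approach in this answer; it is not MITRE's code or any vendor's detection content. It classifies Sysmon-style registry value-set (Event ID 13) and file-create (Event ID 11) records against the documented autostart locations for the sub-techniques above, suppresses entries that match a known-good baseline, and reports the rest. The events, the SID, the GUID and the file names are constructed for the demo; the field names `TargetObject`, `Details`, `Image` and `TargetFilename` are Sysmon's.

```python
"""Flag writes to boot/logon autostart locations in Sysmon-style events.

Added example (not MITRE's or any vendor's code). The events, SID, GUID and
file names below are constructed; the registry and file-system locations are
the documented autostart locations for the T1547 sub-techniques.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Sysmon may report the live control set as CurrentControlSet or ControlSet00N.
CCS = r"^system\\(currentcontrolset|controlset\d{3})\\"

# (pattern matched against the hive-stripped, lower-cased key path, label)
REGISTRY_AUTOSTART: List[Tuple[str, str]] = [
    (r"^software\\microsoft\\windows\\currentversion\\run(once|onceex)?\\", "T1547.001 Registry Run Keys"),
    (r"^software\\microsoft\\windows nt\\currentversion\\winlogon\\(shell|userinit|notify)", "T1547.004 Winlogon Helper DLL"),
    (CCS + r"control\\lsa\\authentication packages$", "T1547.002 Authentication Package"),
    (CCS + r"control\\lsa\\security packages$", "T1547.005 Security Support Provider"),
    (CCS + r"services\\w32time\\timeproviders\\", "T1547.003 Time Providers"),
    (r"^software\\microsoft\\active setup\\installed components\\[^\\]+\\stubpath$", "T1547.014 Active Setup"),
    (CCS + r"control\\print\\monitors\\", "T1547.010 Port Monitors"),
    (CCS + r"control\\print\\environments\\[^\\]+\\print processors\\", "T1547.012 Print Processors"),
]

FILE_AUTOSTART: List[Tuple[str, str]] = [
    (r"\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+$", "T1547.001 Startup Folder"),
    (r"(^/etc/xdg|/\.config)/autostart/[^/]+\.desktop$", "T1547.013 XDG Autostart Entries"),
]

HIVE_PREFIX = re.compile(r"^(hklm|hkey_local_machine|hkcu|hkey_current_user|hku\\[^\\]+|hkey_users\\[^\\]+)\\")


def normalize_registry_path(target: str) -> str:
    """Lower-case, drop the hive (HKLM, HKCU, HKU\\<SID>) and fold Wow6432Node so one pattern covers every variant."""
    path = HIVE_PREFIX.sub("", target.lower())
    return path.replace("software\\wow6432node\\", "software\\")


def classify_autostart(event: Dict[str, object]) -> Optional[str]:
    """Return the sub-technique label if the event writes an autostart location, else None."""
    if event.get("EventID") == 13:                      # Sysmon RegistryEvent: value set
        path, table = normalize_registry_path(str(event["TargetObject"])), REGISTRY_AUTOSTART
    elif event.get("EventID") == 11:                    # Sysmon FileCreate
        path, table = str(event["TargetFilename"]).lower(), FILE_AUTOSTART
    else:
        return None
    for pattern, label in table:
        if re.search(pattern, path):
            return label
    return None


def baseline_key(event: Dict[str, object]) -> Tuple[str, str]:
    """Identity of an autostart entry for allow-listing: (location, value written)."""
    if event.get("EventID") == 13:
        return (normalize_registry_path(str(event["TargetObject"])), str(event.get("Details", "")).lower())
    return (str(event["TargetFilename"]).lower(), "")


def find_suspicious(events: List[Dict[str, object]], baseline: Set[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Autostart writes not in the known-good baseline, as (label, writing image, location)."""
    hits = []
    for ev in events:
        label = classify_autostart(ev)
        if label is not None and baseline_key(ev) not in baseline:
            hits.append((label, str(ev.get("Image", "")), baseline_key(ev)[0]))
    return hits


SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"   # constructed user SID
SAMPLE_EVENTS: List[Dict[str, object]] = [               # constructed Sysmon-style records
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "TargetObject": "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\upd.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{0A1B2C3D-0000-4000-8000-000000000001}\StubPath",
     "Details": r"C:\ProgramData\svc.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages",
     "Details": "kerberos msv1_0 schannel wdigest tspkg pku2u evilssp"},
    {"EventID": 13, "Image": r"C:\Program Files\Editor\editor.exe",
     "TargetObject": r"HKCU\Software\Editor\Settings\LastRun", "Details": "2024-11-17"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\readme.lnk"},
    {"EventID": 11, "Image": "/usr/bin/python3",
     "TargetFilename": "/home/alice/.config/autostart/update.desktop"},
]

# Known-good entries captured from a clean build (for example an Autoruns export), keyed like baseline_key().
BASELINE: Set[Tuple[str, str]] = {
    (r"software\microsoft\windows\currentversion\run\securityhealth", r"%windir%\system32\securityhealthsystray.exe"),
}

if __name__ == "__main__":
    for label, image, where in find_suspicious(SAMPLE_EVENTS, BASELINE):
        print(f"{label:38} {image}  ->  {where}")
```

Matching on the hive-stripped key path is deliberate: the same Run key written under `HKLM`, `HKCU`, `HKU\<SID>` or `Wow6432Node` is one location for detection purposes, and a per-user write by an unprivileged process is exactly the case the baseline from an administrator's clean image will not contain. The baseline is keyed on both location and value so that an attacker overwriting a legitimate entry's command line, rather than adding a new name, is still reported.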
What mitigations exist for T1547?
Because this technique abuses legitimate operating-system features, it cannot be fully prevented; mitigation reduces who can write autostart locations and how much an entry can do once it runs. Apply least privilege so that ordinary user accounts cannot write machine-wide locations such as `HKLM` Run keys, the all-users Startup folder, LSA packages or kernel module directories; keep users out of local Administrators so that per-user persistence does not become privilege escalation. Enforce driver and kernel-module signature requirements so unsigned kernel modules and extensions (T1547.006) cannot load, and use application control to block execution from user-writable paths that autostart entries commonly point to. Audit autostart entries against a known-good baseline (for example with Autoruns, cited above) and remove unexpected ones, and keep the system patched so that autostart helpers themselves (time providers, authentication packages, print components) are not exploitable for higher privileges.
Which threat groups use T1547?
Known threat groups using T1547 include: APT42.