Technique on mitre.org

T1547: Boot or Logon Autostart Execution

Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon. These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.

Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_persistence: PT-CR-666: Universal_Windows_Platform_Apps_Modify: A key is set for a UWP application

Subtechniques

Expert Required. The technique is detected only with the combination of «PT Product + Expert»

Detection

ID	DS0009	Data source and component	Process: OS API Execution	Description	Monitor for API calls that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.

ID	DS0011	Data source and component	Module: Module Load	Description	Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL.

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor executed commands and arguments that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.

ID	DS0022	Data source and component	File: File Creation	Description	Monitor for newly constructed files that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.

ID	DS0024	Data source and component	Windows Registry: Windows Registry Key Modification	Description	Monitor for modifications of mechanisms that could be used to trigger autostart execution, such as relevant additions to the Registry.

ID	DS0024	Data source and component	Windows Registry: Windows Registry Key Creation	Description	Monitor for additions of mechanisms that could be used to trigger autostart execution, such as relevant additions to the Registry.

ID	DS0022	Data source and component	File: File Modification	Description	Monitor for changes made to files that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.

ID	DS0009	Data source and component	Process: Process Creation	Description	Suspicious program execution as autostart programs may show up as outlier processes that have not been seen before when compared against historical data to increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

ID	DS0027	Data source and component	Driver: Driver Load	Description	Monitor for unusual kernel driver installation activity that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.

ID	DS0008	Data source and component	Kernel: Kernel Module Load	Description	Monitor for unusual kernel driver installation activity that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.

ID	Data source and component	Description
DS0009	Process: OS API Execution	Monitor for API calls that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.
DS0011	Module: Module Load	Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL.
DS0017	Command: Command Execution	Monitor executed commands and arguments that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.
DS0022	File: File Creation	Monitor for newly constructed files that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.
DS0024	Windows Registry: Windows Registry Key Modification	Monitor for modifications of mechanisms that could be used to trigger autostart execution, such as relevant additions to the Registry.
DS0024	Windows Registry: Windows Registry Key Creation	Monitor for additions of mechanisms that could be used to trigger autostart execution, such as relevant additions to the Registry.
DS0022	File: File Modification	Monitor for changes made to files that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.
DS0009	Process: Process Creation	Suspicious program execution as autostart programs may show up as outlier processes that have not been seen before when compared against historical data to increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
DS0027	Driver: Driver Load	Monitor for unusual kernel driver installation activity that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.
DS0008	Kernel: Kernel Module Load	Monitor for unusual kernel driver installation activity that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.