Technique on mitre.org

T1547.014: Active Setup

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer. These programs will be executed under the context of the user and will have the account's associated permissions level.

Adversaries may abuse Active Setup by creating a key under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components</code> and setting a malicious value for StubPath. This value will serve as the program that will be executed when a user logs into the computer.


Adversaries can abuse these components to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

Monitoring of StubPath addition and modification for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\ (ID 4657 in Microsoft Windows Security Auditing, IDs 12 and 13 in Sysmon)

Expert Required. The technique is detected only with the combination of «PT Product + Expert»

Detection

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor executed commands and arguments that may achieve persistence by adding a Registry key to the Active Setup of the local machine.

ID	DS0024	Data source and component	Windows Registry: Windows Registry Key Creation	Description	Monitor Registry key additions to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components</code>. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the Active Setup Registry locations and startup folders. Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.`

ID	DS0009	Data source and component	Process: Process Creation	Description	Monitor newly executed processes that may achieve persistence by adding a Registry key to the Active Setup of the local machine.

ID	DS0024	Data source and component	Windows Registry: Windows Registry Key Modification	Description	Monitor Registry key modifications to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components</code>. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the Active Setup Registry locations and startup folders. Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.`

ID	Data source and component	Description
DS0017	Command: Command Execution	Monitor executed commands and arguments that may achieve persistence by adding a Registry key to the Active Setup of the local machine.
DS0024	Windows Registry: Windows Registry Key Creation	Monitor Registry key additions to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components</code>. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the Active Setup Registry locations and startup folders. Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.`
DS0009	Process: Process Creation	Monitor newly executed processes that may achieve persistence by adding a Registry key to the Active Setup of the local machine.
DS0024	Windows Registry: Windows Registry Key Modification	Monitor Registry key modifications to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components</code>. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the Active Setup Registry locations and startup folders. Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.`