T1547: Boot or Logon Autostart Execution
| View on MITRE ATT&CK | T1547 |
|---|---|
| Tactic(s) | Privilege Escalation, Persistence |
| Associated CAPEC Patterns | Run Software at Logon (CAPEC-564) |
Data from MITRE ATT&CK®:
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Reporting on this Technique
#StopRansomware: LockBit 3.0
This #StopRansomware Cybersecurity Advisory from CISA and partners describes the operations associated with LockBit 3.0 which operates as a ...
Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally
This Cybersecurity Advisory by CISA with US and international partners outlines activity which they link to APT29 (also known as The Dukes, Cozy ...
How to detect this technique
MITRE ATT&CK Data Components
Windows Registry Key Creation (Windows Registry)
Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12)File Creation (File)
Initial construction of a new file (ex: Sysmon EID 11)Driver Load (Driver)
Attaching a driver to either user or kernel-mode of a system (ex: Sysmon EID 6)File Modification (File)
Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )Windows Registry Key Modification (Windows Registry)
Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)Kernel Module Load (Kernel)
An object file that contains code to extend the running kernel of an OS, typically used to add support for new hardware (as device drivers) and/or filesystems, or for adding system callsModule Load (Module)
Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)OS API Execution (Process)
Operating system function/method calls executed by a processControl Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.