MITRE ATT&CK T1547 Boot or Logon Autostart Execution

LAST UPDATED ON FEBRUARY 27, 2025

Adversaries are increasingly leveraging system settings to automatically execute programs during system startup or user logon, enabling persistent control or privilege escalation on compromised systems. This approach often exploits operating system mechanisms, such as special directories or configuration repositories like the Windows Registry.

Notably, the Red Report 2025, which analyzed over 1,000,000 pieces of malware, found this technique to have a 15% prevalence. Once again, it has ranked among the top ten most frequently used methods, marking its second consecutive appearance in the top ten. This underscores its continued prevalence and effectiveness.

In this blog, we are going to explain each and every sub-technique of T1547 Boot or Logon Autostart Execution technique of MITRE ATT&CK Framework.

The Red Report 2025 The 10 Most Prevalent MITRE ATT&CK Techniques Used by Adversaries GET THE REPORT

What Is Boot Logon and Auto Start Execution?

Boot Logon and Auto Start Execution are integral components of modern computing systems, functioning to streamline and manage the initiation of processes and applications during the startup phase of a computer and upon user login.

Boot Logon

Boot Logon encompasses the series of actions and procedures triggered when a computer is powered on and begins loading the operating system. This phase is crucial for setting up the computer's environment, involving the loading of 

• the system's basic input/output system (BIOS),  
• Unified Extensible Firmware Interface (UEFI), 
• the initialization of hardware components, and 
• the launching of essential operating system services. 

The primary objective of Boot Logon is to ensure that the foundational elements of the system are correctly loaded and configured, providing a stable and operational platform for the user and any subsequent processes.

Auto Start Execution

Auto Start Execution, on the other hand, refers to the automatic launching of certain programs, scripts, or services either when a user logs into the system or under specific pre-set conditions. This feature enhances user convenience and system efficiency by ensuring that frequently used applications or essential system services, such as security software and system monitoring tools, are readily available without manual intervention. Auto Start Execution can be configured through various mechanisms within the operating system, including but not limited to specific registry keys in Windows environments, startup folders, or the creation of scheduled tasks.

Together, Boot Logon and Auto Start Execution form a critical part of the user experience and system functionality, enabling a seamless transition from system startup to operational readiness by automating the initiation of key processes and applications. While these features are designed with efficiency and user convenience in mind, they also demand careful management and oversight to prevent misuse, particularly in the context of unauthorized or malicious software seeking to exploit these mechanisms for persistence or unauthorized activities.

There are 14 sub-techniques under the Boot or Logon Autostart Execution technique in ATT&CK v16.

Each of these sub-techniques will be explained in the following sections.

#9.1. T1547.001 Registry Run Keys / Startup Folder

Registry Run Keys and the Startup Folder in Windows are designated areas where programs are configured to launch automatically at system boot or user login. Located within the Windows Registry and the file system, respectively, these features are designed for convenience, allowing applications and scripts to initialize immediately upon startup and enhancing user experience by providing immediate access to frequently used programs and services.

Adversary Use of Registry Run Keys / Startup Folder

Adversaries target Windows Run keys and the Startup folder for persistence, as these Registry areas control automatic application launches at login or boot. By manipulating them, malicious software can be consistently executed, allowing the adversary to maintain a presence on a compromised system and exploit mechanisms for legitimate auto-start processes.

1. Exploiting Registry Run Keys for Persistence

By adding entries to Run Keys, malicious actors can execute their payloads, ensuring their programs activate during user logins and inherit the user's permissions for enhanced access.

The primary run keys targeted are as follows:

In addition to these, adversaries may exploit legacy entries, such as HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx, to load additional components, including DLLs, during the logon process. While this key is not default on newer Windows systems, its presence in certain configurations provides an avenue for stealthy persistence.

Real-world ransomware campaigns illustrate how threat actors weaponize these registry keys. For example, the CISA report that was released in February 2024 detailed Phobos ransomware employing commands like Exec.exe or bcdedit[.]exe to manipulate system settings and maintain persistence [1]. Phobos has also been observed utilizing Windows Startup folders and Run Registry Keys such as C:/Users/Admin/AppData/Local/directory to ensure its payload is repeatedly launched.

Similarly, in October 2024, a newer Medusalocker ransomware variant was identified, demonstrating how attackers customize Run Keys to serve their malicious purposes. 

Indicators of Compromise (IoCs) associated with this variant include entries such as [2]:

These instances underscore the deliberate intent of threat actors to use Run Keys as a mechanism to embed their malicious payloads, ensure repeated execution, and maximize their control over compromised systems. 

The misuse of such entries is a stark reminder of how attackers manipulate system-native features to bypass detection, solidify their presence, and further their objectives, whether it be data encryption, exfiltration, or system disruption.

2. Startup Folder Technique as a Vector for Persistence

Adversaries frequently exploit the Windows Startup Folder as a method to achieve persistence, embedding their malicious executables in directories automatically executed during user logon. This tactic enables attackers to ensure their programs are launched without user interaction, granting them reliable access to the compromised system. The Startup Folder is a particularly effective persistence vector because Windows inherently checks these locations during the logon process, making it a seamless and low-profile attack mechanism.

Windows provides two primary types of Startup Folders, each serving different scopes:

By planting malicious files in these folders, attackers can ensure the automatic execution of their payloads every time the affected user logs in. This not only extends the lifespan of their malware within the environment but also enhances their ability to launch further attacks under the compromised user's permissions.

A real-world example of this tactic was revealed in November 2024, involving the Snake Keylogger* malware [3]. This sophisticated threat was found dropping its payloads in the user-specific Startup directory located at:

By leveraging such techniques, attackers can bypass certain detection mechanisms and maintain control over compromised systems. 

The persistent use of Startup Folders as a malware vector underscores the necessity of securing these directories and implementing robust monitoring to detect unauthorized modification.

3. Manipulating Registry for Startup and Service Control

To further establish their presence, adversaries may modify additional registry keys that influence startup folder items or control the automatic startup of services during system boot. They commonly alter entries within both the HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE branches, impacting user shell folders and service startup configurations. 

This manipulation involves keys such as:

For example, on another malware analysis done in December 2024 [4], a malware persistence technique leveraging the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run to execute the file 7D3ED97FB83B796922796[.]exe located in the AppData\Roaming directory at every user logon.

By using this registry key, the malware ensures persistence specific to the current user account, while the inconspicuous location and randomized folder/file names help evade detection.

4. Boot Execution as an Infiltration Method

The adversaries may also target the BootExecute value in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager. By default, this key is set for system integrity checks but can be exploited to run additional malicious programs or processes at system boot, ensuring their activation before many security measures are in place.

In summary, through these various methods, adversaries aim to install and operate malware, including remote access tools, in a manner that survives system reboots and evades detection. Often, they employ masquerading techniques, making their registry entries appear legitimate to blend in with authentic system processes. This strategic manipulation of autostart execution mechanisms underscores the importance of vigilant monitoring and robust security practices in protecting against persistent threats.

#9.2. T1547.002 Authentication Package

Authentication packages in Windows are crucial for the operating system's management of logon processes and security protocols. These packages, typically in the form of Dynamic Link Libraries (DLLs), are loaded by the Local Security Authority (LSA) process at system startup. Their primary role is to facilitate various logon processes and implement security protocols, making them an integral component of the authentication system in Windows.

Adversary Use of Authentication Package

Adversaries often exploit Windows systems by manipulating the Registry to gain persistent and elevated access. A common tactic involves targeting the HKLM\SYSTEM\CurrentControlSet\Control\Lsa key, which is critical for authentication processes. 

To achieve this, attackers might execute a command like the following:

This command adds their malicious DLL (evil.dll) to the list of authentication packages. When the system boots, the LSA process, which runs with high privileges, loads this DLL. Consequently, the malicious code gains elevated privileges and executes seamlessly within the system context. By embedding their code in such a critical system process, adversaries ensure that their payload remains active and undetected, executing with every system startup.

For example, according to a malware sandbox analysis that was done in June 2024 [5], we are seeing a persistence mechanism tied to the Windows Local Security Authority system. 

The malware manipulates the registry paths System\CurrentControlSet\Control\LsaExtensionConfig\LsaSrv and System\CurrentControlSet\Control\Lsa, as indicated by the instructions loading these strings into the rdx register. These registry keys play a significant role in configuring LSA extensions and authentication packages, both of which are essential for the system's logon and security processes. By modifying these keys, the malware ensures that its malicious code is loaded by the highly privileged LSA process (lsass.exe) during every system startup, achieving persistence.

The "Hidden" attribute in the metadata suggests that the malware employs obfuscation techniques to conceal these registry changes from standard inspection tools, increasing its stealth. The lea rdx, qword ptr instructions prepare the registry key addresses for further operations, such as querying, modifying, or injecting malicious DLLs. This behavior aligns with common tactics where adversaries use the Lsa or LsaExtensionConfig keys to load their payloads, allowing execution within the trusted and elevated context of the LSA process. 

It makes detection and remediation particularly challenging, as tampering with these registry keys or the lsass.exe process can destabilize the system. Ultimately, this persistence method ensures that the malware remains active across reboots, embedded in a critical system process that provides both elevated privileges and stealth.

#9.3. T1547.003 Time Providers

In Windows, the W32Time service ensures time synchronization within and across domains. Time providers within this service, implemented as DLLs, fetch and distribute time stamps from various sources. They are registered in the Windows Registry, making them attractive targets for adversaries who can replace legitimate DLLs with malicious ones to exploit this crucial synchronization mechanism for nefarious purposes.

Adversary Use of Time Providers

Adversaries aiming to maintain persistence on a Windows system may target the W32Time service, a critical component for time synchronization in network operations. They achieve this by manipulating a specific registry key:

By obtaining administrative privileges, attackers can alter this registry key to include a malicious DLL. This is typically done using the reg add command. For instance, they might add a new subkey to register their malicious DLL as a time provider, using a command like:

This method is covert and effective, embedding the malware within an essential system service. When the system boots up or the W32Time service is restarted, the service control manager loads the registered time providers, including the malicious DLL. This DLL, running under the Local Service account, possesses sufficient privileges to carry out various malicious activities, exploiting the critical role of the time synchronization service in network operations.

To mitigate the risk of adversaries exploiting the W32Time service in Windows systems, a combination of restrictive measures is essential. Implementing Group Policy to restrict file and directory permissions can prevent unauthorized modifications to W32Time DLLs, blocking the insertion of malicious code. Simultaneously, restricting registry permissions through Group Policy is crucial for safeguarding W32Time registry settings against unauthorized changes.

#9.4. T1547.004 Winlogon Helper DLL

Winlogon Helper DLLs extend the functionality of the Windows Logon process, executing code during user sessions. Integral to system operations, these DLLs are loaded by Winlogon, which manages user logins, security, and interface. Due to their elevated privileges and critical role in system processes, adversaries frequently exploit these DLLs to stealthily execute malicious code, gaining persistent, high-level access to compromised systems.

Adversary Use of Winlogon Helper DLL

By strategically modifying specific registry entries, adversaries can manipulate Winlogon to load and execute malicious DLLs and executables during login events. 

They typically focus on keys like the following, which are pivotal for Winlogon's helper functionalities.

Common tactics include 

• altering the Winlogon\Shell key to replace the default system shell with a malicious executable,

• modifying Winlogon\Userinit to change the standard userinit.exe to a custom executable, and 
• adding new notification package DLLs through Winlogon\Notify. 

These changes cause the malicious files to execute under the context of the logged-in user or the Local System account, providing the adversaries with a reliable method for maintaining access. 

For instance, observed in May 2024, the KamiKakaBot malware was observed employing the Winlogon Helper DLL technique to establish persistence on compromised systems [6]. According to security researchers, KamiKakaBot modifies specific registry entries to load malicious DLLs during user logon, ensuring its code executes with elevated privileges each time the user logs in.

This command modifies the Shell value in the Windows Registry under the path HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. By default, the Shell value is set to explorer.exe, which launches the standard Windows desktop environment upon user login. However, the modified value introduces a second instance of explorer.exe alongside malicious parameters.

The command includes /e,/root,%Pyps%, which directs Windows Explorer to open a specific root directory, likely one containing hidden or malicious files specified by the %Pyps% environment variable. It also executes a PowerShell command using the Start-Process function, leveraging additional environment variables like $env:Msbd and $env:Temprd. These variables likely reference malicious payloads or scripts. The use of parameters such as -nop (no profile) and -w h (hidden window) ensures the PowerShell process runs stealthily, avoiding detection by users.

This modification enables the attacker to execute arbitrary commands or payloads during the login process, effectively maintaining persistence while masking malicious activity behind a legitimate-looking desktop environment.

Additionally, another sandbox analysis report has identified malware samples that attempt to modify the Winlogon Helper DLL registry key to achieve persistence. For instance, a sample analyzed in May 2024 (Mandela.exe) [7], exhibited behavior consistent with this technique, indicating that adversaries continue to leverage this method to maintain access to compromised systems.

#9.5. T1547.005 Security Support Provider

Security Support Providers (SSPs) in Windows are dynamic libraries that provide authentication and security services, typically loaded into the Local Security Authority (LSA) process. They handle sensitive tasks like password authentication. Adversaries target SSPs to load malicious DLLs, exploiting their integral role and privileges for persistence and access to sensitive data, such as plaintext and encrypted passwords, often leading to privilege escalation.

Adversary Use of Security Support Provider

Adversaries frequently target Windows Security Support Providers (SSPs) to gain persistent access and escalate privileges. By injecting malicious DLLs into the LSA process, they exploit SSPs' central role in authentication. This often involves modifying registry keys like the following to control SSP loading at startup. 

For instance, using the following command, they can add a malicious SSP. 

Tools like PowerSploit or Mimikatz [8] can simplify this process, offering functionalities like Install-SSP and Invoke-Mimikatz for installing SSPs and logging authentication events. Additionally, frameworks like Empire [9] can enumerate existing SSPs, providing adversaries with a comprehensive toolkit for manipulating these critical components. 

For instance, as disclosed by CISA, the North Korean Trojan HOPLIGHT utilized a technique involving the manipulation of SSPs by targeting the LSASS in Windows [10]. HOPLIGHT specifically modified the Security Packages registry key within SYSTEM\CurrentControlSet\Control\Lsa to allow the Trojan to inject its malicious code into the authentication process handled by LSASS. By doing so, HOPLIGHT gained the ability to intercept and manipulate sensitive security data, such as passwords, and potentially escalated its privileges within the system. 

This sophisticated approach not only facilitated persistent access to the compromised system but also significantly compromised its security integrity, thereby demonstrating the advanced capabilities of state-sponsored cyber threats.

#9.6. T1547.006 Kernel Modules and Extensions

Kernel modules in Linux (Loadable Kernel Modules, or LKMs) and kernel extensions in macOS (kexts) are components used to extend the core functionality of the system's kernel without needing to reboot. These modules and extensions can dynamically add capabilities to the kernel, allowing for hardware support, file system extensions, and other low-level operations directly within the kernel's domain.

Adversary Use of Kernel Modules and Extensions

Adversaries may exploit kernel modules and extensions to achieve persistence and privilege escalation on systems by modifying the kernel to execute programs on system boot. This approach targets LKMs in Linux and kexts in macOS, both of which are used to extend kernel functionality without rebooting the system.

1. Exploiting Loadable Kernel Modules (LKMs) in Linux

To understand the potential dangers of kernel-level exploitation, we consider a scenario where an adversary has already gained access to a Linux system and escalated privileges to root, a critical prerequisite for loading kernel modules. With root access, the adversary can write a malicious Loadable Kernel Module (LKM) in C, specifically designed to perform nefarious tasks such as hiding files and processes, establishing backdoors, or granting unauthorized root access. To ensure seamless integration with the system, the malicious module is compiled using Linux kernel headers to maintain compatibility with the running kernel version.

A particularly sophisticated example of this type of attack is the Snapekit rootkit, identified in October 2024 [11]. Snapekit exemplifies the potential severity of kernel-level threats, leveraging advanced techniques to infiltrate Linux systems with exceptional stealth. Delivered via a specially crafted dropper, it strategically unpacks the snapekit.ko* module into the /lib/modules/ directory, ensuring its kernel-level insertion is both effective and covert.

What makes Snapekit especially dangerous is its use of advanced obfuscation methods, such as spoofing process names—masquerading as legitimate system processes like kworker—and exploiting Linux capabilities to escalate privileges further.

The rootkit's core objective is comprehensive system obfuscation, effectively concealing files, processes, and network activities from monitoring tools. This level of stealth makes Snapekit extremely difficult to detect, enabling persistent unauthorized access and prolonged exploitation of compromised systems.

2. Exploiting Kernel Extensions (kexts) in macOS

For this technique, adversaries first develop a malicious kernel extension (kext) for macOS, typically written in C or C++. This kext is designed to carry out malicious actions, such as establishing backdoors, hiding files, or intercepting user activities. They compile the kext using Xcode, Apple's integrated development environment, with a command like:

This command compiles the kext against macOS kernel headers, ensuring compatibility with the targeted macOS version.

Next, to bypass macOS's security measures, adversaries must address the signing of the kext. Ideally, they use a developer ID certificate granted by Apple, but this is often not feasible for malicious activities. Therefore, they might target systems with System Integrity Protection (SIP) disabled, allowing unsigned kexts to be loaded. Alternatively, they may use social engineering or other methods to trick users into disabling SIP.

With SIP disabled, the adversary then loads the kext into the system using the kextload command:

Once the kext is loaded, it operates with kernel-level privileges, providing the adversary with significant control over the system. This can include executing code with elevated privileges, modifying system processes, or remaining hidden from traditional security tools.

#9.7. T1547.007 Re-opened Applications

Re-opened applications in macOS automatically start upon user login, a feature designed for user convenience. This is facilitated through a property list file, which records applications running during the last logout. Adversaries exploit this by inserting malicious applications into this list, ensuring their automatic execution upon user login, thereby stealthily achieving persistence.

Adversary Use of Re-opened Applications

Adversaries exploit macOS's "Re-opened Applications" feature by tampering with plist files, such as com.apple.loginwindow.<UUID>.plist, located in the user's ~/Library/Preferences/ByHost directory. This plist file contains the configuration for applications that are automatically relaunched when a user logs back in. Users typically opt into this feature via a prompt during logout, making it a trusted behavior.

To compromise this functionality, attackers manipulate the plist file using macOS commands. 

For example [12]:

This command displays the contents of the plist file, where adversaries can insert entries specifying their malicious applications. Each entry includes keys for the application's bundle identifier, background state, visibility settings, and file path. 

An example of a modified plist entry might look like this:

In doing so, the malware is automatically executed each time the user logs in, leveraging legitimate macOS functionality to maintain a covert presence.

#9.8. T1547.008 LSASS Driver

LSASS drivers in Windows are legitimate drivers loaded by the Local Security Authority Subsystem to manage various security policies. Adversaries target these drivers due to their high privilege level, which, when compromised, can grant deep system access, allowing for persistent and covert exploitation of the infected host system.

Adversary Use of LSASS Driver

The Local Security Authority Subsystem Service (LSASS) is a critical target for attackers due to its integral role in enforcing security policies, managing user authentication, and safeguarding sensitive information such as user credentials. Operating as a user-mode process through lsass.exe, LSASS relies on dynamic link libraries (DLLs) to perform its functions, making it an attractive vector for adversaries seeking persistent access to compromised systems. Attackers may exploit LSASS by injecting malicious code into its process, modifying system components, or manipulating registry keys to load unauthorized DLLs.

One method involves altering the undocumented registry key HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LsaDbExtPt, enabling the loading of malicious DLLs into the LSASS process. This allows attackers to execute their code with elevated privileges, granting them deep system access. Beyond direct manipulation, adversaries may hijack the execution flow of legitimate LSASS components to ensure that their payload is initialized during system boot or user logon, embedding themselves deeply into the system's security framework. 

This persistence technique enables ongoing access, facilitates lateral movement, and allows attackers to remain undetected while interacting with other critical system processes. Such actions can disrupt security mechanisms, harvest credentials, and maintain a foothold for extended exploitation.

#9.9. T1547.009 Shortcut Modification 

Shortcut modifications refer to altering Windows shortcut files (LNK files), which are essentially pointers to an executable file. This technique involves changing a shortcut's properties, such as its target path, to redirect users to a program or script different from the one originally intended. The modification can be subtle, often keeping the shortcut's original icon and name, making it difficult for users to notice the change. 

Adversary Use of Shortcut Modification

By editing the target path of a shortcut or replacing it entirely, adversaries can deceive users into launching their malware under the guise of a familiar program. 

In the Ferocious Kitten APT campaign, this technique was employed to achieve persistence by exploiting the behavior of Windows shortcut files (.LNK). The adversaries deployed a malicious payload named "update.exe," which was initially dropped into a publicly accessible directory [13]. This payload was later renamed to "svehost.exe" to mimic legitimate system files and copied to the Windows Startup folder. By leveraging the Startup folder's inherent behavior, which automatically executes files placed within it during system login, the attackers ensured their payload would run every time the victim restarted their system. 

Although this campaign involved creating a new shortcut rather than modifying an existing one, it falls under the Shortcut Modification technique as it manipulates shortcut properties to redirect execution to a malicious program. The attackers also relied on subtle methods like deceptive naming conventions to avoid detection, maintaining persistence while blending into the system's legitimate processes.

#9.10. T1547.010 Port Monitors

Port monitors in Windows facilitate printer communications and can be exploited by adversaries for malicious purposes. By replacing or adding a port monitor DLL via the Windows Registry, adversaries can ensure their code is executed with high privileges by the print spooler service during system boot, achieving persistence and potential privilege escalation.

Adversary Use of Port Monitors

Adversaries exploit Windows port monitors to establish persistence and potentially escalate privileges by ensuring their malicious code executes during system boot with high-level permissions. Port monitors, integral to the printing process, are managed by the Print Spooler service (spoolsv.exe), which operates with SYSTEM-level privileges.

To leverage this, an adversary can register a custom port monitor that specifies a malicious DLL to be loaded at startup. This can be achieved by invoking the AddMonitor API call, designating the path to the malicious DLL. Alternatively, the adversary can directly modify the Windows Registry at HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors, creating a new subkey for their port monitor and setting its "Driver" value to the path of their malicious DLL. This DLL is typically placed in the C:\Windows\System32 directory to align with legitimate system files.

Upon the next system boot, the Print Spooler service loads all registered port monitor DLLs, including the malicious one, executing it with SYSTEM privileges. This grants the adversary persistent and elevated access to the system, allowing them to perform unauthorized actions and maintain control over the compromised environment.

This technique is particularly insidious because it abuses legitimate system functionality, making detection and mitigation challenging. Monitoring for unexpected modifications to the registry keys associated with port monitors and scrutinizing DLLs loaded by the Print Spooler service can aid in identifying such malicious activities.

#9.11. T1547.012 Print Processors 

Print processors, dynamic link libraries (DLLs) employed by the Windows print spooler service (spoolsv.exe), are crucial for managing print jobs, handling data formats, and print layouts. However, they can be exploited by adversaries for malicious purposes, such as achieving persistence and privilege escalation within the system.

Adversary Use of Print Processors 

Adversaries exploit print processors for persistence and privilege escalation by executing malicious DLLs during system boot. These DLLs are loaded by the print spooler service, spoolsv.exe. Attackers can add malicious print processors using the AddPrintProcessor API (requiring SeLoadDriverPrivilege) or by modifying the Windows Registry. 

A common method involves adding a key to this path, which should point to the malicious DLL.

The malicious DLL must be in the system print-processor directory or a relative path found using the GetPrintProcessorDirectory API. After installation, restarting the print spooler service activates the malicious print processor. The loaded DLL gains elevated privileges since this service runs with SYSTEM-level permissions.

For example, the Earth Lusca APT group used this method by executing [14]: 

This command creates a new print processor, UDPrint, with its driver set to spool.dll, a malicious DLL. Upon system boot and print spooler restart, spool.dll is executed with SYSTEM permissions.

Furthermore, the PipeMon malware, attributed to the Winnti hacking group, has demonstrated the use of this technique for achieving persistence [15]. The malware deploys a malicious DLL loader into the directory where print processors are stored and subsequently registers it as an alternative print processor by modifying registry values. 

To be more specific, the malware alters entries like "PrintFilterPipelineSvc" and "lltdsvc1" to point to its malicious DLLs, such as "DEment.dll" and "EntAppsvc.dll." 

This setup ensures that the malicious print processor is loaded each time the print spooler service starts, which occurs at every system boot, thus maintaining the malware's presence and control over the compromised system. 

#9.12. T1547.013 XDG Autostart Entries

XDG Autostart Entries in Linux are configuration files that enable applications to run automatically at user login. These entries specify scripts or programs to be executed, providing a method for software, including potentially malicious ones, to achieve persistence by ensuring their activation every time a user logs into the system, thus facilitating ongoing control or surveillance.

Adversary Use of XDG Autostart Entries

Adversaries targeting Linux systems can exploit XDG Autostart Entries to achieve persistence by executing malicious programs upon user login. This technique involves manipulating .desktop files in XDG Autostart directories such as 

/etc/xdg/autostart or 

~/.config/autostart. 

These files define applications that automatically launch when a user's desktop environment loads, providing an opportunity for attackers to ensure their malicious programs execute consistently.

A notable example of this technique was observed in campaigns conducted by the Transparent Tribe, also known as APT36, between late 2023 and April 2024 [16]. This group targeted Indian government, defense, and aerospace sectors, using Python-based ELF downloaders to create .desktop files in the ~/.config/autostart directory. These files were specifically crafted to execute malicious payloads whenever a user logged in, ensuring persistent access to compromised systems. To evade detection, the .desktop files were designed to mimic legitimate system files, reflecting the group's advanced operational methods and ability to blend malicious activity into normal system behavior.

In a similar but more recent case, the DISGOMOJI malware, identified in June 2024, also leveraged XDG Autostart Entries to maintain persistence on Linux systems [17]. As part of its attack strategy, DISGOMOJI dropped .desktop files such as GNOME_Core.desktop or GNOME_GNU.desktop into the ~/.config/autostart directory. These files were designed to ensure the malware's automatic execution at every user login, even after system reboots. To obfuscate its presence further, DISGOMOJI padded the content of the .desktop files with tens of thousands of # characters, which do not affect functionality but serve to confuse investigators or delay forensic analysis.

An example of the .desktop file content added by DISGOMOJI is as follows:

This configuration ensures that the executable /home/user/.x86_64-linux-gnu/vmcoreinfo is run automatically whenever the desktop environment loads. By leveraging XDG Autostart Entries in this manner, DISGOMOJI achieves a stealthy and reliable persistence mechanism, enabling its malicious activities to continue uninterrupted without requiring further interaction from the attacker. 

Together, these examples highlight the versatility and effectiveness of XDG Autostart Entries as a persistence technique on Linux systems, making it a preferred choice for advanced threat actors.

#9.13. T1547.014 Active Setup

Active Setup in Windows is designed to execute specific programs or scripts automatically at user login, mainly for configuring user profiles on the first login. Its ability to run code for each user profile makes it an attractive target for adversaries, who exploit this feature to achieve persistent and stealthy execution of malicious payloads across all user accounts.

Adversary Use of Active Setup

Adversaries frequently exploit the Windows Active Setup mechanism to achieve persistence on a target system. Active Setup is a legitimate Windows feature designed to execute programs when a user logs in for the first time. By creating a custom registry key under:

and specifying a malicious executable path in the StubPath value, attackers ensure that the program is executed whenever a user logs in. This allows the malicious payload to run under the user's permissions, inheriting their privilege level.

For example, in a malware sample analyzed in January 2024 within a sandbox environment, a malicious StubPath was observed pointing to [18]:

Another example is coming from the backdoor trojan Poisonivy, which uses this technique for persistence. Detected by Microsoft Defender Antivirus as Backdoor:Win32/Poisonivy.E, Poisonivy is known for unauthorized access and control capabilities. It modifies the registry to ensure automatic execution:

This command adds a StubPath value pointing to c:\windows:svvchost.exe, a malicious executable. When a user logs in, this executable is automatically launched, allowing Poisonivy to maintain persistence and control over the machine. The trojan further hides its presence by injecting itself into processes like iexplore.exe, evading firewall detection and executing commands received from a remote server. 

The Active Setup attack technique, characterized by the abuse of inherent system features, presents a significant challenge for mitigation through preventive controls. Since it leverages legitimate functionalities and processes of the operating system, distinguishing between normal and malicious use becomes complex. Standard preventive measures may not effectively counteract these tactics without potentially impacting regular system operations, necessitating a more nuanced approach to detection and response.

#9.14. T1547.015 Login Items

Login items in macOS are applications, documents, folders, or server connections that automatically launch when a user logs into their account. Designed for convenience, they allow frequently used programs and files to be readily accessible at session start. Users manage these items through System Preferences, customizing their startup routine. This feature's ability to execute programs automatically makes it an attractive target for adversaries seeking persistence or privilege escalation.

Adversary Use of Login Items

Adversaries exploit macOS login items to launch malicious software automatically upon user login, aiming for persistence or privilege escalation. These login items, including applications, documents, folders, or server connections, are added using scripting languages like AppleScript. Particularly in macOS versions prior to 10.5, AppleScript is utilized to send Apple events to the "System Events" process, manipulating login items for malicious purposes.

Additionally, adversaries may employ Native API calls, leveraging the Service Management Framework, which involves API calls such as SMLoginItemSetEnabled. This technique enables the discreet insertion of harmful programs into the user's login sequence. By using both shared file list login items and the Service Management Framework, adversaries effectively maintain a stealthy presence within the system. 

Here's an example of a command that adversaries might use [19].

When executed, this command adds the specified path to the list of applications that automatically start upon user login, with the hidden:true property ensuring the application runs without displaying any visible interface to the user. This stealthy method allows the malicious software to execute unnoticed, achieving persistence on the system. 

Such an attack technique is challenging to mitigate with preventive controls due to its reliance on the abuse of legitimate system features. The script leverages standard macOS functionalities designed for user convenience, making it difficult to distinguish between benign and malicious use without impacting normal operations.

References

[1] “Website.” Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a

[2] T. Pereira, “Threat actor believed to be spreading new MedusaLocker variant since 2022,” Cisco Talos Blog, Oct. 03, 2024. Available: https://blog.talosintelligence.com/threat-actor-believed-to-be-spreading-new-medusalocker-variant-since-2022/. [Accessed: Dec. 09, 2024]

[3] “Analysis PO 4500580954.exe (MD5: 33F8D6808E46166B89B9E45C6BE99584) Malicious activity - Interactive analysis ANY.RUN.” Available: https://app.any.run/tasks/1d05d194-7423-49f6-a0ef-0d964abaad0e. [Accessed: Dec. 09, 2024]

[4] Joe Security LLC, “Automated Malware Analysis Report for file.exe - Generated by Joe Sandbox,” Joe Security LLC. Available: https://www.joesandbox.com/analysis/776315/0/html. [Accessed: Dec. 15, 2023]

[5] Joe Security LLC, “Automated Malware Analysis Report for lsass.exe - Generated by Joe Sandbox,” Joe Security LLC. Available: https://www.joesandbox.com/analysis/1451836/0/html. [Accessed: Dec. 09, 2024]

[6] F. Roth, F. Ploss, B. Deibel, M. Hirtz, and P. Hager, “Unveiling KamiKakaBot - Malware Analysis - Nextron Systems,” Mar. 22, 2024. Available: https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/. [Accessed: Dec. 09, 2024]

[7] “Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for ‘Mandela.exe.’” Available: https://www.hybrid-analysis.com/sample/c6818da28a36a7ed628e5a86ede3a642b609b34b2f61ae4dba9a4814d6822d2f/663e52537f9f4475f20d101b. [Accessed: Dec. 09, 2024]

[8] “GitHub - gentilkiwi/mimikatz: A little tool to play with Windows security,” GitHub. Available: https://github.com/gentilkiwi/mimikatz. [Accessed: Dec. 28, 2023]

[9] “Empire/Invoke-TokenManipulation.ps1 at master · EmpireProject/Empire,” GitHub. Available: https://github.com/EmpireProject/Empire. [Accessed: Dec. 12, 2022]

[10] “MAR-10135536-8 – North Korean Trojan: HOPLIGHT,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/analysis-reports/ar19-100a. [Accessed: Dec. 28, 2023]

[11] A. Ishiaku, “Snapekit detection with,” Wazuh, Oct. 30, 2024. Available: https://wazuh.com/blog/snapekit-detection-with-wazuh/. [Accessed: Dec. 09, 2024]

[12] “[No title].” Available: https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf. [Accessed: Dec. 28, 2023]

[13] GReAT, “Ferocious Kitten: 6 years of covert surveillance in Iran,” Kaspersky, Jun. 16, 2021. Available: https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/. [Accessed: Dec. 13, 2024]

[14] “[No title].” Available: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf. [Accessed: Dec. 29, 2023]

[15] I. Ilascu, “New PipeMon malware uses Windows print processors for persistence,” BleepingComputer, May 21, 2020. Available: https://www.bleepingcomputer.com/news/security/new-pipemon-malware-uses-windows-print-processors-for-persistence/. [Accessed: Dec. 29, 2023]

[16] “Transparent Tribe Targets Indian Government, Defense, and Aerospace Sectors Leveraging Cross-Platform Programming Languages,” BlackBerry, May 22, 2024. Available: https://blogs.blackberry.com/en/2024/05/transparent-tribe-targets-indian-government-defense-and-aerospace-sectors. [Accessed: Dec. 16, 2024]

[17] Volexity, “DISGOMOJI Malware Used to Target Indian Government,” Volexity, Jun. 13, 2024. Available: https://www.volexity.com/blog/2024/06/13/disgomoji-malware-used-to-target-indian-government/. [Accessed: Dec. 16, 2024]

[18] Joe Security LLC, “Automated Malware Analysis Report for Setup.exe - Generated by Joe Sandbox,” Joe Security LLC. Available: https://www.joesandbox.com/analysis/1372254/0/html. [Accessed: Dec. 16, 2024]

[19] “Boot or Logon Autostart Execution: Login Items.” Available: https://attack.mitre.org/techniques/T1547/015/. [Accessed: Dec. 29, 2023]