.svg)
.svg)
During a system startup, Boot Logon and Auto Start Execution take place automatically to ensure secure access to resources and provide necessary functionality from the moment the computer system is operational. While system administrators use these processes to streamline the user experience, adversaries exploit Boot Logon and Auto Start Execution to maintain persistence or elevate privileges on compromised systems.
In this blog, we explain the T1547 Boot or Logon Autostart Execution technique of the MITRE ATT&CK® framework and how adversaries employ its sub-techniques in attack campaigns in detail.
Download the Red Report - Top Ten MITRE ATT&CK Techniques
What Is Boot Logon and Auto Start Execution?
Boot Logon and Auto Start Execution are integral components of modern computing systems, functioning to streamline and manage the initiation of processes and applications during the startup phase of a computer and upon user login.
Boot Logon
Boot Logon encompasses the series of actions and procedures triggered when a computer is powered on and begins loading the operating system. This phase is crucial for setting up the computer's environment, involving the loading of
- the system's basic input/output system (BIOS),
- Unified Extensible Firmware Interface (UEFI),
- the initialization of hardware components, and
- the launching of essential operating system services.
The primary objective of Boot Logon is to ensure that the foundational elements of the system are correctly loaded and configured, providing a stable and operational platform for the user and any subsequent processes.
Auto Start Execution
Auto Start Execution, on the other hand, refers to the automatic launching of certain programs, scripts, or services either when a user logs into the system or under specific pre-set conditions. This feature enhances user convenience and system efficiency by ensuring that frequently used applications or essential system services, such as security software and system monitoring tools, are readily available without manual intervention. Auto Start Execution can be configured through various mechanisms within the operating system, including but not limited to specific registry keys in Windows environments, startup folders, or the creation of scheduled tasks.
Together, Boot Logon and Auto Start Execution form a critical part of the user experience and system functionality, enabling a seamless transition from system startup to operational readiness by automating the initiation of key processes and applications. While these features are designed with efficiency and user convenience in mind, they also demand careful management and oversight to prevent misuse, particularly in the context of unauthorized or malicious software seeking to exploit these mechanisms for persistence or unauthorized activities.
Adversary Use of Boot or Logon Autostart Execution
Adversaries can exploit Boot or Logon Autostart Execution mechanisms to achieve persistence, privilege escalation, and stealth in a compromised system. By leveraging these features, malicious actors can ensure their malware or tools are automatically executed whenever the system boots up or a user logs in. This can be particularly challenging to detect and remove, as the processes can embed themselves deeply within the system's normal operations.
Here are some common ways adversaries might use these mechanisms:
- Persistence: Malware can insert entries into places where Boot or Logon Autostart Execution is configured, such as the Windows Registry (e.g., Run, RunOnce keys), startup folders, or scheduled tasks. This ensures that the malware is launched every time the system starts or when a user logs in, maintaining the adversary's presence on the system.
- Privilege Escalation: Some autostart methods can be exploited to run code with higher privileges. For instance, if malware can write to an autostart location that is executed with administrative privileges, it can effectively escalate its privileges on the system.
- Stealth: By embedding themselves in normal boot or logon processes, malicious programs can operate under the guise of legitimate processes, making detection more difficult. This can be particularly effective if the malware mimics or replaces legitimate system files or services.
- Bypassing Security Software: Some malware targets autostart locations that are executed before certain security software, allowing the malware to run and potentially disable or evade detection by the security tools.
- Remote Control Execution: By ensuring their code is executed at startup or logon, adversaries can establish backdoors, enabling remote control over the system or allowing continuous surveillance and data exfiltration.
- Spreading and Lateral Movement: Some types of malware use autostart mechanisms to spread themselves across networks. For example, once they gain access to a system, they can add scripts or executables to autostart locations that will infect other systems on the network.
To defend against misuse of autostart features, it is advised to restrict write access to these areas, use security software for detection, regularly audit autostart settings, and educate users about software risks.
Sub-techniques of T1547 Boot or Logon Autostart Execution
T1547.001 Registry Run Keys / Startup Folder
Registry Run Keys and the Startup Folder in Windows are designated areas where programs are configured to launch automatically at system boot or user login. Located within the Windows Registry and the file system, respectively, these features are designed for convenience, allowing applications and scripts to initialize immediately upon startup and enhancing user experience by providing immediate access to frequently used programs and services.
Adversaries target Windows Run keys and the Startup folder for persistence, as these Registry areas control automatic application launches at login or boot. By manipulating them, malicious software can be consistently executed, allowing the adversary to maintain a presence on a compromised system and exploit mechanisms for legitimate auto-start processes.
Uncover the Top 10 MITRE ATT&CK Techniques
1. Exploiting Registry Run Keys for Persistence
By adding entries to Run Keys, malicious actors can execute their payloads, ensuring their programs activate during user logins and inherit the user's permissions for enhanced access.
The primary run keys targeted are as follows:
|
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce |
Additionally, although not a default feature on newer Windows systems, adversaries can utilize the following key to load additional components like DLLs during logon.
|
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx |
For instance, the following command demonstrates how to use the Windows Registry to load a DLL file during the logon process [1]. Specifically, it adds a new entry to the RunOnceEx key within the Windows Registry.
|
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\malicious[.]dll" |
This key, "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend", is created with the command "reg add", and it is configured to load a DLL named "malicious[.]dll" from the "C:\temp" directory. The "/v 1" specifies the value name, and "/d" assigns the data, which in this case is the path to the DLL file. This method is often used for executing tasks once at the next system startup, and in this context, it's shown as a way to load a malicious DLL file.
In another instance, Chinese hackers have achieved persistence by inserting a specific registry key, enabling the malware to launch during system startup [2].
|
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\gvlc |
We also see the same approach in CISA's cybersecurity advisory on Qakbot malware (AA23-242A) in August 2023, where QakBot established persistence by adding a particular registry key to be run at startup. [3].
As a final example, in October 2023, during malware analysis within a sandbox on a Windows system, the following registry entry was discovered as an artifact [4]:
|
HKCU\Software\Microsoft\Windows\CurrentVersion\Run ExtreamFanV5 C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe |
This specific entry reveals that a program, "ExtreamFanV5.exe", located in the user's AppData\Local directory, has been configured to start automatically with each user login on their Windows account. The executable's path is appended to the Run key within the HKCU branch of the Windows Registry, ensuring its execution upon every user login. Consequently, this facilitates persistent access or activity without necessitating manual intervention by the user every time the system starts.
2. Startup Folder Technique as a Vector for Persistence
Adversaries often exploit the startup folder method by placing malicious executables in locations that Windows automatically checks during user logon. These folders include a specific directory for individual user accounts and a general one that applies system-wide. The correct paths are as follows:
|
# Individual User Startup Folder C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup # System-wide Startup Folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp |
By placing their malware in these folders, adversaries can trigger automatic execution of these programs at each user logon, furthering their goal of persistent system access.
For instance, as disclosed in June 2023, Fractureiser malware used this technique [5]. The malware first locates the AppData directory, a common place to hide since files here are often overlooked during manual inspections. The adversary is using the environment variable or defaulting to a standard path.
|
appData = System.getenv("APPDATA"); |
Next, the malware then locates the Windows Startup directory. By placing itself or a script here, the malware ensures it is executed every time the user logs in, thus gaining persistence.
|
windowsStartupDirectory = path.resolve(Paths.get("Microsoft", "Windows", "Start Menu", "Programs", "Startup")); |
The malware seems to be masquerading as a seemingly legitimate file (perhaps imitating a component of Microsoft Edge). This obfuscation can help it avoid detection by both users and antivirus software.
|
if (windows) { |
In summary, this code snippet is part of a sophisticated malware program designed to establish persistence on Windows systems. It achieves this by placing itself or a component in the system's startup folders, ensuring execution at every log-in. The malware uses environment variables and standard paths to find these directories and then checks for write permissions, indicating an intention to modify these directories.
3. Manipulating Registry for Startup and Service Control
To further establish their presence, adversaries may modify additional registry keys that influence startup folder items or control the automatic startup of services during system boot. They commonly alter entries within both the HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE branches, impacting user shell folders and service startup configurations. This manipulation involves keys such as:
|
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices |
For example, the command below adds a new value to the RunServicesOnce key within the HKEY_LOCAL_MACHINE hive, instructing Program.exe to execute during the next system startup [6]:
|
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v "MyService" /d "C:\Path\To\Malicious\Program.exe" |
Given that this attack focuses on HKEY_LOCAL_MACHINE (HKLM), it has ramifications for all users on the system. However, if HKEY_CURRENT_USER (HKCU) were utilized, it would specifically target the current user.
The provided example from a sandbox report accurately depicts how malware often utilizes the 'push' command to load the address of a specific Windows Registry key onto the stack. This action suggests the malware's intention to manipulate system settings for persistence [4].
|
Opcode |
Instruction |
Meta Information |
|
68F8EA4D00 |
push 004DEAF8h |
UTF-16 "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce" |
This specific line of meta information illustrates the malware's preliminary step in modifying the RunServicesOnce registry key under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion. By targeting this key, the malware aims to insert its own executable path, ensuring that its payload is automatically launched once upon the next system startup.
This tactic is a clear sign of the malware's strategy to maintain its presence on the infected system. After the initial infection, this step is crucial for the malware's lifecycle, enabling it to survive reboots and continue its operations (which could range from data exfiltration to further system compromise) without further user interaction or detection.
4. Boot Execution as an Infiltration Method
The adversaries may also target the BootExecute value in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager. By default, this key is set for system integrity checks but can be exploited to run additional malicious programs or processes at system boot, ensuring their activation before many security measures are in place.
In summary, through these various methods, adversaries aim to install and operate malware, including remote access tools, in a manner that survives system reboots and evades detection. Often, they employ masquerading techniques, making their registry entries appear legitimate to blend in with authentic system processes. This strategic manipulation of autostart execution mechanisms underscores the importance of vigilant monitoring and robust security practices in protecting against persistent threats.
T1547.002 Authentication Package
Authentication packages in Windows are crucial for the operating system's management of logon processes and security protocols. These packages, typically in the form of Dynamic Link Libraries (DLLs), are loaded by the Local Security Authority (LSA) process at system startup. Their primary role is to facilitate various logon processes and implement security protocols, making them an integral component of the authentication system in Windows.
Adversaries often exploit Windows systems by manipulating the Registry to gain persistent and elevated access. A common tactic involves targeting the HKLM\SYSTEM\CurrentControlSet\Control\Lsa key, which is critical for authentication processes. To achieve this, attackers might execute a command like the following:
|
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Authentication Packages" /t REG_MULTI_SZ /d "C:\Path\To\evil.dll" /f |
This command adds their malicious DLL (evil.dll) to the list of authentication packages. When the system boots, the LSA process, which runs with high privileges, loads this DLL. Consequently, the malicious code gains elevated privileges and executes seamlessly within the system context. By embedding their code in such a critical system process, adversaries ensure that their payload remains active and undetected, executing with every system startup.
For example, according to CISA's cybersecurity advisory released in December 2023 [7], the Russian Foreign Intelligence Service (SVR) runs the following reg command on their victim's system:
|
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v NoLMHash /t REG_DWORD /d "0" /f |
This command targets the NoLMHash value within the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa path of the Registry. However, setting the NoLMHash value to 0 does not disable a security feature. Instead, it enables the storage of LM hash values of passwords. LM hashes are less secure due to their vulnerability to brute-force attacks, and modern Windows systems typically do not store LM hashes by default for enhanced security. Therefore, this command actually weakens password security by enabling the storage of these less secure hashes.
In addition, the Russian Foreign Intelligence Service (SVR) also modified the DisableRestrictedAdmin key to enable remote connections with the following reg command [7].
|
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d "0" /f |
This command specifically targets the DisableRestrictedAdmin value within the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa path. By setting DisableRestrictedAdmin to 0 and using the /f flag to force the update, the SVR effectively disabled the Restricted Admin mode for Remote Desktop Protocol (RDP) connections. Restricted Admin mode is a security feature in Windows that, when enabled, provides a more secure environment for RDP by not allowing credentials to be sent to the remote system. By disabling this feature, the SVR enhanced its ability to remotely connect to compromised systems without the usual security restrictions imposed by Windows.
T1547.003 Time Providers
In Windows, the W32Time service ensures time synchronization within and across domains. Time providers within this service, implemented as DLLs, fetch and distribute time stamps from various sources. They are registered in the Windows Registry, making them attractive targets for adversaries who can replace legitimate DLLs with malicious ones to exploit this crucial synchronization mechanism for nefarious purposes.
Adversaries aiming to maintain persistence on a Windows system may target the W32Time service, a critical component for time synchronization in network operations. They achieve this by manipulating a specific registry key:
|
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\ |
By obtaining administrative privileges, attackers can alter this registry key to include a malicious DLL. This is typically done using the reg add command. For instance, they might add a new subkey to register their malicious DLL as a time provider using a command like:
|
"HKLM\System\CurrentControlSet\Services\W32Time\TimeProviders\MyMaliciousTimeProvider" /v "DllName" /d "C:\Path\To\Malicious.dll" /f |
This method is covert and effective, embedding the malware within an essential system service. When the system boots up or the W32Time service is restarted, the service control manager loads the registered time providers, including the malicious DLL. This DLL, running under the Local Service account, possesses sufficient privileges to carry out various malicious activities, exploiting the critical role of the time synchronization service in network operations.
To mitigate the risk of adversaries exploiting the W32Time service in Windows systems, a combination of restrictive measures is essential. Implementing Group Policy to restrict file and directory permissions can prevent unauthorized modifications to W32Time DLLs, blocking the insertion of malicious code. Simultaneously, restricting registry permissions through Group Policy is crucial for safeguarding W32Time registry settings against unauthorized changes.
T1547.004 Winlogon Helper DLL
Winlogon Helper DLLs extend the functionality of the Windows Logon process, executing code during user sessions. Integral to system operations, these DLLs are loaded by Winlogon, which manages user logins, security, and interface. Due to their elevated privileges and critical role in system processes, adversaries frequently exploit these DLLs to stealthily execute malicious code, gaining persistent, high-level access to compromised systems.
By strategically modifying specific registry entries, adversaries can manipulate Winlogon to load and execute malicious DLLs and executables during login events.
They typically focus on keys like the following, which are pivotal for Winlogon's helper functionalities.
|
HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\
|
Common tactics include
- altering the Winlogon\Shell key to replace the default system shell with a malicious executable
- modifying Winlogon\Userinit to change the standard userinit.exe to a custom executable
- adding new notification package DLLs through Winlogon\Notify
These changes cause the malicious files to execute under the context of the logged-in user or the Local System account, providing the adversaries with a reliable method for maintaining access.
For instance, according to CISA's cybersecurity advisory published in May 2023, LockBit 3.0, a sophisticated ransomware variant, utilizes the Winlogon Helper DLL technique by manipulating the Windows Registry to enable automatic logon [8]. It sets specific keys within SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon — namely AutoAdminLogon, DefaultUserName, DefaultDomainName, and DefaultPassword — to configure Windows to automatically log in with predetermined credentials. This setup allows the ransomware to gain immediate access upon system reboot, ensuring that its malicious activities, like encryption of files, can resume uninterrupted.
T1547.005 Security Support Provider
Security Support Providers (SSPs) in Windows are dynamic libraries that provide authentication and security services, typically loaded into the Local Security Authority (LSA) process. They handle sensitive tasks like password authentication. Adversaries target SSPs to load malicious DLLs, exploiting their integral role and privileges for persistence and access to sensitive data, such as plaintext and encrypted passwords, often leading to privilege escalation.
Adversaries frequently target Windows Security Support Providers (SSPs) to gain persistent access and escalate privileges. By injecting malicious DLLs into the LSA process, they exploit SSPs' central role in authentication. This often involves modifying registry keys like the following to control SSP loading at startup.
|
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages |
For instance, using the following command, they can add a malicious SSP.
|
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages" /v "MyMaliciousSSP" /d "C:\Path\To\Malicious.dll" /f |
Tools like PowerSploit or Mimikatz [9] can simplify this process, offering functionalities like Install-SSP and Invoke-Mimikatz for installing SSPs and logging authentication events. Additionally, frameworks like Empire [10] can enumerate existing SSPs, providing adversaries with a comprehensive toolkit for manipulating these critical components.
For instance, as disclosed by CISA, the North Korean Trojan HOPLIGHT utilized a technique involving the manipulation of SSPs by targeting the LSASS in Windows [11]. HOPLIGHT specifically modified the Security Packages registry key within SYSTEM\CurrentControlSet\Control\Lsa to allow the Trojan to inject its malicious code into the authentication process handled by LSASS. By doing so, HOPLIGHT gained the ability to intercept and manipulate sensitive security data, such as passwords, and potentially escalated its privileges within the system.
This sophisticated approach not only facilitated persistent access to the compromised system but also significantly compromised its security integrity, thereby demonstrating the advanced capabilities of state-sponsored cyber threats.
T1547.006 Kernel Modules and Extensions
Kernel modules in Linux (Loadable Kernel Modules, or LKMs) and kernel extensions in macOS (kexts) are components used to extend the core functionality of the system's kernel without needing to reboot. These modules and extensions can dynamically add capabilities to the kernel, allowing for hardware support, file system extensions, and other low-level operations directly within the kernel's domain.
Adversaries may exploit kernel modules and extensions to achieve persistence and privilege escalation on systems by modifying the kernel to execute programs on system boot. This approach targets LKMs in Linux and kexts in macOS, both of which are used to extend kernel functionality without rebooting the system.
1. Exploiting Loadable Kernel Modules (LKMs) in Linux
In this section, we assume that the adversary has gained access to a Linux system and has escalated their privileges to obtain root access, which is a necessary step for loading kernel modules.
The adversary may write a malicious LKM in C, customizing it to perform tasks such as hiding files and processes, establishing backdoors, or providing unauthorized root access. To ensure compatibility, the malicious module is compiled using Linux kernel headers. A typical command for this compilation process is as follows:
|
make -C /lib/modules/$(uname -r)/build M=$(pwd) modules |
This command compiles loadable kernel modules in Linux. It utilizes the 'make' tool to build modules, with the '-C' option indicating the kernel's build directory that matches the current kernel version (determined by $(uname -r)). The 'M=$(pwd)' portion specifies the directory where the module's source code is located. This ensures that the module is compiled against the appropriate kernel headers, ensuring compatibility with the currently running kernel.
Subsequently, with root privileges, the adversary employs either 'insmod' or 'modprobe' to load the module into the kernel. For instance:
|
insmod malicious_module.ko |
Once loaded, the LKM operates with kernel-level privileges, granting the adversary the ability to manipulate system operations and maintain persistence, often by executing automatically upon system boot.
As a recent case in point, in October 2023, the Qubitstrike malware campaign introduced the 'Diamorphine' LKM (loadable kernel module) rootkit [12], aiding in the concealment of specific processes from monitoring tools.
2. Exploiting Kernel Extensions (kexts) in macOS
For this technique, adversaries first develop a malicious kernel extension (kext) for macOS, typically written in C or C++. This kext is designed to carry out malicious actions, such as establishing backdoors, hiding files, or intercepting user activities. They compile the kext using Xcode, Apple's integrated development environment, with a command like:
|
xcodebuild -target [KextNameDecided] -configuration Release |
This command compiles the kext against macOS kernel headers, ensuring compatibility with the targeted macOS version.
Next, to bypass macOS's security measures, adversaries must address the signing of the kext. Ideally, they use a developer ID certificate granted by Apple, but this is often not feasible for malicious activities. Therefore, they might target systems with System Integrity Protection (SIP) disabled, allowing unsigned kexts to be loaded. Alternatively, they may use social engineering or other methods to trick users into disabling SIP.
With SIP disabled, the adversary then loads the kext into the system using the kextload command:
|
sudo kextload /path/to/malicious.kext |
Once the kext is loaded, it operates with kernel-level privileges, providing the adversary with significant control over the system. This can include executing code with elevated privileges, modifying system processes, or remaining hidden from traditional security tools.
T1547.007 Re-opened Applications
Re-opened applications in macOS automatically start upon user login, a feature designed for user convenience. This is facilitated through a property list file, which records applications running during the last logout. Adversaries exploit this by inserting malicious applications into this list, ensuring their automatic execution upon user login, thereby stealthily achieving persistence.
Adversaries harness macOS's re-opened applications feature to establish persistence by manipulating a plist file, such as com.apple.loginwindow.<UUID>.plist, found in the user's ~/Library/Preferences/ByHost directory. This file stores the configuration for applications to be automatically relaunched when a user logs back in—a feature users opt into for convenience via a prompt during logout. Malicious actors append their own entries into this plist using commands like [13]:
|
$ plutil -p ~/Library/Preferences/ByHost/com.apple.loginwindow.<UUID>.plist |
This outputs the plist's contents, where attackers can add entries with keys specifying the bundle identifier and path to their malware.
For example:
|
{ |
In doing so, the malware is automatically executed each time the user logs in, leveraging legitimate macOS functionality to maintain a covert presence.
T1547.008 LSASS Driver
LSASS drivers in Windows are legitimate drivers loaded by the Local Security Authority Subsystem to manage various security policies. Adversaries target these drivers due to their high privilege level, which, when compromised, can grant deep system access, allowing for persistent and covert exploitation of the infected host system.
Adversaries can achieve persistent access to compromised systems by modifying or adding drivers associated with the LSASS. Within the Windows security architecture, LSASS plays a crucial role in enforcing security policies and managing user authentication. This service, running as the 'lsass.exe' process, incorporates multiple DLLs connected to different security functions.
By targeting these LSASS drivers, adversaries can gain persistent control. This is achieved through either replacing existing drivers or adding unauthorized ones, a technique known as "Hijack Execution Flow". Through such modifications, attackers can exploit the LSA operations to repeatedly execute malicious payloads, leveraging the high privileges and core functionalities of LSASS. This approach provides a stealthy and robust method for attackers to maintain their presence within the system and carry out their activities without easy detection.
For instance, the Wingbird malware, identified as Backdoor:Win32/Wingbird.A!dha, enters target systems through spear-phishing and an Adobe Flash exploit. It targets critical processes, injecting code into 'winlogon.exe' and 'services.exe' processes. Notably, it replicates 'lsass.exe' in a directory such as "\ProgramData\AuditService" and places the malicious 'sspisrv.dll' alongside it. This setup allows 'sspisrv.dll' to execute as a driver before the replicated 'lsass.exe' crashes. Consequently, 'sspisrv.dll' injects code into 'svchost.exe', turning it into a backdoor for command execution and data exfiltration, exploiting the system while masquerading as legitimate operations. This attack exemplifies sophisticated methods used to compromise LSASS for persistent system access and control. [14]
T1547.009 Shortcut Modification
Shortcut modifications refer to altering Windows shortcut files (LNK files), which are essentially pointers to an executable file. This technique involves changing a shortcut's properties, such as its target path, to redirect users to a program or script different from the one originally intended. The modification can be subtle, often keeping the shortcut's original icon and name, making it difficult for users to notice the change.
By editing the target path of a shortcut or replacing it entirely, adversaries can deceive users into launching their malware under the guise of a familiar program.
For instance, as disclosed in February 2023 in the IceBreaker malware attack, adversaries craftily use LNK files as an infiltration tool [15]. They lure customer service representatives of gaming companies into downloading these LNK files, which are disguised as innocuous images.
Once executed, these shortcuts initiate a download of an MSI (Microsoft Installer) package from the attacker's C2 server, which contains a complex payload named "Port.exe". This executable, a sophisticated backdoor, is designed to evade detection and establish persistence by creating a new LNK file in the Windows startup folder. This method ensures that the malware is reactivated with each system boot, maintaining the attacker's access and control over the compromised system.
Another example, as highlighted by CISA's AA22-083A security advisory, involves Russian cyber actors manipulating LNK files to conduct credential harvesting [16]. They altered the icon path in the shortcut files to point to a remote server under their control. When a user navigated to the directory containing the modified shortcut, Windows attempted to retrieve the icon from this server, unknowingly initiating an SMB session. This session inadvertently transmitted the user's credentials to the threat actors. Such a strategy exemplifies the effectiveness of shortcut modification in achieving both persistence and facilitating sophisticated cyber espionage.
T1547.010 Port Monitors
Port monitors in Windows facilitate printer communications and can be exploited by adversaries for malicious purposes. By replacing or adding a port monitor DLL via the Windows Registry, adversaries can ensure their code is executed with high privileges by the print spooler service during system boot, achieving persistence and potential privilege escalation.
By setting a port monitor to load a malicious DLL at startup, adversaries can execute code as SYSTEM, the highest level of privilege in Windows. This technique involves modifying a specific registry key to point to a malicious DLL. The key of interest is HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors, which contains entries for various types of print monitors like Local Port, Standard TCP/IP Port, and WSD Port, etc [17]. Adversaries can add a new entry or modify an existing one to load their DLL.
For instance, an adversary might execute a command like:
|
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\MyCustomMonitor" /v "Driver" /t REG_SZ /d "C:\Windows\System32\malicious.dll" /f |
This command adds a new port monitor named "MyCustomMonitor" with a driver value pointing to a malicious DLL located in the System32 directory. When the system boots, the print spooler service spoolsv.exe, which runs with SYSTEM privileges, loads this DLL, thereby executing the malicious code with high-level access.
The strategic choice of this registry key and the associated service for persistence lies in the typical trust and elevated privileges granted to the printing subsystem in Windows environments. This method enables the malware to persist across reboots and operate with significant control over the system, making it a preferred tactic for sophisticated adversaries aiming for deep system integration.
T1547.012 Print Processors
Print processors are dynamic link libraries (DLLs) employed by the Windows print spooler service (spoolsv.exe), and they are crucial for managing print jobs, handling data formats, and print layouts. However, they can be exploited by adversaries for malicious purposes, such as achieving persistence and privilege escalation within the system.
Adversaries exploit print processors for persistence and privilege escalation by executing malicious DLLs during system boot. These DLLs are loaded by the print spooler service, spoolsv.exe. Attackers can add malicious print processors using the AddPrintProcessor API (requiring SeLoadDriverPrivilege) or by modifying the Windows Registry.
A common method involves adding a key to this path, which should point to the malicious DLL.
|
HKLM\SYSTEM\[CurrentControlSet or ControlSet001]\Control\Print\Environments\[Windows architecture]\Print Processors\[user defined]\Driver |
The malicious DLL must be in the system print-processor directory or a relative path found using the GetPrintProcessorDirectory API. After installation, restarting the print spooler service activates the malicious print processor. The loaded DLL gains elevated privileges since this service runs with SYSTEM-level permissions.
For example, the Earth Lusca APT group used this method by executing [18]:
|
reg add "HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\UDPrint" /v Driver /d "spool.dll" /f |
This command creates a new print processor, UDPrint, with its driver set to spool.dll, a malicious DLL. Upon system boot and print spooler restart, spool.dll is executed with SYSTEM permissions.
Furthermore, the PipeMon malware, attributed to the Winnti hacking group, has demonstrated the use of this technique for achieving persistence [19]. The malware deploys a malicious DLL loader into the directory where print processors are stored and subsequently registers it as an alternative print processor by modifying registry values.
To be more specific, the malware alters entries like "PrintFilterPipelineSvc" and "lltdsvc1" to point to its malicious DLLs, such as "DEment.dll" and "EntAppsvc.dll".
|
HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\PrintFiiterPipelineSvc\Driver = "DEment.dll" |
This setup ensures that the malicious print processor is loaded each time the print spooler service starts, which occurs at every system boot, thus maintaining the malware's presence and control over the compromised system.
T1547.013 XDG Autostart Entries
XDG Autostart Entries in Linux are configuration files that enable applications to run automatically at user login. These entries specify scripts or programs to be executed, providing a method for software, including potentially malicious ones, to achieve persistence by ensuring their activation every time a user logs into the system, thus facilitating ongoing control or surveillance.
Adversaries targeting Linux systems can exploit XDG Autostart Entries for persistence by executing malicious programs upon user login. This technique involves manipulating .desktop files in XDG Autostart directories like
- /etc/xdg/autostart
- ~/.config/autostart
These files define applications to launch when a user's desktop environment loads.
For instance, in the case of the Netwire malware, it alters the XDG Autostart Entries for persistence [20]. The malware creates a .desktop file with contents similar to the following:
|
[Desktop Entry] |
This file, when placed in an autostart directory such as ~/.config/autostart, would execute the specified command (/home/user/.config/dbus-notifier/dbus-inotifier) at every desktop environment startup. Netwire's approach often includes masquerading techniques, naming the .desktop file and the executable in a manner that mimics legitimate system processes, thereby evading detection.
By leveraging XDG Autostart Entries in this way, Netwire ensures its persistent activation on the infected system, being automatically re-executed every time the user logs in.
T1547.014 Active Setup
Active Setup in Windows is designed to execute specific programs or scripts automatically at user login, mainly for configuring user profiles on the first login. Its ability to run code for each user profile makes it an attractive target for adversaries, who exploit this feature to achieve persistent and stealthy execution of malicious payloads across all user accounts.
Adversaries often use Active Setup in Windows for persistence by adding a Registry key that executes a program upon user login. Active Setup, a Windows mechanism designed to run programs after a user logs in, can be manipulated by creating a key under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\ and setting a malicious path for StubPath. This path points to the program that will run when the user logs into the computer. Executed under the user's context, it will have the permissions level associated with that account.
For example, the backdoor trojan Poisonivy uses this technique for persistence. Detected by Microsoft Defender Antivirus as Backdoor:Win32/Poisonivy.E, Poisonivy is known for unauthorized access and control capabilities. It modifies the registry to ensure automatic execution:
|
reg add "HKLM\Software\Microsoft\Active Setup\Installed Components\<CLSID>" /v "StubPath" /d "c:\windows:svvchost.exe" /f |
This command adds a StubPath value pointing to c:\windows:svvchost.exe, a malicious executable. When a user logs in, this executable is automatically launched, allowing Poisonivy to maintain persistence and control over the machine. The trojan further hides its presence by injecting itself into processes like iexplore.exe, evading firewall detection and executing commands received from a remote server.
The Active Setup attack technique, characterized by the abuse of inherent system features, presents a significant challenge for mitigation through preventive controls. Since it leverages legitimate functionalities and processes of the operating system, distinguishing between normal and malicious use becomes complex. Standard preventive measures may not effectively counteract these tactics without potentially impacting regular system operations, necessitating a more nuanced approach to detection and response.
T1547.015 Login Items
Login items in macOS are applications, documents, folders, or server connections that automatically launch when a user logs into their account. Designed for convenience, they allow frequently used programs and files to be readily accessible at session start. Users manage these items through System Preferences, customizing their startup routine. This feature's ability to execute programs automatically makes it an attractive target for adversaries seeking persistence or privilege escalation.
Adversaries exploit macOS login items to launch malicious software automatically upon user login, aiming for persistence or privilege escalation. These login items, including applications, documents, folders, or server connections, are added using scripting languages like AppleScript. Particularly in macOS versions prior to 10.5, AppleScript is utilized to send Apple events to the "System Events" process, manipulating login items for malicious purposes.
Additionally, adversaries may employ Native API calls, leveraging the Service Management Framework, which involves API calls such as SMLoginItemSetEnabled. This technique enables the discreet insertion of harmful programs into the user's login sequence. By using both shared file list login items and the Service Management Framework, adversaries effectively maintain a stealthy presence within the system.
Here's an example of a command that adversaries might use [21].
|
tell application "System Events" to make login item at end with properties {path:"/path/to/malicious/executable", hidden:true}. |
When executed, this command adds the specified path to the list of applications that automatically start upon user login, with the hidden:true property ensuring the application runs without displaying any visible interface to the user. This stealthy method allows the malicious software to execute unnoticed, achieving persistence on the system.
Such an attack technique is challenging to mitigate with preventive controls due to its reliance on the abuse of legitimate system features. The script leverages standard macOS functionalities designed for user convenience, making it difficult to distinguish between benign and malicious use without impacting normal operations.
References
[1] O. M. [mvp], “Persistence using RunOnceEx – Hidden from Autoruns.exe,” Oddvar Moe’s Blog, Mar. 21, 2018. Available: https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
[2] B. Toulas, “Chinese hackers use new custom backdoor to evade detection,” BleepingComputer, Mar. 02, 2023. Available: https://www.bleepingcomputer.com/news/security/chinese-hackers-use-new-custom-backdoor-to-evade-detection/.
[3] “Identification and Disruption of QakBot Infrastructure,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-242a.
[4] Joe Security LLC, “Automated Malware Analysis Report for file.exe - Generated by Joe Sandbox,” Joe Security LLC. Available: https://www.joesandbox.com/analysis/776315/0/html.
[5] B. Toulas, “New Fractureiser malware used CurseForge Minecraft mods to infect Windows, Linux,” BleepingComputer, Jun. 07, 2023. Available: https://www.bleepingcomputer.com/news/security/new-fractureiser-malware-used-curseforge-minecraft-mods-to-infect-windows-linux/.
[6] “Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder.” Available: https://attack.mitre.org/techniques/T1547/001/.
[7] “Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a.
[8] “#StopRansomware: LockBit 3.0,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a.
[9] “GitHub - gentilkiwi/mimikatz: A little tool to play with Windows security,” GitHub. Available: https://github.com/gentilkiwi/mimikatz.
[10] “Empire/Invoke-TokenManipulation.ps1 at master · EmpireProject/Empire,” GitHub. Available: https://github.com/EmpireProject/Empire.
[11] “MAR-10135536-8 – North Korean Trojan: HOPLIGHT,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/analysis-reports/ar19-100a.
[12] B. Toulas, “Qubitstrike attacks rootkit Jupyter Linux servers to steal credentials,” BleepingComputer, Oct. 18, 2023. Available: https://www.bleepingcomputer.com/news/security/qubitstrike-attacks-rootkit-jupyter-linux-servers-to-steal-credentials/.
[13] “[No title].” Available: https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf.
[14] Microsoft Corporation, “Backdoor:Win32/Wingbird.A!dha.” Available: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Wingbird.A!dha.
[15] B. Toulas, “Hackers use new IceBreaker malware to breach gaming companies,” BleepingComputer, Feb. 01, 2023. Available: https://www.bleepingcomputer.com/news/security/hackers-use-new-icebreaker-malware-to-breach-gaming-companies/.
[16] “[No title].” Available: https://www.cisa.gov/sites/default/files/publications/AA22-083A_TTPs_of_Indicted_State-Sponsored_Russian_Cyber_Actors_Targeting_the_Energy_Sector.pdf.
[17] “Boot or Logon Autostart Execution: Port Monitors.” Available: https://attack.mitre.org/techniques/T1547/010/.
[18] “[No title].” Available: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf.
[19] I. Ilascu, “New PipeMon malware uses Windows print processors for persistence,” BleepingComputer, May 21, 2020. Available: https://www.bleepingcomputer.com/news/security/new-pipemon-malware-uses-windows-print-processors-for-persistence/.
[20] T. Lambert, “Trapping the Netwire RAT on Linux,” Red Canary, Jan. 30, 2020. Available: https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/.
[21] “Boot or Logon Autostart Execution: Login Items.” Available: https://attack.mitre.org/techniques/T1547/015/.
