This is about … .
Autostart
MITRE: https://attack.mitre.org/techniques/T1547/
Some autostart utilities run under elevated privileges (SYSTEM, or inside lsass.exe/winlogon.exe), so an entry planted there gives persistence + escalation at the same time.
Techniques:
- Registry Run Keys / Startup Folder
  - Windows
    - Startup folder, current user (default): C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
    - Startup folder, all users (default): C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
    - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (default)
    - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce (default)
    - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (default)
    - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce (default)
    - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx (default). A numbered subkey can carry a Depend subkey whose values are DLL paths that get loaded at the next logon, e.g.:
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll"
    - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
      (these four define where the Startup folders actually live; redirecting the Startup entry changes which directory is executed at logon)
    - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
    - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (when specified in the policy settings)
    - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (when specified in the policy settings)
    - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    - HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows: programs listed in its "load" value run when that user logs on (HKCU, so per user, not for every user)
    - BootExecute: by default the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager is set to "autocheck autochk *". This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value, and they will launch automatically at boot (before any user logs on, as SYSTEM).
- Authentication Package: adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ with the key value "Authentication Packages"=<target binary>. The binary is then executed by the system (inside lsass.exe) when the authentication packages are loaded. The value is a multistring; an attacker appends to it rather than replacing the existing msv1_0 entry, otherwise logon breaks.
- Time Providers: time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\. The time provider manager, directed by the service control manager, loads and starts the time providers listed and enabled under this key at system startup and/or whenever parameters are changed.
- Winlogon Helper DLL: registry entries in HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon.
  - Winlogon\Notify - points to notification package DLLs that handle Winlogon events
  - Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on
  - Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on
- Security Support Provider: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages - DLLs listed here load into LSA space (lsass.exe), meaning they have access to unencrypted password material.
- Kernel Modules and Extensions (UNIX)
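The following is an added audit script, not part of the original notes, that walks the Windows locations listed above in read-only fashion and flags the values whose stock default is known (BootExecute, Winlogon Userinit/Shell, LSA Authentication Packages). The "expected" defaults are assumptions about a clean install; the notes themselves only name autochk, userinit.exe and explorer.exe. Everything without a safe universal default (Security Packages, Winlogon\Notify, time providers) is printed for manual review.

```powershell
# Added example (not from the original notes): read-only audit of the autostart
# locations listed above. Run from an elevated PowerShell so HKLM is fully readable.
# The baseline values below are ASSUMED stock defaults; a DEVIATES result means
# "go look", not "compromised".

function Get-AutorunValues {
    # Emit every value under a registry key, skipping PowerShell's own PS* note properties.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $item = Get-ItemProperty -LiteralPath $Path
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }
        [pscustomobject]@{ Location = $Path; Name = $p.Name; Value = ($p.Value -join ' | ') }
    }
}

function Test-Baseline {
    # Compare one value (string or multistring) against an assumed stock default.
    param([string]$Path, [string]$Name, $Expected)
    $actual = (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $actual)                          { $status = 'MISSING' }
    elseif (Compare-Object @($Expected) @($actual)) { $status = 'DEVIATES' }   # case-insensitive
    else                                            { $status = 'default' }
    [pscustomobject]@{ Location = "$Path\$Name"; Actual = ($actual -join ' | '); Status = $status }
}

# 1. Run / RunOnce / RunServices / policy Run keys and the per-user "load" value.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
)
'== Run-style keys =='
$runKeys | ForEach-Object { Get-AutorunValues $_ } | Format-Table -AutoSize

# 2. RunOnceEx, recursing so the Depend subkeys (DLLs loaded at next logon) are included.
'== RunOnceEx (including Depend subkeys) =='
$roe = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
if (Test-Path -LiteralPath $roe) {
    Get-ChildItem -LiteralPath $roe -Recurse | ForEach-Object { Get-AutorunValues $_.PSPath } | Format-Table -AutoSize
}

# 3. Startup folders, honouring a redirected per-user Startup from User Shell Folders.
'== Startup folders =='
$startupDirs = @(
    (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp')
)
$usf = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' -ErrorAction SilentlyContinue
if ($usf -and $usf.Startup) { $startupDirs += [Environment]::ExpandEnvironmentVariables($usf.Startup) }
$startupDirs | Select-Object -Unique | Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Get-ChildItem -LiteralPath $_ -File | Select-Object FullName, LastWriteTime } | Format-Table -AutoSize

# 4. Values with an assumed stock default: Session Manager, Winlogon, LSA authentication packages.
'== Baseline checks =='
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
@(
    (Test-Baseline 'HKLM:\System\CurrentControlSet\Control\Session Manager' 'BootExecute' @('autocheck autochk *')),
    (Test-Baseline $winlogon 'Userinit' "$env:SystemRoot\system32\userinit.exe,"),
    (Test-Baseline $winlogon 'Shell'    'explorer.exe'),
    (Test-Baseline 'HKLM:\System\CurrentControlSet\Control\Lsa' 'Authentication Packages' @('msv1_0'))
) | Format-Table -AutoSize

# 5. No safe universal default for these: print for manual review.
'== Review manually: LSA security packages, Winlogon\Notify, time providers =='
Get-AutorunValues 'HKLM:\System\CurrentControlSet\Control\Lsa'          | Where-Object Name -eq 'Security Packages'
Get-AutorunValues 'HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig' | Where-Object Name -eq 'Security Packages'
if (Test-Path -LiteralPath "$winlogon\Notify") {
    Get-ChildItem -LiteralPath "$winlogon\Notify" | ForEach-Object { Get-AutorunValues $_.PSPath }
}
Get-ChildItem -LiteralPath 'HKLM:\System\CurrentControlSet\Services\W32Time\TimeProviders' | ForEach-Object {
    $tp = Get-ItemProperty -LiteralPath $_.PSPath
    [pscustomobject]@{ Provider = $_.PSChildName; DllName = $tp.DllName; Enabled = $tp.Enabled }
} | Format-Table -AutoSize
```

Compare-Object is used for the baseline because BootExecute and Authentication Packages are REG_MULTI_SZ: a planted entry is usually appended next to the legitimate one, so a plain string equality on the first element would miss it. Any DLL or EXE path this prints that lives outside System32, in a user-writable directory, or in a Depend subkey is the first thing to pull for triage.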