This is about … .
Autostart
MITRE: https://attack.mitre.org/techniques/T1547/
Some autostart utilities run under elevated privileges. So, it’s pesistence + escalation.
Techniques:
- Registry Run Keys / Startup Folder
- Windows
- the current user is
C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup(default) - all users is
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp(default) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run(default)HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce(default)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run(default)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce(default)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx:reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell FoldersHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell FoldersHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnceHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnceHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run(when specified in the policy settings)HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run(when specified in the policy settings)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserinitHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ShellHKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windowsrun when any user logs on.- multistring
BootExecutevalue of the registry keyHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manageris set toautocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot. - Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\with the key value of"Authentication Packages"=<target binary>. The binary will then be executed by the system when the authentication packages are loaded. - Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\. The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed. - Registry entries in
HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\andHKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\are used to manage additional helper programs and functionalities that support Winlogon.Winlogon\Notify- points to notification package DLLs that handle Winlogon eventsWinlogon\Userinit- points to userinit.exe, the user initialization program executed when a user logs onWinlogon\Shell- points to explorer.exe, the system shell executed when a user logs on
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages,HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages- load into LSA space, meaning having access to unencrypted password info.
- the current user is
- Windows
-
Kernel modules and extentions. UNIX