Boot or Logon Autostart Execution
What: Boot or Logon Autostart Execution
Boot or Logon Autostart Execution refers to a set of techniques that adversaries use to execute malicious software automatically during the system boot or logon process. These techniques are leveraged to maintain persistence and control over a system by ensuring that the malicious code executes every time the system starts up or a user logs in.
How: Techniques and Implementation
- Registry Keys: Windows uses registry keys such as Run, RunOnce, RunServices, and RunServicesOnce, located under both the HKLM (HKEY_LOCAL_MACHINE) and HKCU (HKEY_CURRENT_USER) branches, for programs that need to start automatically. Malware can add entries here to ensure execution at startup.
- Startup Folder: Both Windows and Linux systems have startup folders where shortcuts to programs can be placed for automatic execution at user logon.
- Scheduled Tasks / Cron Jobs: Windows Task Scheduler and Unix-like cron services can be used to schedule scripts or programs to run at system boot or on a regular schedule, providing another vector for persistent access.
- System Initialization Scripts: On Unix-like systems, scripts such as /etc/rc.local, init.d scripts, or systemd units can be modified to execute custom scripts at boot time.
- Windows Services: Malicious services can be created in Windows that start automatically when the system boots.
- EFI/BIOS Firmware: Malware can reside within firmware, ensuring execution before the OS even loads, which makes detection difficult.
- Modification of Existing Legitimate Files: Altering existing legitimate files that are known to be executed automatically during boot or logon is another method used.
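As an added example that is not part of the original page, the following Python script parses a `reg export` dump of the Run/RunOnce keys named above and flags entries a defender would want to review; the embedded .reg text, the script-host list, the hide/encode flag pattern and the user-writable directory list are constructed assumptions, not data from the page.

```python
import re
# Constructed sample of a `reg export` (.reg) file; every entry below is invented for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="powershell.exe -w hidden -enc <base64-placeholder>"
"svchost"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Windows\\System32\\cmd.exe /c del C:\\Users\\alice\\setup.log"
'''
AUTORUN_KEYS = ("run", "runonce", "runservices", "runservicesonce")  # RunServices* are Windows 9x-era keys
# Heuristics assumed for this example: script hosts, hide/encode flags, user-writable paths.
SCRIPT_HOSTS = ("powershell", "pwsh", "wscript", "cscript", "mshta", "rundll32", "regsvr32")
HIDDEN_FLAGS = re.compile(r"-w(indowstyle)?\s+hidden|-e(nc(odedcommand)?)?\s", re.I)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")
SECTION = re.compile(r"^\[(.+)\]$")
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        if m := SECTION.match(line.strip()):
            current = m.group(1)
            keys[current] = {}
        elif current is not None and (m := STRING_VALUE.match(line.strip())):
            # .reg files escape backslashes and quotes with a backslash; undo that
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            keys[current][name] = data
    return keys

def audit_autoruns(text):
    """Flag entries under Run/RunOnce/RunServices/RunServicesOnce that look suspicious."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if key.rsplit("\\", 1)[-1].lower() not in AUTORUN_KEYS:
            continue
        for name, cmd in values.items():
            low, reasons = cmd.lower(), []
            if any(h in low for h in SCRIPT_HOSTS):
                reasons.append("launches a script host")
            if HIDDEN_FLAGS.search(cmd):
                reasons.append("hidden window or encoded command")
            if any(d in low for d in USER_WRITABLE):
                reasons.append("runs from a user-writable directory")
            if reasons:
                findings.append({"key": key, "name": name, "command": cmd, "reasons": reasons})
    return findings
```

On a live host, feed it the output of `reg export` for the Run keys under both HKLM and HKCU; the heuristics are a starting point for triage, not proof of compromise.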
Where: System Components Involved
- Windows Registry
- Startup Directories
  - Windows: C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  - Linux: ~/.config/autostart
- Task Scheduler and Cron Tables
- System Service Configuration
  - Windows: Service Control Manager
  - Linux: systemd, SysVinit
- Firmware
- Boot Loaders such as GRUB on Linux
- File System Locations where scripts or binaries might be placed for execution
Why: Motivations Behind Using These Techniques
- Persistence: Ensuring that the malware survives reboots and continues operating without requiring re-infection.
- Stealth: Many autostart methods allow malware to operate without immediate detection by hiding its presence as part of legitimate processes or mimicking legitimate applications.
- Privilege Escalation: Some autostart methods can exploit vulnerabilities during the boot process or leverage higher privileges that some components have at startup.
- Control & Surveillance: Continuous control over a compromised system allows for ongoing data exfiltration, surveillance, and further exploitation activities.
In summary, adversaries abuse autostart mechanisms across operating systems for persistence and control, using components of the system architecture from firmware up through application-level configuration.