CYBERSECURITY JOB HUNTING GUIDE
T1547 Boot or Logon Autostart Execution
Author: Stefan Waldvogel
LimaCharlie vs. Logon Autostart Execution
Overview:
Description from ATT&CK
Adversaries may use port monitors to run an attacker-supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in C:\Windows\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors.
The Registry key contains entries for the following:
Local Port
Standard TCP/IP Port
USB Monitor
WSD Port
Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.
Source: github.com/redcanaryco/atomic-red-team/tree/master/atomics
Commands:
Invoke-AtomicTest T1547.010 -ShowDetailsBrief
Invoke-AtomicTest T1547.010 -CheckPrereqs
Invoke-AtomicTest T1547.010 -GetPrereqs
Invoke-AtomicTest T1547.010 -TestNumbers 1
Invoke-AtomicTest T1547.010 -Cleanup
Test:
reg add "hklm\system\currentcontrolset\control\print\monitors\ART" /v "Atomic Red Team" /d "#{monitor_dll}" /t REG_SZ
Adds a registry key.
Changes:
-none-
Limitations:
Results:
This section has 1 subtest.
Invoke-AtomicTest T1547.010 -TestNumbers 1
--> not detected
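As an added example (not part of this guide and not LimaCharlie's own rule logic), a Python check that flags any registry write under the Print\Monitors key whose subkey is not one of the four baseline monitors listed above, which is exactly what the atomic test's reg add command produces. The event records are constructed here in the shape of Sysmon Event ID 13 (registry value set); the DLL path standing in for #{monitor_dll} is made up.

```python
import re

# Baseline port monitors named on this page; any other subkey is a new monitor.
BASELINE_MONITORS = {"local port", "standard tcp/ip port", "usb monitor", "wsd port"}

# HKLM\SYSTEM\<ControlSet>\Control\Print\Monitors\<monitor>[\<value>], any case/hive spelling.
MONITORS_RE = re.compile(
    r"^(?:hklm|hkey_local_machine)\\system\\(?:currentcontrolset|controlset\d{3})"
    r"\\control\\print\\monitors\\([^\\]+)(?:\\(.*))?$", re.IGNORECASE)

# Constructed records in the shape of Sysmon Event ID 13 (registry value set);
# the DLL path in the first record is a made-up stand-in for #{monitor_dll}.
SAMPLE_EVENTS = [
    r"EventType=SetValue|Image=C:\Windows\System32\reg.exe"
    r"|TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ART\Atomic Red Team"
    r"|Details=C:\Users\Public\example_monitor.dll",
    r"EventType=SetValue|Image=C:\Windows\System32\spoolsv.exe"
    r"|TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Driver"
    r"|Details=tcpmon.dll",
]

def parse_event(line):
    """Split a 'Field=value|Field=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))

def check_monitor_write(target_object):
    """Return the monitor subkey name for a write to a non-baseline monitor, else None.
    Keyed on the subkey, so the test's 'Atomic Red Team' value and a real 'Driver' value both match."""
    m = MONITORS_RE.match(target_object)
    if not m:
        return None
    monitor = m.group(1)
    return None if monitor.lower() in BASELINE_MONITORS else monitor

def scan(events):
    """Return (image, monitor, details) for every suspicious monitor write."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventType") not in ("SetValue", "CreateKey"):
            continue
        monitor = check_monitor_write(ev.get("TargetObject", ""))
        if monitor is not None:
            alerts.append((ev.get("Image", ""), monitor, ev.get("Details", "")))
    return alerts

if __name__ == "__main__":
    for image, monitor, details in scan(SAMPLE_EVENTS):
        print(f"ALERT: {image} registered port monitor '{monitor}' -> {details}")
```

Running the cleanup command afterwards removes the ART subkey again, so a real deployment should also watch for DeleteKey events on the same path to pair the install and removal.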
© 2021. This work is licensed under a CC BY-SA 4.0 license