Startup Items (T1037.005)
Startup Items [T1037.005]
Last updated
Startup Items [T1037.005]
Last updated
Name: Startup Items
ID: T1037.005
Tactics: ,
Technique:
Startup Items (T1037.005) is a sub-technique under the Persistence tactic within the MITRE ATT&CK framework. It describes adversaries leveraging startup items, such as login scripts, startup folders, and other configuration settings, to achieve persistence on compromised systems. By placing malicious executables, scripts, or shortcuts into startup locations, adversaries ensure their malicious payloads execute automatically during system boot or user login, maintaining long-term presence and persistence without requiring additional user interaction.
Startup Items involve placing malicious executables or scripts into specific directories or configuration settings that automatically execute when a system or user session starts. Attackers commonly exploit the following methods to establish persistence via Startup Items:
Windows Startup Folder:
Located at %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup for individual user persistence.
Located at %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup for system-wide persistence.
Attackers place executables, shortcuts, or scripts in these folders, ensuring automatic execution upon user login.
Registry Keys:
Attackers may leverage registry keys such as:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Entries in these keys execute automatically during user login or system startup.
Scheduled Tasks:
Attackers may create scheduled tasks configured to execute at user login or system startup.
Tasks can be hidden from normal view and configured to execute without user consent or interaction.
Login Scripts:
Scripts configured via Active Directory Group Policy Objects (GPO) or local group policy settings.
Attackers may modify or add scripts to execute malicious payloads upon login.
MacOS/Linux Startup Items:
MacOS: Malicious items placed into /Library/StartupItems/, /Library/LaunchAgents/, or /Library/LaunchDaemons/.
Linux: Malicious scripts inserted into /etc/init.d/, /etc/rc.d/, or user-specific startup files such as ~/.bashrc, ~/.profile, or ~/.bash_profile.
Attackers frequently combine Startup Items with other techniques such as obfuscation, privilege escalation, or script-based execution to evade detection and maintain persistent access.
Attackers commonly leverage Startup Items during the following attack scenarios and stages:
Initial Persistence:
Immediately after initial compromise to ensure persistent access even if the original access vector is closed.
Privilege Escalation:
Combining persistence with privilege escalation techniques to execute malicious payloads with high privileges on system startup.
Long-term Persistence:
Ensuring continued access for prolonged espionage operations, data exfiltration, or network reconnaissance.
Ransomware Attacks:
Ensuring ransomware payload execution on every startup or login, maximizing impact and recovery complexity.
Advanced Persistent Threat (APT) Campaigns:
Maintaining stealthy, continuous access for espionage, intellectual property theft, or targeted attacks.
Detection methods and tools for identifying malicious Startup Items include:
File System Monitoring:
Monitor known startup folders (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup) for unauthorized files or scripts.
Registry Monitoring:
Use tools such as Sysinternals Autoruns, OSQuery, or EDR solutions to detect suspicious modifications to registry keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Scheduled Task Monitoring:
Regularly audit scheduled tasks using Windows Task Scheduler or PowerShell commands (Get-ScheduledTask) to identify suspicious or unauthorized tasks configured at startup or login.
Endpoint Detection and Response (EDR) Solutions:
Employ advanced EDR solutions capable of monitoring and alerting on startup item modifications, anomalous scripts, and unauthorized persistence mechanisms.
SIEM and Log Analysis:
Analyze system logs and security events regularly for indicators of compromise (IoCs) related to startup item modifications, such as:
Unusual file creations or modifications in startup directories.
Registry change events logged by Windows Event Logs.
Unexpected scheduled task creations.
Behavioral Analysis and Threat Hunting:
Conduct proactive threat hunting activities to identify anomalous startup behaviors, unusual processes, or suspicious execution paths.
Specific Indicators of Compromise (IoCs):
Unrecognized or unsigned executables/scripts in startup folders.
Suspicious registry entries pointing to uncommon or obfuscated file locations.
Scheduled tasks with unusual names, descriptions, or execution commands.
Unusual login scripts or unauthorized modifications to group policy scripts.
Early detection of malicious Startup Items is critical due to the following potential impacts on systems and networks:
Persistent Access:
Attackers can maintain long-term, stealthy access, increasing the risk of data exfiltration, espionage, or lateral movement.
Privilege Escalation:
Malicious startup entries may execute payloads with elevated privileges, facilitating further compromise and control over critical system functions.
Data Exfiltration and Intellectual Property Theft:
Persistent attackers can continuously steal sensitive data, intellectual property, or credentials, causing significant damage to an organization.
System Stability and Performance Issues:
Malicious startup items can degrade system performance, cause crashes, or introduce instability, affecting operational efficiency and productivity.
Ransomware and Data Destruction:
Persistent ransomware payloads executed at startup can encrypt critical data repeatedly, complicating recovery efforts and increasing remediation costs.
Stealth and Detection Evasion:
Early detection prevents attackers from establishing stealthy persistence that evades standard security controls, minimizing dwell time and potential damage.
Real-world examples illustrating the use of Startup Items (T1037.005) include:
TrickBot Malware:
TrickBot banking trojan uses startup folders and registry entries to maintain persistence, ensuring it executes upon system reboot or user login.
Impact: Credential theft, financial fraud, lateral movement, and further malware deployment.
Emotet Malware:
Emotet places malicious executables into startup folders and creates registry autorun entries to persist across reboots, enabling continuous data exfiltration and malware delivery.
Impact: Credential harvesting, spam campaigns, ransomware delivery, and network compromise.
APT29 (Cozy Bear):
Known to leverage scheduled tasks and registry startup entries to maintain persistent access to compromised systems.
Impact: Espionage, intellectual property theft, sensitive data exfiltration.
FIN7 Criminal Group:
Utilized malicious startup scripts and tasks to persistently deploy malware payloads on compromised retail and hospitality networks.
Impact: Theft of payment card information, financial loss, reputational damage.
DarkSide Ransomware:
Created startup registry entries and scheduled tasks to ensure ransomware payload execution on every system reboot, complicating recovery efforts.
Impact: Data encryption, ransom demands, operational disruption, financial and reputational harm.
These examples demonstrate the wide range of adversaries—from financially motivated cybercriminals to state-sponsored APT groups—that rely on startup items to achieve persistent, stealthy access and maximize their operational impact.