Active Setup (T1547.014)

Information

• Name: Active Setup

• ID: T1547.014

• Tactics: ,

• Technique:

Introduction

Active Setup () is a sub-technique within MITRE ATT&CK's Persistence category, specifically under Boot or Logon Autostart Execution. Active Setup is a Windows mechanism designed to execute commands once per user upon logon, typically used to configure user-specific settings or applications. Attackers leverage Active Setup to establish persistence by ensuring malicious code executes automatically each time a new user logs into the compromised system.

Deep Dive Into Technique

Active Setup is a Windows operating system feature primarily intended for software configuration tasks that require user-specific settings to be applied upon initial login. It works by comparing registry keys between the system-wide (machine) and user-specific hives. If a user's Active Setup registry key does not match the corresponding system-wide key, Windows executes the associated command and then synchronizes the keys.

Technical details:

• Active Setup utilizes registry keys located in:

  • Machine-wide settings: HKLM\Software\Microsoft\Active Setup\Installed Components\{GUID}

  • User-specific settings: HKCU\Software\Microsoft\Active Setup\Installed Components\{GUID}

• Each Active Setup component is represented by a unique GUID (Globally Unique Identifier).

• The registry values typically involved include:

  • StubPath: Defines the executable command or script to run during user logon.

  • Version: Determines if synchronization between machine-wide and user-specific keys is required.

  • IsInstalled: Indicates whether the Active Setup component is enabled (usually set to 1).

Attackers exploit Active Setup by inserting malicious commands or scripts into the StubPath registry value under the machine-wide Active Setup registry key. When a new user logs into the system, Windows detects the mismatch between the user's registry key and the machine-wide Active Setup key, causing the malicious command to execute automatically.

Common execution methods and mechanisms include:

• Executing malicious scripts (PowerShell, batch scripts, VBScript).

• Launching malware executables placed in non-standard directories.

• Leveraging legitimate system utilities (such as "rundll32.exe" or "msiexec.exe") to run malicious payloads.

• Utilizing Active Setup to execute persistence payloads that re-establish command-and-control (C2) channels or maintain backdoor access.

When this Technique is Usually Used

Attackers typically employ Active Setup persistence during various stages of an attack lifecycle, notably:

• Persistence Stage: After initial compromise, attackers use Active Setup to maintain long-term access, ensuring their malicious payload executes upon user logon.

• Privilege Escalation: If attackers have administrative privileges, they can configure Active Setup to execute malicious commands for all new users logging into the system, potentially escalating their influence across multiple user accounts.

• Lateral Movement: Attackers may use Active Setup to propagate malicious code across multiple user profiles on a single compromised system, ensuring persistence even if some user accounts are cleaned or reset.

• Defense Evasion: Active Setup is a legitimate Windows feature, making it less suspicious to defenders and allowing attackers to blend malicious activities with normal system operations.

How this Technique is Usually Detected

Detection of Active Setup exploitation involves monitoring specific registry keys and analyzing logon events. Common detection methods, tools, and indicators include:

• Registry Monitoring:

  • Monitor changes to registry keys under HKLM\Software\Microsoft\Active Setup\Installed Components\{GUID}.

  • Detect unexpected modifications or additions to the StubPath registry value.

• Endpoint Detection and Response (EDR) Tools:

  • Tools such as Microsoft Defender for Endpoint, CrowdStrike Falcon, Carbon Black, and SentinelOne can monitor registry changes and execution of suspicious commands during user logon.

• Process Creation Logs:

  • Monitor Windows event logs (Event ID 4688) and Sysmon logs (Event ID 1) for processes spawned by Active Setup during user logon.

  • Identify unusual executables or scripts launched from uncommon directories or temporary folders.

• Indicators of Compromise (IoCs):

  • Registry entries with unusual or randomly generated GUIDs under Active Setup paths.

  • Suspicious executable paths or scripts referenced in StubPath values.

  • Unexpected network connections or file creations immediately following user logon events.

Why it is Important to Detect This Technique

Early detection of malicious Active Setup activities is critical due to the following potential impacts:

• Long-term Persistence:

  • Attackers can maintain persistent access to compromised systems, repeatedly executing malicious payloads upon user logon without attracting immediate suspicion.

• Privilege Escalation:

  • Malicious Active Setup configurations can allow attackers to execute commands with elevated privileges or target multiple user accounts, increasing the scope and severity of compromise.

• Stealth and Defense Evasion:

  • Active Setup is a legitimate Windows feature, making malicious activities harder to detect and attribute without proper monitoring and detection mechanisms.

• Risk of Data Exfiltration and System Compromise:

  • Persistent access enables attackers to continuously access sensitive data, install additional malware, or pivot to other systems within the network.

• Operational and Financial Impacts:

  • Undetected persistence can lead to prolonged compromise, resulting in increased remediation costs, business disruption, and potential regulatory or compliance violations.

Examples

Real-world scenarios illustrating Active Setup exploitation include:

• APT41 (Winnti Group):

  • Known to leverage Active Setup persistence mechanisms to execute malicious payloads during user logon.

  • Used Active Setup registry keys to launch malicious DLL files via "rundll32.exe", enabling persistent backdoor access and data exfiltration.

• FIN7 Group:

  • Utilized Active Setup to execute JavaScript-based malware payloads upon user logon.

  • Inserted malicious scripts into StubPath registry values, enabling persistent command-and-control (C2) communication.

• TrickBot Malware:

  • Employed Active Setup persistence mechanisms by modifying registry keys to execute malicious payloads, ensuring the malware maintained persistence across user sessions.

• Emotet Malware:

  • Leveraged Active Setup to execute malicious scripts or executables upon user login, maintaining persistent foothold on infected systems and facilitating lateral movement.

Typical tools and methods used by attackers include:

• Malicious scripts (PowerShell, VBScript, JavaScript) executed via Active Setup.

• Legitimate Windows utilities (e.g., "rundll32.exe", "msiexec.exe") to execute malicious DLLs or payloads.

• Custom malware payloads specifically designed to exploit Active Setup mechanisms.

Impacts observed in these scenarios:

• Persistent remote access and control over compromised systems.

• Data exfiltration of sensitive corporate or personal information.

• Deployment of secondary payloads such as ransomware, banking trojans, or credential stealers.

• Increased difficulty in remediation efforts due to persistent footholds established via Active Setup.