EXPLORE

← Back to Explore

T1037

Boot or Logon Initialization Scripts

Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence.(Citation: Mandiant APT29 Eye Spy Email Nov 22)(Citation: Anomali Rocke March 2019) Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely. Adversaries may use these scripts to maintain persist...

macOSWindowsLinuxNetwork DevicesESXi

25

Detections

1

Sources

4

Threat Actors

BY SOURCE

25elastic

PROCEDURES (15)

Process Creation Monitoring6 detections

Auto-extracted: 6 detections for process creation monitoring

Service3 detections

Auto-extracted: 3 detections for service

Script Execution Monitoring3 detections

Auto-extracted: 3 detections for script execution monitoring

Registry2 detections

Auto-extracted: 2 detections for registry

Service1 detections

Auto-extracted: 1 detections for service

Privilege1 detections

Auto-extracted: 1 detections for privilege

Startup1 detections

Auto-extracted: 1 detections for startup

Privilege1 detections

Auto-extracted: 1 detections for privilege

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Startup1 detections

Auto-extracted: 1 detections for startup

Unusual1 detections

Auto-extracted: 1 detections for unusual

Startup1 detections

Auto-extracted: 1 detections for startup

Service1 detections

Auto-extracted: 1 detections for service

Unusual1 detections

Auto-extracted: 1 detections for unusual

Container1 detections

Auto-extracted: 1 detections for container

THREAT ACTORS (4)

APT29 APT41 Rocke UNC3886

DETECTIONS (25)

Chkconfig Service Add

Executable Bit Set for Potential Persistence Script

GenAI Process Accessing Sensitive Files

Message-of-the-Day (MOTD) File Creation

Modification of Persistence Relevant Files Detected via Defend for Containers

Persistence via Folder Action Script

Persistence via Login or Logout Hook

Persistence via WMI Standard Registry Provider

Pod or Container Creation with Suspicious Command-Line

Potential Execution of rc.local Script

Potential Persistence via Atom Init Script Modification

Potential Persistence via File Modification

Potential Persistence via Login Hook

Potential Suspicious File Edit

Process Spawned from Message-of-the-Day (MOTD)

rc.local/rc.common File Creation

Startup/Logon Script added to Group Policy Object

Suspicious Echo or Printf Execution Detected via Defend for Containers

Suspicious Network Activity to the Internet by Previously Unknown Executable

Suspicious rc.local Error Message

Suspicious StartupItem Plist Creation

System V Init Script Created

Systemd-udevd Rule File Creation

Uncommon Registry Persistence Change

Unusual Exim4 Child Process