T1547

Boot or Logon Autostart Execution

Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may inc...

LinuxmacOSWindowsNetwork Devices

Detections

Sources

Threat Actors

BY SOURCE

48elastic7sigma1splunk_escu

PROCEDURES (37)

Registry5 detections

Auto-extracted: 5 detections for registry

Persist4 detections

Auto-extracted: 4 detections for persist

Kernel4 detections

Auto-extracted: 4 detections for kernel

Startup3 detections

Auto-extracted: 3 detections for startup

Kernel3 detections

Auto-extracted: 3 detections for kernel

Suspicious3 detections

Auto-extracted: 3 detections for suspicious

Startup2 detections

Auto-extracted: 2 detections for startup

Privilege2 detections

Auto-extracted: 2 detections for privilege

Evasion2 detections

Auto-extracted: 2 detections for evasion

Tamper1 detections

Auto-extracted: 1 detections for tamper

Persist1 detections

Auto-extracted: 1 detections for persist

Service1 detections

Auto-extracted: 1 detections for service

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Driver1 detections

Auto-extracted: 1 detections for driver

Api1 detections

Auto-extracted: 1 detections for api

Tamper1 detections

Auto-extracted: 1 detections for tamper

Unusual1 detections

Auto-extracted: 1 detections for unusual

Privilege1 detections

Auto-extracted: 1 detections for privilege

Registry Monitoring1 detections

Auto-extracted: 1 detections for registry monitoring

Remote1 detections

Auto-extracted: 1 detections for remote

General Monitoring1 detections

Auto-extracted: 1 detections for general monitoring

Persist1 detections

Auto-extracted: 1 detections for persist

Service1 detections

Auto-extracted: 1 detections for service

Persist1 detections

Auto-extracted: 1 detections for persist

Unusual1 detections

Auto-extracted: 1 detections for unusual

Service1 detections

Auto-extracted: 1 detections for service

Credential1 detections

Auto-extracted: 1 detections for credential

Remote1 detections

Auto-extracted: 1 detections for remote

Startup1 detections

Auto-extracted: 1 detections for startup

Startup1 detections

Auto-extracted: 1 detections for startup

Privilege1 detections

Auto-extracted: 1 detections for privilege

Driver1 detections

Auto-extracted: 1 detections for driver

Network Connection Monitoring1 detections

Auto-extracted: 1 detections for network connection monitoring

Bypass1 detections

Auto-extracted: 1 detections for bypass

Kernel Monitoring1 detections

Auto-extracted: 1 detections for kernel monitoring

Privilege1 detections

Auto-extracted: 1 detections for privilege

Credential1 detections

Auto-extracted: 1 detections for credential

THREAT ACTORS (1)

APT42

DETECTIONS (56)

Atbroker Registry Change

sigmamedium

Attempt to Unload Elastic Endpoint Security Kernel Extension