Boot or Logon Autostart Execution

Boot or Logon Autostart Execution is a persistence technique in which an adversary abuses the automatic-execution mechanisms the operating system already provides, by modifying Registry keys, service configuration, scheduled tasks and similar system components. Defenders usually detect it by monitoring changes to autostart entries, analysing process-creation behaviour and verifying file signatures, paying particular attention to Registry values in unusual locations, services with anomalous properties and the loading of unsigned drivers.

To evade such detection, adversaries have developed layered trace-hiding techniques that rebuild the persistence mechanism through obfuscated storage, behavioural disguise, memory residency and kernel-level hiding. These techniques defeat detection that relies on static signature matching by embedding the malicious component deep in normal system operation, producing a persistence model that is superficially legitimate, decrypted only at run time and blended into its environment.

What these techniques have in common is that they build a layered, blended execution environment. Obfuscated Registry storage defeats Registry monitoring through encrypted, transformed data and disguised storage locations; legitimate-service impersonation clones service metadata and blends into the process environment; dynamic payload injection keeps the payload fileless and memory-resident; scheduled-task hiding randomises trigger conditions and clears logs to remove timing artefacts; covert driver loading uses forged signatures and kernel-level hiding to gain kernel privileges. Together they form a persistence chain whose storage cannot be read, whose behaviour cannot be distinguished from legitimate activity and whose traces cannot be followed. The essential shift is from simple configuration changes to deep parasitism of the operating system's own mechanisms.

This evolution puts defences that rely on monitoring configuration entries and matching file signatures at risk of failure. Defenders need dynamic analysis capabilities such as Registry behaviour modelling, service relationship graphing and detection of anomalous in-memory behaviour, and must strengthen driver signature verification and kernel integrity protection, to defend against covert persistence at every layer.

ID: T1547
Platforms: Linux, Network, Windows, macOS
Permissions Required: Administrator, User, root
Version: 1.2
Created: 23 January 2020
Last Modified: 12 September 2024

Trace-hiding effects

Effect type                      Present
Signature disguise
Behavioural transparency
Data masking
Spatio-temporal trace dispersal

Signature disguise

By precisely cloning system service attributes, forging scheduled-task descriptions and using legitimate digital signatures, the malicious component is disguised as a legitimate system object. For example, service impersonation copies the DisplayName and Description fields of Microsoft services, and driver loading relies on a valid digital signature to pass system verification, so defenders cannot identify the anomaly from surface attributes alone.

Behavioural transparency

Dynamic payload injection relies on memory residency and fileless execution, taking the malicious code entirely out of the view of traditional file monitoring. A kernel driver can hook the system's audit callbacks to suppress behavioural logs, blinding the operating system itself, so that detection based on analysing behavioural logs cannot perceive the activity.

Data masking

Obfuscated Registry storage protects persistence configuration data with multiple layers of encryption, and covert driver loading uses legitimate certificates to encrypt its communications. Encrypted storage and transport evade content inspection: even a defender who recovers the persistence configuration cannot determine the attacker's intent from it.

Spatio-temporal trace dispersal

Scheduled-task techniques tie execution to system-event triggers and randomise execution intervals, spreading malicious activity across a long time span. Registry virtualisation separates the persistence configuration across user sessions, scattering the artefacts across several logical layers of the system, so that analysis of a single point-in-time snapshot cannot reconstruct the full attack chain.

Procedure Examples

ID Name Description
S0651 BoxCaon

BoxCaon established persistence by setting the HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load registry key to point to its executable.[1]

S0567 Dtrack

Dtrack's RAT creates a persistent target file that is auto-executed at host start.[2]

S0084 Mis-Type

Mis-Type has created registry keys for persistence, including HKCU\Software\bkfouerioyou, HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{6afa8072-b2b1-31a8-b5c1-{Unique Identifier}, and HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{3BF41072-B2B1-31A8-B5C1-{Unique Identifier}.[3]

S0083 Misdat

Misdat has created registry keys for persistence, including HKCU\Software\dnimtsoleht\StubPath, HKCU\Software\snimtsOleht\StubPath, HKCU\Software\Backtsaleht\StubPath, HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{3bf41072-b2b1-21c8-b5c1-bd56d32fbda7}, and HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{3ef41072-a2f1-21c8-c5c1-70c2c3bc7905}.[3]

S0653 xCaon

xCaon has added persistence via the Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load which causes the malware to run each time any user logs in.[1]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.

DS0027 Driver Driver Load

Monitor for unusual kernel driver installation activity that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.

DS0022 File File Creation

Monitor for newly constructed files that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.

File Modification

Monitor for changes made to files that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.

DS0008 Kernel Kernel Module Load

Monitor for unusual kernel driver installation activity that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.

DS0011 Module Module Load

Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL.

DS0009 Process OS API Execution

Monitor for API calls that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.

Process Creation

Suspicious program execution as an autostart program may show up as an outlier process that has not been seen before when compared against historical data. To increase confidence that the activity is malicious, data and events should not be viewed in isolation but as part of a chain of behaviour that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

DS0024 Windows Registry Windows Registry Key Creation

Monitor for additions of mechanisms that could be used to trigger autostart execution, such as relevant additions to the Registry.

Windows Registry Key Modification

Monitor for modifications of mechanisms that could be used to trigger autostart execution, such as relevant changes to existing Registry values.
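The Windows Registry rows above say what to monitor; the following is an added example (not code from MITRE ATT&CK or from this page's authors) of what the detection logic can look like once the events are in hand. It parses Sysmon Event ID 13 (SetValue) records in their event-log XML form, matches the TargetObject against the autostart locations the procedure examples use (Run/RunOnce, the Windows\load value abused by BoxCaon and xCaon, Active Setup StubPath) plus Winlogon Shell/Userinit, extracts every executable named in the value (Userinit is comma-separated), and scores the write by how unusual the location is, where the target binary lives, and what wrote it. The sample events, the SID, the paths and the weights are all constructed for the example; tune the weights and the trusted-directory list to your own estate.

```python
"""Score Sysmon registry SetValue events that touch autostart locations (added example)."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional
from xml.sax.saxutils import escape

# Autostart locations discussed on this page plus Winlogon. The per-user "HKU\<SID>\"
# prefix Sysmon emits is normalised to "HKCU\" before matching. Weight = how rarely
# legitimate software touches the location (assumed values, not from the page).
AUTOSTART_RULES = [
    (re.compile(r"^HK(LM|CU)\\Software\\(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I),
     "Run/RunOnce value", 1),
    (re.compile(r"^HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\(load|run)$", re.I),
     "Windows\\load or \\run value", 3),
    (re.compile(r"^HK(LM|CU)\\Software\\(WOW6432Node\\)?Microsoft\\Active Setup\\Installed Components\\[^\\]+\\StubPath$", re.I),
     "Active Setup StubPath", 2),
    (re.compile(r"^HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.I),
     "Winlogon Shell/Userinit", 3),
]
SID_PREFIX = re.compile(r"^HKU\\S-1-5-21-[\d-]+\\", re.I)
TRUSTED_ROOTS = re.compile(r"^[A-Z]:\\(Windows|Program Files( \(x86\))?)\\", re.I)
SCRATCH_DIRS = re.compile(r"\\(Temp|Users\\Public|Downloads)\\", re.I)
SCRIPT_HOSTS = re.compile(r"\\(rundll32|regsvr32|mshta|wscript|cscript|powershell|pwsh|cmd)\.exe$", re.I)
# A quoted path, or a bare token ending in an executable/script extension.
EXE_RE = re.compile(r'"([^"]+)"|([^\s,;]+?\.(?:exe|dll|cmd|bat|vbs|js|ps1|scr|hta))(?=[\s,;]|$)', re.I)
ALERT_THRESHOLD = 3


@dataclass
class Finding:
    key: str
    rule: str
    writer: str
    targets: List[str]
    score: int
    reasons: List[str]


def parse_event(xml_text: str) -> dict:
    """Flatten one Sysmon event (Windows event-log XML) into {field: value}."""
    ev = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]        # drop the event-log XML namespace
        if tag == "EventID":
            ev["EventID"] = int(el.text)
        elif tag == "Data":
            ev[el.get("Name")] = el.text or ""
    return ev


def normalise_key(target: str) -> str:
    return SID_PREFIX.sub(r"HKCU\\", target)


def extract_targets(details: str) -> List[str]:
    return [quoted or bare for quoted, bare in EXE_RE.findall(details)]


def score_path(path: str):
    if SCRATCH_DIRS.search(path):
        return 2, "target lives in a temp/public/download directory"
    if not TRUSTED_ROOTS.match(path):
        return 1, "target lives outside Windows/Program Files"
    return 0, ""


def assess(ev: dict) -> Optional[Finding]:
    """Return a Finding for an Event ID 13 write to an autostart location, else None."""
    if ev.get("EventID") != 13:
        return None
    key = normalise_key(ev.get("TargetObject", ""))
    for rx, name, weight in AUTOSTART_RULES:
        if rx.match(key):
            break
    else:
        return None
    score, reasons = weight, [f"autostart location: {name}"]
    targets = extract_targets(ev.get("Details", ""))
    worst = max((score_path(t) for t in targets), default=(0, ""))   # worst executable in the value
    if worst[0]:
        score += worst[0]
        reasons.append(worst[1])
    writer = ev.get("Image", "")
    if SCRATCH_DIRS.search(writer):
        score += 1
        reasons.append("written by a process running from a temp/public directory")
    if SCRIPT_HOSTS.search(writer):
        score += 1
        reasons.append("written by a script host / LOLBin")
    return Finding(key, name, writer, targets, score, reasons)


def analyse(xml_events) -> List[Finding]:
    findings = [f for f in (assess(parse_event(x)) for x in xml_events) if f]
    return sorted(findings, key=lambda f: -f.score)


# ---- constructed sample data (not real telemetry) ----
NS = "http://schemas.microsoft.com/win/2004/08/events/event"
USER_HIVE = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"


def sysmon_xml(event_id: int, **data: str) -> str:
    body = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{body}</EventData></Event>")


SAMPLE_EVENTS = [
    sysmon_xml(13, Image=r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveSetup.exe",   # common per-user Run value
               TargetObject=USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
               Details=r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    sysmon_xml(13, Image=r"C:\Users\alice\AppData\Local\Temp\setup_7f3a.exe",                   # Windows\load from Temp
               TargetObject=USER_HIVE + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows\load",
               Details=r"C:\Users\Public\Libraries\svchost.exe"),
    sysmon_xml(13, Image=r"C:\Windows\System32\msiexec.exe",                                    # installer-style StubPath
               TargetObject=r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}\StubPath",
               Details=r"C:\Windows\System32\unregmp2.exe /ShowWMP"),
    sysmon_xml(13, Image=r"C:\Windows\System32\svchost.exe",                                    # not an autostart key
               TargetObject=r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\DhcpIPAddress",
               Details="10.0.0.5"),
    sysmon_xml(13, Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",           # Userinit extended
               TargetObject=r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
               Details=r"C:\Windows\system32\userinit.exe,C:\ProgramData\Update\svc.exe"),
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        flag = "ALERT" if f.score >= ALERT_THRESHOLD else "info "
        print(f"{flag} score={f.score} {f.rule}: {f.key} -> {f.targets} ({'; '.join(f.reasons)})")
```

Run against the constructed events, the Windows\load write from Temp and the extended Userinit value clear the threshold, while the per-user Run value and the Active Setup StubPath written by msiexec are reported at a low score for triage rather than alerting. The weights deliberately favour rarely-used locations over the Run key, because the Run key is noisy on every workstation; the target-path check is what separates a vendor updater in AppData from a dropper in Users\Public.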
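The Process Creation row above makes two points: an autostart program that has never been seen before is an outlier against historical data, and it should be judged as part of a chain (for example a follow-on network connection) rather than in isolation. The following added example (not from MITRE ATT&CK or this page's authors) implements both: it baselines parent/child pairs under the processes that launch autostart entries at boot or logon (explorer.exe, userinit.exe, winlogon.exe, services.exe), flags children whose pair is new or rare, and escalates a flagged child that makes an outbound connection within a short window of starting. The history, the events, the GUIDs, the time window and the rarity threshold are all constructed assumptions; the records are simplified Sysmon Event ID 1 / 3 fields, not a real export.

```python
"""Baseline autostart-launched processes and chain them to network activity (added example)."""
import ntpath
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Tuple

# Processes that launch autostart entries at boot/logon; their children are baselined.
LOGON_PARENTS = {"explorer.exe", "userinit.exe", "winlogon.exe", "services.exe"}
MIN_SEEN = 5                            # assumed: pairs seen fewer times are "rare"
CHAIN_WINDOW = timedelta(seconds=120)   # assumed: start-to-first-connection window


@dataclass
class Finding:
    time: datetime
    parent: str
    child: str
    guid: str
    score: int
    reasons: List[str] = field(default_factory=list)
    connections: List[str] = field(default_factory=list)


def pair_key(parent_image: str, image: str) -> Tuple[str, str]:
    # Key on parent name + full child path, so a renamed "svchost.exe" in a user
    # directory does not inherit the reputation of the real one under System32.
    return ntpath.basename(parent_image).lower(), image.lower()


def build_baseline(history) -> Counter:
    """history: (parent_image, child_image, times_seen) from past logons (constructed)."""
    baseline = Counter()
    for parent_image, image, seen in history:
        baseline[pair_key(parent_image, image)] += seen
    return baseline


def detect(events, baseline: Counter, window: timedelta = CHAIN_WINDOW) -> List[Finding]:
    # Index NetworkConnect events by originating process GUID so a flagged child
    # can be tied to its first outbound connection.
    connections = defaultdict(list)
    for ev in events:
        if ev["event"] == "NetworkConnect":
            connections[ev["guid"]].append((ev["time"], ev["dest"]))
    findings = []
    for ev in events:
        if ev["event"] != "ProcessCreate":
            continue
        parent, child = pair_key(ev["parent_image"], ev["image"])
        if parent not in LOGON_PARENTS:
            continue
        seen = baseline[(parent, child)]
        if seen >= MIN_SEEN:
            continue                                    # well-established autostart child
        f = Finding(ev["time"], parent, ntpath.basename(child), ev["guid"], 0)
        if seen == 0:
            f.score += 2
            f.reasons.append("parent/child pair never seen in baseline")
        else:
            f.score += 1
            f.reasons.append(f"parent/child pair rare in baseline ({seen} prior)")
        for when, dest in connections[ev["guid"]]:
            if ev["time"] <= when <= ev["time"] + window:
                f.connections.append(dest)
        if f.connections:
            f.score += 2
            f.reasons.append(f"outbound connection within {int(window.total_seconds())}s of start")
        findings.append(f)
    return sorted(findings, key=lambda x: (-x.score, x.time))


# ---- constructed sample data (not real telemetry) ----
HISTORY = [
    (r"C:\Windows\System32\userinit.exe", r"C:\Windows\explorer.exe", 60),
    (r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe", 900),
    (r"C:\Windows\explorer.exe", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe", 40),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", 3),
]
T0 = datetime(2024, 9, 12, 8, 0, 0)
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "time": T0 + timedelta(seconds=5), "guid": "A",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"event": "ProcessCreate", "time": T0 + timedelta(seconds=7), "guid": "B",
     "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Users\Public\Libraries\svchost.exe"},
    {"event": "NetworkConnect", "time": T0 + timedelta(seconds=31), "guid": "B", "dest": "203.0.113.10:443"},
    {"event": "NetworkConnect", "time": T0 + timedelta(seconds=40), "guid": "A", "dest": "198.51.100.7:443"},
    {"event": "ProcessCreate", "time": T0 + timedelta(minutes=3), "guid": "C",
     "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe"},
    {"event": "ProcessCreate", "time": T0 + timedelta(minutes=4), "guid": "D",
     "parent_image": r"C:\Program Files\Vendor\agent.exe", "image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, build_baseline(HISTORY)):
        print(f"score={f.score} {f.parent} -> {f.child} [{f.guid}] {f.connections} ({'; '.join(f.reasons)})")
```

The unknown svchost.exe under Users\Public scores highest because its pair has no history and it beacons within the window; notepad.exe is reported only as rare, which is the kind of low-score finding that belongs in a review queue rather than an alert. Keying the baseline on the full child path is what keeps the malicious copy from borrowing the real svchost.exe's 900 prior sightings under services.exe.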

References