Boot or Logon Autostart Execution - T1547
(ATT&CK® Technique)
Definition
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon. These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
D3FEND Inferred Relationships
Artifacts related to T1547 (Boot or Logon Autostart Execution):
  may-create: Shared Library File
  may-modify: System Configuration Init Database Record; User Startup Script File; Symbolic Link
  modifies: Application Configuration File; Kernel Module; System Configuration Database Record; User Logon Init Resource; System Service Software

Defensive techniques, the artifacts they act on, and their inferred relationship to T1547:
  Decoy File (may-deceive T1547): spoofs User Startup Script File; Symbolic Link; Shared Library File; Kernel Module; Application Configuration File
  Dynamic Analysis (may-detect T1547): analyzes User Startup Script File
  Emulated File Analysis (may-detect T1547): analyzes User Startup Script File
  File Integrity Monitoring (may-detect T1547): analyzes Symbolic Link; Shared Library File; User Startup Script File; Application Configuration File; Kernel Module
  File Analysis (may-detect T1547): analyzes User Startup Script File; Shared Library File; Kernel Module; Application Configuration File; Symbolic Link
  System Init Config Analysis (may-detect T1547): analyzes System Configuration Init Database Record
  File Eviction (may-evict T1547): deletes Application Configuration File; User Startup Script File; Shared Library File; Symbolic Link; Kernel Module
  File Encryption (may-harden T1547): encrypts Kernel Module; Shared Library File; Symbolic Link; User Startup Script File; Application Configuration File
  Software Update (may-harden T1547): updates System Service Software
  Executable Denylisting (may-isolate T1547): blocks User Startup Script File
  Executable Allowlisting (may-isolate T1547): blocks User Startup Script File
  Local File Permissions (may-isolate T1547): restricts Symbolic Link; Application Configuration File; User Startup Script File; Shared Library File; Kernel Module
  Remote File Access Mediation (may-isolate T1547): isolates Kernel Module; Application Configuration File; Symbolic Link; User Startup Script File; Shared Library File
  Restore File (may-restore T1547): restores Application Configuration File; Kernel Module; Shared Library File; Symbolic Link; User Startup Script File
  Restore Configuration (may-restore T1547): restores System Configuration Database Record; System Configuration Init Database Record
  Restore Software (may-restore T1547): restores System Service Software