Boot or Logon Autostart Execution is a persistence technique where an adversary configures malware or malicious scripts to automatically execute during system boot or user logon. This ensures the payload survives reboots, logoffs, and often user remediation attempts.
MITRE ATT&CK documents it as T1547 (Boot or Logon Autostart Execution), tagged under both Persistence and Privilege Escalation: an entry that launches as SYSTEM, root, or a logging-on administrator runs with that principal's rights. Several of the mechanisms below carry their own ATT&CK IDs (services under T1543, scheduled tasks and cron under T1053), and the masquerading names and hidden tasks they rely on overlap with Defense Evasion. This page treats all of them together as autostart persistence.
Technical Overview
At a low level, operating systems provide startup extensibility points to launch legitimate services, drivers, or user applications. Attackers abuse these mechanisms by:
- Dropping a payload on disk (EXE, DLL, script, driver)
- Registering it with a startup mechanism
- Allowing the OS to launch it automatically on boot/logon
Execution can occur:
- Before user login (boot-level persistence)
- At user logon (user-context persistence)
- With elevated privileges (services, drivers, scheduled tasks)
Common Autostart Mechanisms (By OS)
Windows Autostart Locations
1. Registry Run Keys
Executed when a user logs in; RunOnce values are removed as they are launched, so they fire only once.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\...\RunOnce
HKLM\...\RunOnce
- Payloads execute in the context of the logging-on user (never SYSTEM, even from HKLM)
- HKLM requires admin privileges to write and fires for every user's logon; HKCU needs no privileges and fires for that user only
- Common for commodity malware
2. Startup Folder
Files placed here execute on logon.
C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
- Executables, shortcuts (.lnk), and scripts (run through their file-type handler) are all launched
- Simple but noisy persistence (listed in Task Manager's Startup tab and by Autoruns)
3. Windows Services
Malware registers as a service.
HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>
- Starts at boot (before login) when its Start value is 2 (automatic)
- Runs as SYSTEM by default (sc create uses LocalSystem unless obj= is given)
- Often used by advanced threats and ransomware
4. Scheduled Tasks
Configured with triggers such as:
- At startup (ONSTART; requires admin)
- At logon (ONLOGON)
schtasks /create /sc onlogon /tn <name> /tr <payload>
- Can be hidden from Task Scheduler listings
- Supports SYSTEM execution (/ru SYSTEM, requires admin)
- Widely abused due to flexibility
5. DLL Search Order Hijacking
A malicious DLL is placed where a legitimate application that runs at startup loads it, for example in the application's own directory, which Windows searches before the system directories.
- No registry modification required
- Stealthy: the autostart entry itself is legitimate and signed
- Often paired with autostart applications; ATT&CK files it under Hijack Execution Flow (T1574.001) rather than T1547
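As an added example (not code from the original page), the Python script below triages a text export of the Run and RunOnce keys, the kind that reg export produces, and flags the patterns the Windows section above describes: a script host or LOLBin as the autostart image, paths under user-writable directories, a Windows system binary name outside C:\Windows, and encoded or hidden PowerShell. The .reg text, the entry names, and the heuristic lists are constructed for illustration and should be tuned to your own baseline.

```python
import re

# Constructed sample of what `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`
# produces (as text). Every entry below is made up for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"WindowsUpdateSvc"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"
"Helper"="powershell.exe -nop -w hidden -enc SQBFAFgA"
"Loader"="rundll32.exe C:\\Users\\Public\\x.dll,Start"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Setup"="C:\\Windows\\Temp\\installer.exe /s"
'''

# Heuristics (assumptions for this example; extend them for your estate).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData|Downloads)\\", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe", "cmd.exe", "msiexec.exe"}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=data


def _unescape(s):
    # .reg escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return (key, value_name, command) for every REG_SZ value in a .reg export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line) if key else None
        if m and m.group(2).startswith('"') and m.group(2).endswith('"'):
            # hex(2) (REG_EXPAND_SZ) values are not decoded by this example
            entries.append((key, _unescape(m.group(1)), _unescape(m.group(2)[1:-1])))
    return entries


def image_of(command):
    """The program a Run value launches: the quoted path if present, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def assess(command):
    """Reasons a Run/RunOnce command line deserves analyst attention (empty list = nothing flagged)."""
    reasons = []
    image = image_of(command)
    base = image.rsplit("\\", 1)[-1].lower()
    if base in SCRIPT_HOSTS:
        reasons.append(f"script host or LOLBin as autostart image: {base}")
    if USER_WRITABLE.search(command):
        reasons.append("references a user-writable directory")
    if base in SYSTEM_NAMES and not image.lower().startswith("c:\\windows\\"):
        reasons.append(f"Windows system binary name outside C:\\Windows: {image}")
    if re.search(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s", command) or \
            re.search(r"(?i)-w(indowstyle)?\s+hidden", command):
        reasons.append("encoded or hidden PowerShell invocation")
    return reasons


def triage(reg_text):
    """Parse a .reg export and return only the entries with at least one finding."""
    findings = []
    for key, name, command in parse_reg(reg_text):
        reasons = assess(command)
        if reasons:
            findings.append({"key": key, "name": name, "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REG):
        subkey = f["key"].rsplit("\\", 1)[-1]
        print(f"[{subkey}] {f['name']}: {f['command']}")
        for r in f["reasons"]:
            print("    -", r)
```

reg export writes UTF-16 with a BOM, so read a real export with open(path, encoding="utf-16") before passing it to triage(). The OneDrive entry is the control case: a quoted path under Program Files produces no finding, while the masquerading svchost.exe in AppData trips two rules at once.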
Linux Autostart Mechanisms
1. systemd Services
/etc/systemd/system/malicious.service
- Enabled via:
systemctl enable malicious.service
- enable only creates a symlink under the target's .wants/ directory (e.g., /etc/systemd/system/multi-user.target.wants/), so the unit starts at the next boot; systemctl enable --now also starts it immediately
- System units run as root unless the [Service] section sets User=
- Per-user units in ~/.config/systemd/user/ need no root and start with the user's session
2. Cron Jobs
@reboot /path/to/payload.sh
- @reboot fires each time the cron daemon starts, i.e., at boot and again whenever the cron service is restarted
Locations:
/etc/crontab
/etc/cron.d/
/var/spool/cron/ (per-user crontabs; /var/spool/cron/crontabs/ on Debian-derived systems)
3. Shell Profile Scripts
Executed when the user starts a shell rather than at boot, so they give logon-time persistence in the user's context (ATT&CK tracks this under T1546.004):
~/.bash_profile (login shells)
~/.bashrc (interactive non-login shells; most ~/.bash_profile files source it as well)
/etc/profile (system-wide, all login shells; needs root to modify)
macOS Autostart Mechanisms
- Launch Agents (user-level): run in the logging-on user's session
- Launch Daemons (system-level): run as root at boot, before any user logs in
~/Library/LaunchAgents/ (per-user, no root needed)
/Library/LaunchAgents/ (all users, root needed)
/Library/LaunchDaemons/ (root needed)
Defined using .plist files; RunAtLoad makes launchd start the program as soon as the job is loaded (at boot or logon, or immediately when the attacker runs launchctl load on it):
<key>RunAtLoad</key>
<true/>
- ATT&CK tracks these separately as T1543.001 (Launch Agent) and T1543.004 (Launch Daemon)
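To show how the Linux and macOS mechanisms above are checked in practice, here is an added Python example (not code from the original page) that parses a system crontab, a systemd unit file, and a launchd plist, resolves the program each entry actually runs (looking through sh -c wrappers), and flags programs in scratch or home directories, hidden path components, relative paths, and Apple-looking labels pointing outside /System or /usr. All three inputs, the labels and the trusted-directory lists are constructed for this example.

```python
import plistlib
import re
import shlex

# Constructed samples (made up for this example): a system crontab, a systemd unit, a LaunchAgent plist.
SAMPLE_CRONTAB = """# /etc/crontab
SHELL=/bin/sh
17 *  * * *  root  /usr/sbin/logrotate /etc/logrotate.conf
@reboot root /dev/shm/.x/payload.sh
@reboot root /usr/local/bin/backup-agent --daemon
"""

SAMPLE_UNIT = """[Unit]
Description=System Update Helper

[Service]
ExecStart=/bin/bash -c "/tmp/.cache/update.sh"
Restart=always

[Install]
WantedBy=multi-user.target
"""

SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.softwareupdatehelper</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/.hidden/agent</string><string>--silent</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Path heuristics are assumptions for this example; adjust them to your baseline.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/", "/bin/", "/sbin/",
                    "/opt/", "/usr/local/bin/", "/usr/local/sbin/", "/System/", "/Applications/")
SCRATCH_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/Users/", "/root/")
SHELLS = {"sh", "bash", "dash", "zsh"}


def first_exec(command):
    """Program a command line runs; looks through `sh -c "..."` wrappers to the real program."""
    try:
        argv = shlex.split(command)
    except ValueError:
        argv = command.split()
    if not argv:
        return ""
    if argv[0].rsplit("/", 1)[-1] in SHELLS and "-c" in argv[:-1]:
        return first_exec(argv[argv.index("-c") + 1])
    return argv[0]


def classify_path(path):
    """Reasons a program path is unusual for an autostart entry (empty list = nothing flagged)."""
    reasons = []
    if not path.startswith("/"):
        reasons.append("relative path, resolved via PATH at boot")
    elif path.startswith(SCRATCH_PREFIXES):
        reasons.append("program lives in a scratch or home directory")
    elif not path.startswith(TRUSTED_PREFIXES):
        reasons.append("program outside standard install locations")
    if "/." in path:
        reasons.append("hidden path component")
    return reasons


def cron_entries(text, system_crontab=True):
    """(schedule, command) per job line; system crontabs carry a user field after the schedule."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                      # comment or environment assignment
        extra = 2 if system_crontab else 1
        if line.startswith("@"):          # @reboot, @daily, ...
            parts = line.split(None, extra)
            jobs.append((parts[0], parts[-1]))
        else:                             # five time fields
            parts = line.split(None, 4 + extra)
            jobs.append((" ".join(parts[:5]), parts[-1]))
    return jobs


def unit_exec_lines(text):
    """(directive, command) for Exec* lines of a systemd unit, minus the -, @, +, !, : prefixes."""
    return [(m.group(1), m.group(2).strip().lstrip("-@+!:"))
            for m in (re.match(r"^\s*(ExecStart(?:Pre|Post)?)=(.*)$", ln) for ln in text.splitlines()) if m]


def launchd_job(plist_bytes):
    """(label, program, starts_on_load) from a LaunchAgent/LaunchDaemon plist."""
    p = plistlib.loads(plist_bytes)
    program = p.get("Program") or (p.get("ProgramArguments") or [""])[0]
    return p.get("Label", ""), program, bool(p.get("RunAtLoad"))


def triage(crontab_text, unit_text, plist_bytes):
    """Collect (source, entry, program, reason) findings across all three mechanisms."""
    findings = []
    for sched, cmd in cron_entries(crontab_text):
        prog = first_exec(cmd)
        findings += [("cron", sched, prog, r) for r in classify_path(prog)]
    for directive, cmd in unit_exec_lines(unit_text):
        prog = first_exec(cmd)
        findings += [("systemd", directive, prog, r) for r in classify_path(prog)]
    label, prog, at_load = launchd_job(plist_bytes)
    if at_load:
        findings += [("launchd", label, prog, r) for r in classify_path(prog)]
        if label.startswith("com.apple.") and not prog.startswith(("/System/", "/usr/")):
            findings.append(("launchd", label, prog, "Apple-looking label for a program outside /System or /usr"))
    return findings


if __name__ == "__main__":
    for source, entry, prog, reason in triage(SAMPLE_CRONTAB, SAMPLE_UNIT, SAMPLE_PLIST):
        print(f"{source:8} {entry:40} {prog}\n         -> {reason}")
```

The sh -c unwrapping matters: the unit's ExecStart names /bin/bash, which every allow-list trusts, and only the inner script path reveals the /tmp location. Treating /home and /Users as scratch is deliberately strict; legitimate per-user agents will show up and need a baseline to suppress.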
Why Attackers Use This Technique
- Persistence across reboots
- Minimal user interaction
- Blends with legitimate startup behavior
- Enables long-term access
- Often required for ransomware, RATs, and loaders
Indicators of Compromise (IOCs)
File-System IOCs
- Unexpected executables in:
  - Startup folders
  - /etc/systemd/system/
  - ~/Library/LaunchAgents/
- Binaries whose creation time coincides with the creation of a startup entry (registry value, unit file, or plist)
Registry IOCs (Windows)
- Suspicious entries in Run, RunOnce, or Services keys
- Randomized or masquerading names (e.g., WindowsUpdateSvc)
Process & Behavioral IOCs
- Unknown processes spawning at boot/logon
- Unsigned binaries running as SYSTEM/root
- Parent process anomalies (e.g., services.exe spawning user applications)
Command-Line IOCs
- Use of:
  - schtasks /create
  - sc create
  - reg add ...\Run
  - systemctl enable
  - crontab -e (or crontab <file>)
Detection & Monitoring
Endpoint Detection
- Monitor startup-related registry keys
- File integrity monitoring on startup paths
- Alert on new scheduled tasks or services
Log Sources
- Windows Event Logs:
  - Security 4697 (a service was installed; needs the Audit Security System Extension subcategory enabled) and System 7045 (service installed, logged by the Service Control Manager by default)
  - Security 4698 (scheduled task created; needs Audit Other Object Access Events) and Microsoft-Windows-TaskScheduler/Operational 106 (task registered)
  - Sysmon Event ID 13 (registry value set) scoped to the Run and RunOnce keys
- Linux:
  - /var/log/syslog or journalctl (cron and systemd unit activity)
  - auditd file-watch rules on /etc/crontab, /etc/cron.d/, /var/spool/cron/, and /etc/systemd/system/
- macOS:
  - Unified Logs (log show), filtered to the launchd process for job load events
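The command-line IOCs listed earlier and the log sources just above can be turned into a small rule set. The Python below is an added example, not from the page's source: it matches the listed commands in process-creation records (Sysmon Event ID 1 or auditd execve, assumed already flattened to one dict per event by your collector) and, for Security 4697 records, flags service binaries outside the Windows and Program Files directories. The events, service names, and paths are constructed; the ATT&CK IDs are MITRE's.

```python
import re

# Command-line rules with the ATT&CK technique each pattern indicates (IDs from MITRE ATT&CK).
RULES = [
    ("T1053.005 Scheduled Task", re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)),
    ("T1543.003 Windows Service", re.compile(r"\bsc(\.exe)?\s+create\b", re.I)),
    ("T1547.001 Registry Run Key", re.compile(r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run(Once)?\b", re.I)),
    ("T1543.002 Systemd Service", re.compile(r"\bsystemctl\s+(--user\s+)?enable\b")),
    ("T1053.003 Cron", re.compile(r"\bcrontab\s+(?!-l\b)\S")),   # any crontab use except listing
]
PROGRAM_DIRS = ("c:\\windows\\", "c:\\program files")   # assumption: where legitimate service binaries live

# Constructed events (made up for this example), one dict per record:
# Sysmon Event ID 1 (process creation), Security 4697 (service installed), auditd execve.
SAMPLE_EVENTS = [
    {"source": "sysmon", "EventID": 1, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'schtasks /create /sc onlogon /tn "OneDriveUpd" /tr "C:\\Users\\alice\\AppData\\Roaming\\u.exe"'},
    {"source": "sysmon", "EventID": 1, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "schtasks /query /tn \\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    {"source": "sysmon", "EventID": 1, "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": 'reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Helper /t REG_SZ /d "C:\\Users\\alice\\AppData\\Local\\Temp\\h.exe"'},
    {"source": "sysmon", "EventID": 1, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'sc create WinUpdSvc binPath= "C:\\ProgramData\\upd.exe" start= auto'},
    {"source": "security", "EventID": 4697, "ServiceName": "WinUpdSvc",
     "ServiceFileName": "C:\\ProgramData\\upd.exe", "ServiceStartType": 2},
    {"source": "security", "EventID": 4697, "ServiceName": "Sense",
     "ServiceFileName": '"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe"',
     "ServiceStartType": 2},
    {"source": "auditd", "EventID": "execve", "CommandLine": "systemctl enable malicious.service"},
    {"source": "auditd", "EventID": "execve", "CommandLine": "crontab -l"},
    {"source": "auditd", "EventID": "execve", "CommandLine": "crontab /tmp/.c"},
]


def service_image(service_file_name):
    """Path of the service binary from the 4697 ServiceFileName field (quoted path or first token)."""
    if service_file_name.startswith('"'):
        return service_file_name[1:service_file_name.find('"', 1)]
    return service_file_name.split(" ")[0]


def detect(event):
    """Return [(tag, evidence)] for one event; an empty list means no rule fired."""
    hits = []
    cmd = event.get("CommandLine", "")
    for tag, pattern in RULES:
        if pattern.search(cmd):
            hits.append((tag, cmd))
    if event.get("EventID") == 4697:   # Security log: "A service was installed in the system"
        image = service_image(event.get("ServiceFileName", ""))
        if not image.lower().startswith(PROGRAM_DIRS):
            hits.append(("T1543.003 Windows Service (binary outside system/program directories)", image))
    return hits


def scan(events):
    """Run detect() over a batch; returns [(event index, tag, evidence)] for later correlation."""
    return [(i, tag, ev) for i, e in enumerate(events) for tag, ev in detect(e)]


if __name__ == "__main__":
    for i, tag, ev in scan(SAMPLE_EVENTS):
        print(f"event {i} [{SAMPLE_EVENTS[i]['source']}] {tag}: {ev}")
```

The sc create command and the 4697 record it produces fire as two separate hits on the same service name; correlating them (plus the 7045 record, which this example does not model) is what turns a noisy command-line match into a confident alert. Listing commands (schtasks /query, crontab -l) deliberately produce nothing.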
Incident Response (IR) Playbook
1. Identification
- Confirm unauthorized autostart entries
- Correlate with suspicious binaries or network activity
2. Containment
- Disable service/task
- Remove network access if active C2 detected
- Preserve artifacts for forensics
3. Eradication
- Delete malicious binaries
- Remove registry keys / cron jobs / plist files
- Reset compromised credentials
4. Recovery
- Rebuild system if rootkit or boot-level persistence suspected
- Re-enable only verified startup entries
- Apply patches and hardening
5. Lessons Learned
- Tighten startup execution controls
- Improve EDR rules for persistence detection
- Audit admin privilege usage
Summary Table (Technical Mapping)
| Category | Details |
|---|---|
| ATT&CK ID | T1547 (Run keys and Startup folder: T1547.001; services: T1543; scheduled tasks and cron: T1053) |
| Tactic | Persistence (also Privilege Escalation) |
| Trigger Time | Boot, User Logon |
| Privilege Level | User / SYSTEM / Root |
| Common OS | Windows, Linux, macOS |
| Typical Artifacts | Registry keys, services, cron jobs, plist files |
| Detection Difficulty | Low → High (depends on method) |
| Common Malware | RATs, ransomware, loaders |
| Key Defense | Startup monitoring, EDR, least privilege |
