Common Information
Type | Value |
---|---|
Value | Active Setup - T1547.014 |
Category | Attack-Pattern |
Type | Mitre-Attack-Pattern |
Misp Type | Cluster |
Description | Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level. Adversaries may abuse Active Setup by creating a key under `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\` and setting a malicious value for `StubPath`. This value will serve as the program that will be executed when a user logs into the computer.(Citation: Mandiant Glyer APT 2010)(Citation: Citizenlab Packrat 2015)(Citation: FireEye CFR Watering Hole 2012)(Citation: SECURELIST Bright Star 2015)(Citation: paloalto Tropic Trooper 2016) Adversaries can abuse these components to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs. |
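As an added defensive example (not part of the MISP galaxy entry or of MITRE's text), the following PowerShell enumerates the Installed Components keys named in the description, in both the native and WOW6432Node views, and flags `StubPath` values that fall outside the standard Windows and Program Files directories or that sit under a key not named by a GUID; the trusted-root list and the GUID heuristic are assumptions of this example, not a published baseline.

```powershell
# Added example: audit Active Setup components for StubPath values that merit review.
# The trusted roots and the GUID-name check are this example's own heuristics.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
)

# Directories a benign StubPath is expected to live under (assumption for this check).
$trustedRoots = @(
    $env:SystemRoot,
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:CommonProgramFiles
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Get-ActiveSetupFindings {
    foreach ($root in $keys) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $props = Get-ItemProperty -Path $key.PSPath
            $stub  = $props.StubPath
            if ([string]::IsNullOrWhiteSpace($stub)) { continue }

            # Expand %SystemRoot% and similar, strip surrounding quotes, then compare prefixes.
            $expanded  = [Environment]::ExpandEnvironmentVariables($stub).Trim('"')
            $inTrusted = $false
            foreach ($r in $trustedRoots) {
                if ($expanded.StartsWith($r, [StringComparison]::OrdinalIgnoreCase)) {
                    $inTrusted = $true; break
                }
            }
            # Legitimate components are keyed by a GUID; free-text key names deserve a look.
            $guidName = $key.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$'

            [pscustomobject]@{
                Key        = $key.Name
                Component  = $props.'(default)'
                StubPath   = $stub
                Version    = $props.Version
                Suspicious = (-not $inTrusted) -or (-not $guidName)
            }
        }
    }
}

Get-ActiveSetupFindings | Where-Object Suspicious | Format-List
```

A StubPath that names a bare executable such as `rundll32.exe` with no directory is also reported, because it resolves through the search path rather than a fixed trusted location and should be inspected rather than assumed benign.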
Details | Type | Published | Attributes | Title | CTI |
---|---|---|---|---|---|
Details | Website | 2019-05-24 | 400 | Threat Roundup for May 17 to May 24 | |
Details | Website | 2019-04-19 | 570 | Threat Roundup for April 12 to April 19 | |
Details | Website | 2018-10-05 | 337 | Threat Roundup Sept 28 - Oct 5 | |
Details | Website | 2018-09-13 | 0 | Install Azure File Sync (AFS) | |
Details | Website | 2018-07-20 | 111 | Threat Roundup for July 13-20 | |
Details | Website | 2018-02-09 | 168 | Threat Round Up for Feb 2 - Feb 9 | |
Details | Website | 2017-02-22 | 6 | Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government | Mandiant |
Details | Website | 2016-11-22 | 157 | Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy | |
Details | Website | 2015-03-26 | 7 | Detecting PowerShell Malware Hacking - It's popular, so you better start doing this! | |
Details | Website | 2015-03-04 | 68 | Who's Really Spreading through the Bright Star? | |
Details | Website | 2014-09-03 | 12 | ALDIBOT - Threat Encyclopedia | |
Details | Website | 2013-10-14 | 26 | PE_MOFKSYS.A - Threat Encyclopedia | |
Details | Website | 2012-11-07 | 38 | Finding An Infection Vector After IT Cleaned the System | |
Details | Website | 2012-10-11 | 59 | Solving the GrrCon Network Forensics Challenge with Volatility | |
Details | Website | 2011-07-14 | 53 | Jul 5 CVE-2010-2883 PDF invitation.pdf with Poison Ivy from 112.121.171.94 \| pu.flower-show.org | |
Details | Website | 2011-05-05 | 13 | Setting up Cerberus RAT (Remote Administration Tool) | |
Details | Website | 2010-04-22 | 6 | Active Setup Explained • Helge Klein | |
Details | Website | 2008-05-06 | 41 | May 6, 2008 Poison Ivy EXE RSIS Commentary from RSISPubllcation@NTU.EDU.SG | |