Synopsis
Activation Period |
14 Days |
Training Period |
30 Days |
Test Period |
N/A (single event) |
Deduplication Period |
1 Day |
Required Data |
|
Detection Modules |
|
ATT&CK Tactic |
|
ATT&CK Technique |
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) |
Severity |
Medium |
Description
The Registry group policy keys being read on reboot, this will cause the persistence mechanism to trigger and run the malware.
Attacker's Goals
Gain persistence on the host using the Window's Group Policy Mechanism.
Investigative actions
- Check the registry key and determine what process it'll run.
- Check whether the executing process is benign, and if this was a desired behavior as part of its normal execution flow.