Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | N/A (single event)
Deduplication Period | 1 Day
Required Data |
Detection Modules |
Detector Tags | Generic Persistence Analytics
ATT&CK Tactic |
ATT&CK Technique |
Severity | Informational
Description
Uncommon execution of an executable found in an early startup stage.
Attacker's Goals
- Adversaries continuously develop new, hard-to-detect methods of launching malware during startup.
- Attackers aim to gain persistence so that they can keep operating even after a reboot.
Investigative actions
- Check whether the CGO (causality group owner) is familiar and whether any of its configuration, parameters, or registry keys have been modified.
Variations
- Execution of an uncommon process at an early startup stage with suspicious characteristics
- Execution of an uncommon process at an early startup stage with uncommon characteristics
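The following is an added illustration, not the vendor's detector logic, of how the synopsis parameters (14-day activation, 30-day training baseline, single-event test, 1-day deduplication) combine to flag an uncommon early-startup executable. The process-start events, the host name, the image paths and the 120-second definition of "early startup" are all constructed assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Detector parameters from the synopsis above.
ACTIVATION = timedelta(days=14)  # no alerts until this much history exists
TRAINING = timedelta(days=30)    # baseline = early-startup images seen in the past 30 days
DEDUP = timedelta(days=1)        # at most one alert per host/image per day
# Assumption: "early startup" means the first 120 s after boot; the page gives no number.
EARLY_STARTUP = timedelta(seconds=120)
Event = namedtuple("Event", "host boot start image")  # boot and start are datetimes
def detect(events):
    """Return early-startup executions whose image is missing from the 30-day baseline."""
    events = sorted(events, key=lambda e: e.start)
    first_seen = events[0].start if events else None
    history, last_alert, alerts = [], {}, []  # history: (time, image) per early-startup run
    for ev in events:
        if not timedelta(0) <= ev.start - ev.boot <= EARLY_STARTUP:
            continue  # started too long after boot: out of scope for this detector
        image = ev.image.lower()
        # Baseline is rebuilt per calendar day from the preceding 30 days, so a second
        # boot on the same day is caught by deduplication rather than by the baseline.
        day = ev.start.replace(hour=0, minute=0, second=0, microsecond=0)
        baseline = {img for t, img in history if day - TRAINING <= t < day}
        history.append((ev.start, image))
        if ev.start - first_seen < ACTIVATION or image in baseline:
            continue
        key = (ev.host, image)
        if key in last_alert and ev.start - last_alert[key] < DEDUP:
            continue
        last_alert[key] = ev.start
        alerts.append(ev)
    return alerts

def sample_events():
    t0 = datetime(2024, 1, 1, 8, 0)  # constructed data: 35 daily 08:00 boots of HOST1
    normal = (r"C:\Windows\System32\wininit.exe", r"C:\Windows\System32\winlogon.exe")
    evs = [Event("HOST1", t0 + timedelta(days=d), t0 + timedelta(days=d, seconds=5), img)
           for d in range(35) for img in normal]
    new = r"C:\Users\Public\updater.exe"
    injected = [  # constructed extras: (days after t0, seconds after boot, image)
        (10, 30, r"C:\Users\Public\early.exe"),   # inside the activation period: no alert
        (31, 30, new),                            # first early-startup sighting: alert
        (31.25, 30, new),                         # second boot 6 h later: deduplicated
        (32, 30, new),                            # next day: now in the baseline, no alert
        (33, 7200, r"C:\Users\Public\late.exe"),  # 2 h after boot: not early startup
    ]
    for d, s, img in injected:
        b = t0 + timedelta(days=d)
        evs.append(Event("HOST1", b, b + timedelta(seconds=s), img))
    return evs
```

Running `detect(sample_events())` yields a single alert, the first early-startup execution of `updater.exe`; the same-day repeat is deduplicated and the next-day repeat is already part of the learned baseline.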