249. Adversaries Use Active Setup for Persistence
Hello everyone! Today we'll talk about another persistence mechanism, one that is not commonly used by adversaries. I'm talking about Boot or Logon Autostart Execution: Active Setup (T1547.014). I spotted threat actors using it while reading this report on NightshadeC2. The adversary created a key under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\ and set a malicious value for StubPath.

The key is commonly used by web browser updaters and some other legitimate software, so make sure to tune the query properly:

event_type: "registryvaluesetwin" AND reg_key_path: ("Active Setup" AND "StubPath") AND NOT reg_value_data: ("edge" OR "chrome" OR "yandex" OR "brave" OR "citrixenterprisebrowser" OR "acrobat" OR "chromium" OR "contentreader")

See you tomorrow!
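To show how the three clauses of the query behave on real-looking telemetry, here is an added Python example (not from the original post or the NightshadeC2 report) that applies the same logic to a few constructed registry events. Field names follow the query; the GUIDs and paths are made up, and the exclusion terms are assumed to be matched as case-insensitive substrings of the value data.

```python
# Exclusion terms copied from the query above, matched case-insensitively.
ALLOWLIST_TERMS = ("edge", "chrome", "yandex", "brave", "citrixenterprisebrowser",
                   "acrobat", "chromium", "contentreader")


def matches_active_setup_rule(event: dict) -> bool:
    """Return True when an event would be surfaced by the query above.

    Mirrors the query's three clauses: the event is a registry value set, the
    key path contains both "Active Setup" and "StubPath", and the written data
    contains none of the allowlisted browser/updater terms. Term matching is
    modelled as case-insensitive substring search (assumption about the SIEM).
    """
    if event.get("event_type") != "registryvaluesetwin":
        return False
    key_path = event.get("reg_key_path", "").lower()
    if "active setup" not in key_path or "stubpath" not in key_path:
        return False
    data = event.get("reg_value_data", "").lower()
    return not any(term in data for term in ALLOWLIST_TERMS)


# Constructed sample telemetry (not from the report); GUIDs and paths are made up.
AS_ROOT = r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
SAMPLE_EVENTS = [
    # 1. Legitimate browser updater writing StubPath: dropped by the "chrome" term.
    {"event_type": "registryvaluesetwin",
     "reg_key_path": AS_ROOT + r"\{00000000-0000-0000-0000-000000000001}\StubPath",
     "reg_value_data": r"C:\Program Files\Google\Chrome\Application\chrmstp.exe --configure-user-settings"},
    # 2. Unknown binary in a user-writable location: the kind of hit the rule should surface.
    {"event_type": "registryvaluesetwin",
     "reg_key_path": AS_ROOT + r"\{00000000-0000-0000-0000-000000000002}\StubPath",
     "reg_value_data": r"C:\Users\Public\svc_helper.exe"},
    # 3. Same component key, but the Version value rather than StubPath: out of scope.
    {"event_type": "registryvaluesetwin",
     "reg_key_path": AS_ROOT + r"\{00000000-0000-0000-0000-000000000002}\Version",
     "reg_value_data": "1,0,0,1"},
    # 4. Value deletion rather than a set: different event_type, not matched.
    {"event_type": "registryvaluedeletedwin",
     "reg_key_path": AS_ROOT + r"\{00000000-0000-0000-0000-000000000003}\StubPath",
     "reg_value_data": ""},
]


def triage(events):
    """Return (index, value data) pairs for every event the rule would alert on."""
    return [(i, e["reg_value_data"]) for i, e in enumerate(events)
            if matches_active_setup_rule(e)]


if __name__ == "__main__":
    for idx, data in triage(SAMPLE_EVENTS):
        print(f"ALERT event[{idx}]: StubPath -> {data}")
```

Only the second event is reported; the browser updater is filtered by the allowlist, and the Version write and the deletion never satisfy the key-path and event-type clauses.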