
TH16118

Detected presence of software components that can change the system startup sequence.

priority: (icon, not captured in text)
CI/CD status: pass
severity: medium
effort: high
RL level: None
RL assessment: None

About the issue

Operating systems provide multiple integration points through which an application can insert itself into the system startup sequence (on Windows, for example, the Registry Run keys and the Startup folder). The startup sequence runs in its entirety every time the system boots, which is why attackers try to register their malicious code there: code that starts together with the operating system survives reboots, and that is what gives the attacker persistence. The presence of code that modifies the startup sequence does not by itself imply malicious intent, but every such use in a software package should be documented and approved. Only applications that genuinely need to run continuously in the background (services, agents, updaters) should install themselves into the startup sequence. One accepted exception is a single run after the first reboot to complete the software installation, which is what one-shot mechanisms such as the RunOnce keys exist for; an entry that re-registers itself on every boot is persistence, not installation, and should be reviewed as such.

How to resolve the issue

  • Investigate reported detections as possible indicators of software tampering: confirm which component registers the startup entry and whether that entry is documented and approved.
  • Consult the MITRE ATT&CK documentation: T1547.001 - Registry Run Keys/Startup Folder.
  • Consider rewriting the flagged code without using the marked behaviors, or limiting it to a one-shot post-install step where that is all that is needed.
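The following is an added example of the kind of static check described above and used in the investigation step; it is not ReversingLabs' detection logic or code. It scans an unpacked package for strings that reference startup-sequence locations (the Windows Run/RunOnce keys and Startup folder named by T1547.001, plus common Linux and macOS equivalents), looks at both the raw bytes and a UTF-16LE view because Windows binaries store most strings that way, and triages a RunOnce-only hit as the accepted install-completion exception. The indicator table, the file layout and the sample files written by build_sample_package() are all constructed for the demonstration.

```python
"""Static scan of an unpacked software package for components that touch the startup sequence.

Added example, not ReversingLabs' detection logic: the indicator table is a constructed
illustration of the evidence a static scanner can look for, and every file written by
build_sample_package() is constructed sample data, not a real package.
"""
import re
import tempfile
from pathlib import Path

# Constructed indicator table: label -> byte regex. The Windows entries mirror the locations
# ATT&CK T1547.001 names (Run keys, Startup folder); the others are Linux/macOS equivalents.
STARTUP_INDICATORS = {
    # Run / RunServices keys: executed at every logon, i.e. persistence.
    "windows-run-key": re.compile(rb"(?i)CurrentVersion\\Run(?:Services)?(?![A-Za-z])"),
    # RunOnce keys: executed once and then deleted, the usual vehicle for finishing an install.
    "windows-runonce-key": re.compile(rb"(?i)CurrentVersion\\Run(?:Services)?Once"),
    "windows-startup-folder": re.compile(rb"(?i)Programs\\Startup"),
    "linux-systemd-unit": re.compile(rb"/etc/systemd/system/|systemctl\s+enable\b"),
    "linux-cron-reboot": re.compile(rb"/etc/cron\.d/|@reboot\b"),
    "macos-launchd": re.compile(rb"/Library/Launch(?:Agents|Daemons)/"),
}


def scan_bytes(data):
    """Return the sorted list of indicator labels found in data.

    Both the raw bytes (ASCII/UTF-8 scripts, configs) and a UTF-16LE decoding (how Windows
    PE files usually store registry paths) are searched, so a Run key hidden in a DLL's
    wide-string table is found as well as one in a shell script.
    """
    views = [data, data.decode("utf-16le", errors="ignore").encode("utf-8", errors="ignore")]
    hits = set()
    for view in views:
        for label, pattern in STARTUP_INDICATORS.items():
            if pattern.search(view):
                hits.add(label)
    return sorted(hits)


def scan_package(root):
    """Walk an unpacked package and map each flagged file (relative path) to its labels."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            labels = scan_bytes(path.read_bytes())
            if labels:
                findings[path.relative_to(root).as_posix()] = labels
    return findings


def classify(labels):
    """Triage per the policy text: a RunOnce-only hit is the accepted install-completion
    exception; any other startup hook is persistence that must be documented and approved."""
    if labels and set(labels) == {"windows-runonce-key"}:
        return "install-once"
    return "persistence"


def build_sample_package(root):
    """Write constructed sample files (not a real package) under root."""
    def utf16(s):  # Windows binaries keep most strings as UTF-16LE
        return s.encode("utf-16le")

    files = {
        # installer that only finishes its work after the first reboot: the allowed exception
        "installer.exe": b"MZ" + utf16("Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\x00"),
        # updater that registers itself twice over, in a Run key and in the Startup folder
        "lib/updater.dll": b"MZ" + utf16("Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00")
        + utf16("\\Programs\\Startup\\agent.lnk\x00"),
        # Linux post-install script enabling a systemd unit
        "scripts/postinstall.sh": b"#!/bin/sh\ncp agent.service /etc/systemd/system/\n"
        b"systemctl enable agent.service\n",
        # clean file, must not be flagged
        "README.txt": b"Agent package. See docs for configuration.\n",
    }
    for rel, data in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def demo():
    """Build the constructed sample package in a temp dir, scan it, and return the triage."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_package(root)
        findings = scan_package(root)
    return {rel: (labels, classify(labels)) for rel, labels in findings.items()}


if __name__ == "__main__":
    for rel, (labels, verdict) in demo().items():
        print(f"{rel}: {', '.join(labels)} -> {verdict}")
```

Running the block scans the constructed package and reports the RunOnce-only installer as a one-shot post-install step, while the updater DLL (Run key plus Startup folder) and the systemd-enabling script are reported as persistence that needs documentation and approval. String matching of this kind is evidence, not proof: a component that merely reads these locations (an uninstaller, a security tool) triggers the same hit, so each finding still needs the manual review the resolution steps call for.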