Boot or Logon Autostart Execution
Run code automatically at boot or logon.
§ Where this technique fits
T1547 is catalogued under the Persistence tactic of the offensive-security kill chain. It appears in 5 approved dossiers in the registry, at step 5 on average.
Authoritative reference: attack.mitre.org/techniques/T1547/.
§ Dossiers chaining this technique
- step 3 / 6 · LogoFAIL → UEFI bootkit → persistent ring-0
  Drop a malformed JPG/PNG/BMP into the EFI partition's boot logo path. Vulnerable vendor UEFI parses it pre-OS, executes attacker code before SecureBoot's verifier — install a bootkit that survives wipe + reinstall.
- step 3 / 5 · LaunchDaemon persistence as root
  Once at root (via sudo or a local exploit), drop a .plist into /Library/LaunchDaemons that re-implants on every boot — survives user logout and full power-cycle.
- step 6 / 6 · OneNote .one attachment → embedded payload → C2
  OneNote .one file with a friendly 'Double-click to view' overlay hides an embedded HTA / VBS / EXE. Effective initial access vector after Microsoft blocked internet macros in 2022.
- step 6 / 6 · Rowhammer → bit flip → in-browser sandbox escape
  JavaScript hammers adjacent DRAM rows for tens of seconds; an unlucky-for-defender bit flip in a page-table entry hands the attacker a write primitive into another mapping. RIDL-class chain to native code.
- step 7 / 7 · V8 type-confusion 1-day → renderer RCE
  Public V8 type-confusion turned into a renderer pop. JS triggers JIT into mis-compiling a polymorphic site, addrof/fakeobj primitives, shellcode in a WASM RWX page.
§ What commonly comes next
- 01 · SecureBoot Bypass · seen 1× · FW-SECUREBOOT-BYPASS · Defense Evasion
- 02 · Valid Accounts · seen 1× · T1078 · Initial Access