T1547.001

Registry Run Keys / Startup Folder

Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level. The following run keys are created by default on Windows systems: * <code>HKEY_CURRENT_USER\...
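To show what the run-key and startup-folder detections catalogued on this page actually look for, here is an added example (not code from this page, from ATT&CK, or from any of the rule sources indexed below) that triages Sysmon-style Event ID 13 (registry value set) and Event ID 11 (file create) records. It matches the default Run and RunOnce paths from the description above plus the Wow6432Node and Policies\Explorer\Run variants, the User Shell Folders Startup redirect, and the per-user and all-users startup folders, then escalates on the writing process (reg.exe, the WMI provider host, WinRAR, PowerShell) and on the command being registered. The rule names, severities and folder lists are a paraphrase of the rule families listed under Detections, not the real Sigma or Elastic logic, and every event record is constructed.

```python
"""Triage Sysmon-style events for T1547.001 run-key / startup-folder persistence.
Illustrative example with constructed records; the rule names paraphrase the
public rule families listed on this page, they are not those rules' logic."""
import re
from collections import Counter, namedtuple

# Logon-time autorun values. Sysmon reports them under HKLM\ or HKU\<SID>\,
# so match on the path suffix, case-insensitively.
RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\"
    r"(?:Run|RunOnce|Policies\\Explorer\\Run)\\[^\\]+$", re.IGNORECASE)
# Rewriting the Startup entry of (User) Shell Folders relocates the startup
# folder itself, so everything in the new location runs at logon.
SHELL_STARTUP_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\"
    r"(?:User )?Shell Folders\\(?:Common )?Startup$", re.IGNORECASE)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\StartUp\\[^\\]+$", re.IGNORECASE)
# Folders a non-admin can write to: a run value pointing here is the
# "suspicious folder" signal (illustrative list, not a rule's actual list).
USER_WRITABLE_RE = re.compile(
    r"\\(?:Temp|Downloads|Public|ProgramData|AppData\\Local\\Temp)\\", re.IGNORECASE)
POWERSHELL_RE = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.IGNORECASE)
SCRIPT_EXT_RE = re.compile(r"\.(?:vbs|vbe|js|jse|wsf|bat|cmd|ps1|hta)$", re.IGNORECASE)
DROPPER_IMAGES = {"winrar.exe", "7z.exe", "winword.exe", "excel.exe", "outlook.exe"}

Finding = namedtuple("Finding", "rule severity target")  # severity: medium | high

def _image(event):
    return event.get("Image", "").rsplit("\\", 1)[-1].lower()

def check_registry(event):
    """Sysmon Event ID 13 (registry value set)."""
    target, details = event.get("TargetObject", ""), event.get("Details", "")
    if SHELL_STARTUP_RE.search(target):
        return [Finding("Startup shell folder redirected", "high", target)]
    if not RUN_KEY_RE.search(target):
        return []
    # Every autorun write is recorded at baseline; production rules filter
    # known installers by Image before alerting at this level.
    found = [Finding("Autorun key modified", "medium", target)]
    img = _image(event)
    if img == "reg.exe":
        found.append(Finding("Run key set via reg.exe", "medium", target))
    elif img == "wmiprvse.exe":
        found.append(Finding("Autorun modified via WMI", "high", target))
    if POWERSHELL_RE.search(details):
        found.append(Finding("PowerShell command in run key", "medium", target))
    if USER_WRITABLE_RE.search(details):
        found.append(Finding("Run key points to user-writable folder", "high", target))
    return found

def check_file(event):
    """Sysmon Event ID 11 (file create)."""
    path = event.get("TargetFilename", "")
    if not STARTUP_DIR_RE.search(path):
        return []
    found = [Finding("Startup folder file write", "medium", path)]
    if SCRIPT_EXT_RE.search(path):
        found.append(Finding("Script dropped in startup folder", "high", path))
    img = _image(event)
    if img in ("powershell.exe", "pwsh.exe"):
        found.append(Finding("PowerShell wrote to startup folder", "high", path))
    elif img in DROPPER_IMAGES:
        found.append(Finding("Archive or Office tool wrote to startup folder", "high", path))
    return found

def classify(events):
    """Route each record by EventID; return every finding in event order."""
    found = []
    for ev in events:
        if ev.get("EventID") == 13:
            found.extend(check_registry(ev))
        elif ev.get("EventID") == 11:
            found.extend(check_file(ev))
    return found

def summarize(findings):
    """Rule name -> hit count."""
    return Counter(f.rule for f in findings)

SID = r"HKU\S-1-5-21-1-2-3-1001"  # constructed user hive prefix
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\Updater",
     "Details": "powershell -nop -w hidden -enc aQBlAHgA"},
    {"EventID": 13, "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Helper",
     "Details": r"C:\ProgramData\helper\svc.exe"},
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\invoice.vbs"},
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Start",
     "Details": "DWORD (0x00000002)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup",
     "Details": r"C:\Users\Public\Libraries\boot"},
]

if __name__ == "__main__":
    for f in classify(SAMPLE_EVENTS):
        print(f"[{f.severity:>6}] {f.rule}: {f.target}")
```

Run as a script it prints one line per finding. The OneDrive record only produces the baseline "Autorun key modified" hit, which is why the medium-severity autorun rules listed below are only usable with a filter on known-good writer images; the reg.exe, WMI provider host and WinRAR records show the escalations that make the high-severity rules actionable without such a filter.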

Platform: Windows
Detections: 50 | Sources: 4 | Threat Actors: 55

BY SOURCE

sigma: 31 | elastic: 13 | splunk_escu: 5 | crowdstrike_cql: 1

PROCEDURES (23)

Auto-extracted labels, with the number of detections carrying each label:

Registry (14)
Startup (3)
Suspicious (3)
Suspicious (3)
Persist (3)
Startup (3)
Startup (2)
Service (2)
Tamper (2)
Registry Monitoring (2)
Bypass (1)
Powershell (1)
Suspicious (1)
Bypass (1)
Remote (1)
Suspicious (1)
Registry (1)
Persist (1)
Remote (1)
Powershell (1)
Startup (1)
Startup (1)
Powershell (1)

DETECTIONS (50)

Each entry: detection name (source, severity where the source assigns one)

Classes Autorun Keys Modification (sigma, medium)
Common Autorun Keys Modification (sigma, medium)
CurrentControlSet Autorun Keys Modification (sigma, medium)
CurrentVersion Autorun Keys Modification (sigma, medium)
CurrentVersion NT Autorun Keys Modification (sigma, medium)
Direct Autorun Keys Modification (sigma, medium)
Execution of Persistent Suspicious Program (elastic, medium)
File Creation In Suspicious Directory By Msdt.EXE (sigma, high)
Internet Explorer Autorun Keys Modification (sigma, medium)
Lateral Movement via Startup Folder (elastic, high)
Modify User Shell Folders Startup Value (sigma, high)
Narrator's Feedback-Hub Persistence (sigma, high)
New RUN Key Pointing to Suspicious Folder (sigma, high)
Office Autorun Keys Modification (sigma, medium)
Persistence via a Windows Installer (elastic, medium)
Persistence via Hidden Run Key Detected (elastic, high)
Persistence via WMI Standard Registry Provider (elastic, high)
Persistent Scripts in the Startup Directory (elastic, medium)
Potential Persistence Attempt Via Run Keys Using Reg.EXE (sigma, medium)
Potential Persistence via Mandatory User Profile (elastic, medium)
Potential REMCOS Trojan Execution (elastic, high)
Potential Startup Shortcut Persistence Via PowerShell.EXE (sigma, high)
Potential Suspicious Activity Using SeCEdit (sigma, medium)
Registry Keys Used For Persistence (splunk_escu)
Registry Persistence via Explorer Run Key (sigma, high)
Session Manager Autorun Keys Modification (sigma, medium)
Startup Folder File Write (sigma, medium)
Startup Folder Persistence via Unsigned Process (elastic, medium)
Startup or Run Key Registry Modification (elastic, low)
Startup Persistence by a Suspicious Process (elastic, medium)
Suspicious Autorun Registry Modified via WMI (sigma, high)
Suspicious PowerShell In Registry Run Keys (sigma, medium)
Suspicious Registry Modifications (crowdstrike_cql)
Suspicious Run Key from Download (sigma, high)
Suspicious Startup Folder Persistence (sigma, high)
Suspicious Startup Shell Folder Modification (elastic, high)
System Scripts Autorun Keys Modification (sigma, medium)
Uncommon Registry Persistence Change (elastic, medium)
User Shell Folders Registry Modification via CommandLine (sigma, high)
VBScript Payload Stored in Registry (sigma, high)
Windows Boot or Logon Autostart Execution In Startup Folder (splunk_escu)
Windows Event Log Access Tampering Via Registry (sigma, high)
Windows PowerShell MSIX Package Installation (splunk_escu)
Windows Registry BootExecute Modification (splunk_escu)
Windows Registry Modification for Safe Mode Persistence (splunk_escu)
WinRAR Creating Files in Startup Locations (sigma, high)
WinSock2 Autorun Keys Modification (sigma, medium)
Wow6432Node Classes Autorun Keys Modification (sigma, medium)
Wow6432Node CurrentVersion Autorun Keys Modification (sigma, medium)
Wow6432Node Windows NT CurrentVersion Autorun Keys Modification (sigma, medium)