Boot or Logon Autostart Execution T1547
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon. These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
Events covered
32 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 154 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (66 distinct)
The fields most rules inspect when detecting this technique. The How column shows which operators rule authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (1132 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for a useful signal. Blank means the combination is specific to rules under this technique.
Exclusions (512 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Each rule title leads to its full predicates, exclusions, and indicators.
Sigma 67 rules
- Add Port Monitor Persistence in Registry
- Atbroker Registry Change
- Bypass UAC Using Event Viewer
- Classes Autorun Keys Modification
- Common Autorun Keys Modification
- Creation Exe for Service with Unquoted Path
- CurrentControlSet Autorun Keys Modification
- CurrentVersion Autorun Keys Modification
- CurrentVersion NT Autorun Keys Modification
- Default RDP Port Changed to Non Standard Port
- Desktop.INI Created by Uncommon Process
- Direct Autorun Keys Modification
- DLL Load via LSASS
- File Creation In Suspicious Directory By Msdt.EXE
- Forest Blizzard APT - Custom Protocol Handler Creation
- Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
- Internet Explorer Autorun Keys Modification
- Kapeka Backdoor Autorun Persistence
- Leviathan Registry Key Activity
- Modify User Shell Folders Startup Value
- Narrator's Feedback-Hub Persistence
- New Custom Shim Database Created
- New RUN Key Pointing to Suspicious Folder
- New TimeProviders Registered With Uncommon DLL Name
- NTFS hard link creation
- NTFS symbolic link configuration change
- NTFS symbolic link creation
- Office Autorun Keys Modification
- Potential KamiKakaBot Activity - Winlogon Shell Persistence
- Potential Persistence Attempt Via Run Keys Using Reg.EXE
- Potential RipZip Attack on Startup Folder
- Potential Ryuk Ransomware Activity
- Potential Startup Shortcut Persistence Via PowerShell.EXE
- Potential Suspicious Activity Using SeCEdit
- Print spooler privilege escalation via printer added (CVE-2020-1048)
- Registry Persistence Mechanisms in Recycle Bin
- Registry Persistence via Explorer Run Key
- Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace
- Security package (SSP) added (Reg via command)
- Security package (SSP) loaded into LSA (native)
- Security Support Provider (SSP) Added to LSA Configuration
- Session Manager Autorun Keys Modification
- Startup Folder File Write
- Startup/Logon Script Added to Group Policy Object
- Suspicious Autorun Registry Modified via WMI
- Suspicious Driver Install by pnputil.exe
- Suspicious GrpConv Execution
- Suspicious PowerShell In Registry Run Keys
- Suspicious Run Key from Download
- Suspicious Startup Folder Persistence
- Suspicious VBScript UN2452 Pattern
- System Scripts Autorun Keys Modification
- SystemNightmare by GentilKiwi - External printer mapped (CVE-2021-1675 / CVE-2021-34527)
- SystemNightmare by GentilKiwi - New external device added (CVE-2021-1675 / CVE-2021-34527)
- User Shell Folders Registry Modification via CommandLine
- VBScript Payload Stored in Registry
- Windows Event Log Access Tampering Via Registry
- Windows Network Access Suspicious desktop.ini Action
- Windows Terminal Profile Settings Modification By Uncommon Process
- WINEKEY Registry Modification
- Winlogon Helper DLL
- Winlogon Notify Key Logon Persistence
- WinRAR Creating Files in Startup Locations
- WinSock2 Autorun Keys Modification
- Wow6432Node Classes Autorun Keys Modification
- Wow6432Node CurrentVersion Autorun Keys Modification
- Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
Elastic 17 rules
- Execution of Persistent Suspicious Program
- Installation of Security Support Provider
- Lateral Movement via Startup Folder
- Persistence via a Windows Installer
- Persistence via Hidden Run Key Detected
- Persistence via WMI Standard Registry Provider
- Potential LSA Authentication Package Abuse
- Potential Persistence via Mandatory User Profile
- Potential Persistence via Time Provider Modification
- Potential Port Monitor or Print Processor Registration Abuse
- Potential REMCOS Trojan Execution
- Startup Folder Persistence via Unsigned Process
- Startup or Run Key Registry Modification
- Startup/Logon Script added to Group Policy Object
- Suspicious Module Loaded by LSASS
- Suspicious Startup Shell Folder Modification
- Uncommon Registry Persistence Change
Splunk 54 rules
- Active Setup Registry Autostart
- Add DLL_EXE Registry Value (Sysmon)
- Additional dll added to Spool Driver (Sysmon)
- Additional dll added to Spool Driver (Windows Event Log)
- Execution from Startup Folder (Sysmon)
- Execution from Startup Folder (Windows Event Log)
- File Written to Startup Folder - Windows (Sysmon)
- File Written to Startup Folder - Windows (Windows Event Log)
- LSA Authentication Packages Registry Key Modified (PowerShell)
- LSA Authentication Packages Registry Key Modified (Sysmon)
- LSA Authentication Packages Registry Key Modified (Windows Event Log)
- Monitor Registry Keys for Print Monitors
- New AutoRun Registry Key (PowerShell)
- Potential LSA password filter (PowerShell)
- Potential LSA password filter (Windows Event Log)
- Potential Proxy Malware via AutoRun Key (PowerShell)
- Potential Proxy Malware via AutoRun Key (Sysmon)
- Potential Proxy Malware via AutoRun Key (Windows Event Log)
- Print Processor Registry Autostart
- Print Spooler Adding A Printer Driver
- Print Spooler Failed to Load a Plug-in
- Rare dll called by Spoolsv.exe (Windows Event Log)
- Registry Keys Used For Persistence
- Shortcut Created in Startup Folder - Windows (PowerShell)
- Spoolsv Spawning Rundll32
- Spoolsv Suspicious Loaded Modules
- Spoolsv Writing a DLL
- Spoolsv Writing a DLL - Sysmon
- Startup Folder Location Modified - Windows (PowerShell)
- Startup Folder Location Modified - Windows (Sysmon)
- Startup Folder Location Modified - Windows (Windows Event Log)
- Suspicious Registry Key Created (PowerShell)
- Suspicious Registry Key Created (Windows Event Log)
- Symbolic OR Hard File Link Created (PowerShell)
- Symbolic OR Hard File Link Created (Windows Event Log)
- Time Provider Persistence Registry
- Unusual winlogon.exe Child Process (Sysmon)
- Unusual winlogon.exe Child Process (Windows Event Log)
- Windows Audit Policy Auditing Option Modified - Registry
- Windows Autostart Execution LSASS Driver Registry Modification
- Windows Boot or Logon Autostart Execution In Startup Folder
- Windows NorthStar C2 Agent Execution
- Windows PowerShell MSIX Package Installation
- Windows Registry BootExecute Modification
- Windows Registry Modification for Safe Mode Persistence
- Windows Security Support Provider Reg Query
- Windows Snake Malware Kernel Driver Comadmin
- Windows Snake Malware Service Create
- Windows Unsigned MS DLL Side-Loading
- WinLogon Registry Key Modified (PowerShell)
- WinLogon Registry Key Modified (Sysmon)
- Wow6432Node Classes Autorun Keys Modification (PowerShell)
- Wow6432Node Classes Autorun Keys Modification (Sysmon)
- Wow6432Node Classes Autorun Keys Modification (Windows Event Log)
Kusto 7 rules
- Detect Print Processors Registry Driver Key Creation/Modification
- Detect Registry Run Key Creation/Modification
- Imminent Ransomware
- Midnight Blizzard - suspicious rundll32.exe execution of vbscript
- Midnight Blizzard - suspicious rundll32.exe execution of vbscript (Normalized Process Events)
- Powershell Empire Cmdlets Executed in Command Line
- Registry Run Keys - Suspicious Registry Run Keys
YARA-L 9 rules
- CurrentControlSet Autorun Keys Modification
- CurrentVersion Autorun Keys Modification
- Default RDP Port Changed to Non Standard Port
- Direct Autorun Keys Modification
- Modify User Shell Folders Startup Value
- New RUN Key Pointing to Suspicious Folder
- Potential Suspicious Activity Using SeCEdit
- Session Manager Autorun Keys Modification
- Suspicious Powershell In Registry Run Keys