Boot or Logon Autostart Execution T1547

Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon. These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.

Events covered

32 catalog events are tagged with this technique by at least one rule.

ProviderEventTitle
SysmonEvent ID 1Process creation
SysmonEvent ID 5Process terminated
SysmonEvent ID 7Image loaded
SysmonEvent ID 11FileCreate
SysmonEvent ID 12RegistryEvent (Object create and delete)
SysmonEvent ID 13RegistryEvent (Value Set)
SysmonEvent ID 14RegistryEvent (Key and Value Rename)
SysmonEvent ID 23FileDelete (File Delete archived)
SysmonEvent ID 26FileDeleteDetected (File Delete logged)
Security-AuditingEvent ID 4622A security package has been loaded by the Local Security Authority.
Security-AuditingEvent ID 4648A logon was attempted using explicit credentials.
Security-AuditingEvent ID 4656A handle to an object was requested.
Security-AuditingEvent ID 4657A registry value was modified.
Security-AuditingEvent ID 4660An object was deleted.
Security-AuditingEvent ID 4663An attempt was made to access an object.
Security-AuditingEvent ID 4664An attempt was made to create a hard link.
Security-AuditingEvent ID 4688A new process has been created.
Security-AuditingEvent ID 4689A process has exited.
Security-AuditingEvent ID 5136A directory service object was modified.
Security-AuditingEvent ID 5145A network share object was checked to see whether client can be granted desired access.
Security-AuditingEvent ID 6416A new external device was recognized by the system.
Defender-DeviceRegistryEventsanyRegistry activity (any)
Defender-DeviceRegistryEventsRegistryKeyDeletedRegistry key deleted
Defender-DeviceRegistryEventsRegistryValueSetRegistry value set
Defender-DeviceRegistryEventsRegistryValueDeletedRegistry value deleted
PowerShellEvent ID 4103Payload Context: ContextInfo User Data: UserData.
PowerShellEvent ID 4104Creating Scriptblock text (MessageNumber of MessageTotal).
PrintServiceEvent ID 316Printer driver param1 for param2 param3 was added or updated.
PrintServiceEvent ID 808The print spooler failed to load a plug-in module PluginDllName, error code ErrorCode.
PrintServiceEvent ID 4909Print Service event 4909 (manifest stub).
PowerShellEvent ID 800Event ID 800
Service-Control-ManagerEvent ID 7045A service was installed in the system.

Authoring guide

Patterns shared across the 154 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (66 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
TargetObject57contains 36, ends_with 20, wildcard 10, regex_match 2, eq 1\software\microsoft\windows\currentversion\run, \software\microsoft\windows\currentversion\policies\explorer\run, \\software\\microsoft\\windows\\currentversion\\policies\..., \\software\\microsoft\\windows\\currentversion\\run, \\software\\wow6432node\\microsoft\\windows\\currentversion\\run
Details39eq 19, contains 13, ends_with 10, is_null 8, starts_with 4, length_compare 2, is_not_null 1, regex_match 1(Empty), .dll, -encodedcommand , -noni , -noninteractive
Image39ends_with 27, eq 16, starts_with 9, contains 4, is_null 2, regex_match 2, wildcard 1\reg.exe, \appdata\roaming\spotify\spotify.exe, \net.exe, \net1.exe, \officeclicktorun.exe
EventID38eq 384104, 4688, 4103, 13, 1
CommandLine22contains 20, regex_match 2, in 1, match 1 add , /cfg, /configure, /db, execute
TargetFilename20contains 12, ends_with 5, wildcard 5, starts_with 2, eq 1, regex_match 1\start menu\programs\startup\, ?:\programdata\microsoft\windows\start menu\programs\startup\*, ?:\users\*\appdata\roaming\microsoft\windows\start..., \\spool\\drivers\\x64\\, \microsoft\windows\start menu\programs\startup
event.type14eq 12, in 2, ne 1change, creation, deletion, start
process_name11eq 8, match 2, in 1(?i)\qmicrosoft\windows\start menu\programs\startup\e, spoolsv.exe, explorer.exe, msiexec.exe, mstsc.exe
registry_path11contains 7, ends_with 2, in 2, regex_match 1*SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\*, *SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\*, *\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt, *\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt, HKEY_LOCAL_MACHINE\\SYSTEM\\[A-Za-z0-9]*ControlSet[A-Za-z...
EventType8eq 6, in 2RegistryValueSet, RegistryKeyCreated, DeleteValue, RenameKey, SetValue
OriginalFileName8eq 7, in 1reg.exe, cscript.exe, installutil.exe, msbuild.exe, northstarstager.exe
Type8eq 8
parent_process_name7eq 2, match 2, regex_match 2, in 1(?i)\QMicrosoft\Windows\Start Menu\Programs\StartUp\E, (?i)winlogon\.exe, cmd.exe, excel.exe, explorer.exe
registry_value_name6eq 5, in 1*\\Common Files\\*.dll, *\\Common Files\\*.exe, *\\Temp\\*.dll, AuditBaseDirectories, AuditBaseObjects
AccessList3contains 3%%4417, addsubdirectory, appenddata, delete

Top indicator values (1132 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

FieldKindValueRules (here)Corpus reach
Detailseq
(Empty)
1424
EventIDeq
4104
10268
EventIDeq
4688
10312
EventIDeq
4103
6105
EventIDeq
13
422
EventIDeq
1
3232
EventIDeq
11
323
EventIDeq
12
39
event.typeeq
change
946
Detailsends_with
.dll
58
Imageends_with
\officeclicktorun.exe
511
Imageends_with
\reg.exe
460
Imageends_with
\powershell.exe
3186
Imageends_with
\pwsh.exe
3172
Imagestarts_with
c:\program files\common files\microsoft shared\clicktorun\
58
Imagestarts_with
c:\program files\common files\microsoft shared\clicktorun\updates\
45
Imageeq
c:\program files (x86)\microsoft office\root\integration\integrator.exe
47
Imageeq
c:\program files\microsoft office\root\integration\integrator.exe
47
Imageeq
c:\windows\system32\msiexec.exe
312
Imageeq
c:\windows\system32\poqexec.exe
37
TargetObjectcontains
\software\microsoft\windows\currentversion\policies\explorer\run
44
TargetObjectcontains
\software\microsoft\windows\currentversion\run
44
CommandLinecontains
add
315
CommandLinecontains
\software\microsoft\windows\currentversion\policies\explorer\run
33
CommandLinecontains
\software\microsoft\windows\currentversion\run
34
CommandLinecontains
\software\wow6432node\microsoft\windows\currentversion\run
33
CommandLinecontains
execute
35
CommandLinecontains
regread
35
CommandLinecontains
window.close
35
Detailscontains
powershell
310

Exclusions (512 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

FieldKindValueRules excluding
Detailseq
(Empty)
17
Detailseq
cpwmon64_v40.dll
3
Detailseq
ctfmon.exe /n
3
Detailseq
{472083B0-C522-11CF-8763-00608CC02F24}
3
Detailseq
C:\Windows\SYSTEM32\w32time.DLL
2
Imageends_with
\officeclicktorun.exe
5
Imagestarts_with
c:\program files\common files\microsoft shared\clicktorun\
5
Imagestarts_with
c:\program files\common files\microsoft shared\clicktorun\updates\
4
Imageeq
c:\program files (x86)\microsoft office\root\integration\integrator.exe
4
Imageeq
c:\program files\microsoft office\root\integration\integrator.exe
4
Imageeq
c:\windows\system32\msiexec.exe
3
Imageeq
c:\windows\system32\poqexec.exe
3
user.ideq
S-1-5-18
3
Detailscontains
rundll32.exe
2
Detailsends_with
.exe" /burn.runonce
2

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 67 rules

Elastic 17 rules

Splunk 54 rules

Kusto 7 rules

YARA-L 9 rules