Boot or Logon Autostart Execution (T1547)
Tactics: Persistence, Privilege Escalation
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon. These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
Events covered
34 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 202 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (95 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (1952 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition to get a useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.
Exclusions (827 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.
Sigma 72 rules
- Add Port Monitor Persistence in Registry
- Atbroker Registry Change
- Bypass UAC Using Event Viewer
- Classes Autorun Keys Modification
- Common Autorun Keys Modification
- Creation Exe for Service with Unquoted Path
- CurrentControlSet Autorun Keys Modification
- CurrentVersion Autorun Keys Modification
- CurrentVersion NT Autorun Keys Modification
- Default RDP Port Changed to Non Standard Port
- Desktop.INI Created by Uncommon Process
- Direct Autorun Keys Modification
- DLL Load via LSASS
- File Creation In Suspicious Directory By Msdt.EXE
- Forest Blizzard APT - Custom Protocol Handler Creation
- Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
- Internet Explorer Autorun Keys Modification
- Kapeka Backdoor Autorun Persistence
- Kernel Extension Loaded from Temporary Directory
- Leviathan Registry Key Activity
- Loading of Kernel Module via Insmod
- macOS Configuration Profile Installation
- MITRE BZAR Indicators for Persistence
- Modify User Shell Folders Startup Value
- Narrator's Feedback-Hub Persistence
- New Custom Shim Database Created
- New RUN Key Pointing to Suspicious Folder
- New TimeProviders Registered With Uncommon DLL Name
- NTFS hard link creation
- NTFS symbolic link configuration change
- NTFS symbolic link creation
- Office Autorun Keys Modification
- Potential KamiKakaBot Activity - Winlogon Shell Persistence
- Potential Persistence Attempt Via Run Keys Using Reg.EXE
- Potential RipZip Attack on Startup Folder
- Potential Ryuk Ransomware Activity
- Potential Startup Shortcut Persistence Via PowerShell.EXE
- Potential Suspicious Activity Using SeCEdit
- Print spooler privilege escalation via printer added (CVE-2020-1048)
- Registry Persistence Mechanisms in Recycle Bin
- Registry Persistence via Explorer Run Key
- Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace
- Security package (SSP) added (Reg via command)
- Security package (SSP) loaded into LSA (native)
- Security Support Provider (SSP) Added to LSA Configuration
- Session Manager Autorun Keys Modification
- Startup Folder File Write
- Startup/Logon Script Added to Group Policy Object
- Suspicious Autorun Registry Modified via WMI
- Suspicious Driver Install by pnputil.exe
- Suspicious GrpConv Execution
- Suspicious PowerShell In Registry Run Keys
- Suspicious Run Key from Download
- Suspicious Startup Folder Persistence
- Suspicious VBScript UN2452 Pattern
- System Scripts Autorun Keys Modification
- SystemNightmare by GentilKiwi - External printer mapped (CVE-2021-1675 / CVE-2021-34527)
- SystemNightmare by GentilKiwi - New external device added (CVE-2021-1675 / CVE-2021-34527)
- Unsigned Kernel Extension Load Attempt
- User Shell Folders Registry Modification via CommandLine
- VBScript Payload Stored in Registry
- Windows Event Log Access Tampering Via Registry
- Windows Network Access Suspicious desktop.ini Action
- Windows Terminal Profile Settings Modification By Uncommon Process
- WINEKEY Registry Modification
- Winlogon Helper DLL
- Winlogon Notify Key Logon Persistence
- WinRAR Creating Files in Startup Locations
- WinSock2 Autorun Keys Modification
- Wow6432Node Classes Autorun Keys Modification
- Wow6432Node CurrentVersion Autorun Keys Modification
- Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
Elastic 50 rules
- Attempt to Unload Elastic Endpoint Security Kernel Extension
- Authorization Plugin Modification
- BPF Program or Map Load via bpftool
- Creation of Hidden Login Item via Apple Script
- Executable Bit Set for Potential Persistence Script
- Execution of Persistent Suspicious Program
- First Time Seen Driver Loaded
- Installation of Security Support Provider
- KDE AutoStart Script or Desktop File Creation
- Kernel Driver Load
- Kernel Driver Load by non-root User
- Kernel Load or Unload via Kexec Detected
- Kernel Module Load from Unusual Location
- Kernel Module Load via Built-in Utility
- Kernel Module Removal
- Kernel Object File Creation
- Lateral Movement via Startup Folder
- Loadable Kernel Module Configuration File Creation
- Mimikatz Memssp Log File Detected
- Network Connections Initiated Through XDG Autostart Entry
- Persistence via a Hidden Plist Filename
- Persistence via a Windows Installer
- Persistence via DirectoryService Plugin Modification
- Persistence via Docker Shortcut Modification
- Persistence via Hidden Run Key Detected
- Persistence via Suspicious Launch Agent or Launch Daemon
- Persistence via WMI Standard Registry Provider
- Persistent Scripts in the Startup Directory
- Pod or Container Creation with Suspicious Command-Line
- Potential LSA Authentication Package Abuse
- Potential Persistence via File Modification
- Potential Persistence via Login Hook
- Potential Persistence via Mandatory User Profile
- Potential Persistence via Time Provider Modification
- Potential Port Monitor or Print Processor Registration Abuse
- Potential PowerShell HackTool Script by Function Names
- Potential REMCOS Trojan Execution
- Shortcut File Written or Modified on Startup Folder
- Startup Folder Persistence via Unsigned Process
- Startup or Run Key Registry Modification
- Startup Persistence by a Suspicious Process
- Startup/Logon Script added to Group Policy Object
- Suspicious File Creation via Kworker
- Suspicious Modprobe File Event
- Suspicious Module Loaded by LSASS
- Suspicious Startup Shell Folder Modification
- Suspicious Usage of bpf_probe_write_user Helper
- Tainted Kernel Module Load
- Tainted Out-Of-Tree Kernel Module Load
- Uncommon Registry Persistence Change
Splunk 61 rules
- Active Setup Registry Autostart
- Add DLL_EXE Registry Value (Sysmon)
- Additional dll added to Spool Driver (Sysmon)
- Additional dll added to Spool Driver (Windows Event Log)
- Execution from Startup Folder (Sysmon)
- Execution from Startup Folder (Windows Event Log)
- File Written to Startup Folder - Windows (Sysmon)
- File Written to Startup Folder - Windows (Windows Event Log)
- Linux Auditd Insert Kernel Module Using Insmod Utility
- Linux Auditd Install Kernel Module Using Modprobe Utility
- Linux Auditd Kernel Module Using Rmmod Utility
- Linux Auditd Unload Module Via Modprobe
- Linux File Created In Kernel Driver Directory
- Linux Insert Kernel Module Using Insmod Utility
- Linux Install Kernel Module Using Modprobe Utility
- LSA Authentication Packages Registry Key Modified (PowerShell)
- LSA Authentication Packages Registry Key Modified (Sysmon)
- LSA Authentication Packages Registry Key Modified (Windows Event Log)
- Monitor Registry Keys for Print Monitors
- New AutoRun Registry Key (PowerShell)
- Potential LSA password filter (PowerShell)
- Potential LSA password filter (Windows Event Log)
- Potential Proxy Malware via AutoRun Key (PowerShell)
- Potential Proxy Malware via AutoRun Key (Sysmon)
- Potential Proxy Malware via AutoRun Key (Windows Event Log)
- Print Processor Registry Autostart
- Print Spooler Adding A Printer Driver
- Print Spooler Failed to Load a Plug-in
- Rare dll called by Spoolsv.exe (Windows Event Log)
- Registry Keys Used For Persistence
- Shortcut Created in Startup Folder - Windows (PowerShell)
- Spoolsv Spawning Rundll32
- Spoolsv Suspicious Loaded Modules
- Spoolsv Writing a DLL
- Spoolsv Writing a DLL - Sysmon
- Startup Folder Location Modified - Windows (PowerShell)
- Startup Folder Location Modified - Windows (Sysmon)
- Startup Folder Location Modified - Windows (Windows Event Log)
- Suspicious Registry Key Created (PowerShell)
- Suspicious Registry Key Created (Windows Event Log)
- Symbolic OR Hard File Link Created (PowerShell)
- Symbolic OR Hard File Link Created (Windows Event Log)
- Time Provider Persistence Registry
- Unusual winlogon.exe Child Process (Sysmon)
- Unusual winlogon.exe Child Process (Windows Event Log)
- Windows Audit Policy Auditing Option Modified - Registry
- Windows Autostart Execution LSASS Driver Registry Modification
- Windows Boot or Logon Autostart Execution In Startup Folder
- Windows NorthStar C2 Agent Execution
- Windows PowerShell MSIX Package Installation
- Windows Registry BootExecute Modification
- Windows Registry Modification for Safe Mode Persistence
- Windows Security Support Provider Reg Query
- Windows Snake Malware Kernel Driver Comadmin
- Windows Snake Malware Service Create
- Windows Unsigned MS DLL Side-Loading
- WinLogon Registry Key Modified (PowerShell)
- WinLogon Registry Key Modified (Sysmon)
- Wow6432Node Classes Autorun Keys Modification (PowerShell)
- Wow6432Node Classes Autorun Keys Modification (Sysmon)
- Wow6432Node Classes Autorun Keys Modification (Windows Event Log)
Kusto 9 rules
- Cross-Cloud Suspicious Compute resource creation in GCP
- Cross-Cloud Suspicious user activity observed in GCP Envourment
- Detect Print Processors Registry Driver Key Creation/Modification
- Detect Registry Run Key Creation/Modification
- Imminent Ransomware
- Midnight Blizzard - suspicious rundll32.exe execution of vbscript
- Midnight Blizzard - suspicious rundll32.exe execution of vbscript (Normalized Process Events)
- Powershell Empire Cmdlets Executed in Command Line
- Registry Run Keys - Suspicious Registry Run Keys
YARA-L 9 rules
- CurrentControlSet Autorun Keys Modification
- CurrentVersion Autorun Keys Modification
- Default RDP Port Changed to Non Standard Port
- Direct Autorun Keys Modification
- Modify User Shell Folders Startup Value
- New RUN Key Pointing to Suspicious Folder
- Potential Suspicious Activity Using SeCEdit
- Session Manager Autorun Keys Modification
- Suspicious Powershell In Registry Run Keys