MITRE ATT&CK
Boot or Logon Autostart persistence involves modifying Windows settings so that malicious code executes when the system starts or a user logs in. This is most often achieved through registry Run keys or Startup folders. Attackers use this method to keep their access even after a reboot.
How Attackers Use It
- Registry Keys: Attackers add malicious executables or scripts to registry locations that execute at startup, such as:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run (persists for all users)
HKCU\Software\Microsoft\Windows\CurrentVersion\Run (persists for the current user)
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce (executes once at next reboot)
- Startup Folder: Dropping a malicious executable or script into:
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ (user-level persistence)
%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\ (system-wide persistence)
Detection
⭐ Windows Event Logs:
- Event ID 4688 – Tracks process creation; useful for detecting execution from suspicious startup locations.
- Event ID 4657 – Monitors registry value modifications (requires registry auditing).
⭐ Sysmon:
- Event ID 12 – Registry object creation/modification (tracks Run key changes).
- Event ID 13 – Registry value modifications (detects changes to Run/RunOnce keys).
- Event ID 1 – Process creation (helps identify execution of startup programs).
Threat Hunting
- Monitor new entries in common persistence registry keys (Run, RunOnce)
- Track file creation and modifications in user and system Startup folders
- Correlate registry changes with unknown or suspicious process execution
- Investigate unsigned or anomalous binaries running from startup locations
- Review RunOnce keys for stealthy one-time execution malware
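The hunting steps above, as an added Python example that is not part of these notes: it scans Sysmon EventData records (the field names follow Sysmon's Event ID 13 and Event ID 1 schemas) for Run/RunOnce writes and Startup-folder execution, then correlates each registered command with later process creation. The sample records, SID and file paths are constructed.

```python
"""Hunt Sysmon telemetry for Run/RunOnce autostart writes (Event ID 13) and Startup-folder
execution (Event ID 1), then correlate each registered command with later process creation.
Records are dicts of Sysmon EventData fields; all samples below are constructed, not real."""
import re

# Sysmon logs HKCU writes as HKU\<SID>\..., so HKLM, HKCU and HKU\<SID> prefixes are all accepted.
RUN_KEY_RE = re.compile(
    r"^(?:HKLM|HKCU|HKU\\S-1-5-21-[\d-]+)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
    r"\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$", re.IGNORECASE)
# User (%APPDATA%) and system-wide (%ProgramData%) Startup folders, as resolved on disk.
STARTUP_DIR_RE = re.compile(
    r"^(?:[A-Z]:\\Users\\[^\\]+\\AppData\\Roaming|[A-Z]:\\ProgramData)"
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
EXE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')   # quoted or first token of a command line

def registered_exe(details):
    """Executable path referenced by a Run value's data (quoted path or first token), lowercased."""
    m = EXE_RE.match(details)
    return ((m.group(1) or m.group(2)) if m else "").lower()

def hunt_autostart(events):
    """Return findings for Run/RunOnce writes and Startup-folder process starts, in event order."""
    started = {e.get("Image", "").lower() for e in events if e.get("EventID") == 1}
    findings = []
    for e in events:
        if e.get("EventID") == 13 and (m := RUN_KEY_RE.match(e.get("TargetObject", ""))):
            findings.append({
                "type": "run_key_write", "key": m.group("key"), "value_name": m.group("name"),
                "scope": "machine" if m.group(0).upper().startswith("HKLM") else "user",
                "writer": e.get("Image", ""), "command": e.get("Details", ""),
                "executed": registered_exe(e.get("Details", "")) in started})
        elif e.get("EventID") == 1 and STARTUP_DIR_RE.match(e.get("Image", "")):
            findings.append({"type": "startup_folder_exec", "image": e["Image"],
                             "parent": e.get("ParentImage", "")})
    return findings

SAMPLE_EVENTS = [  # constructed Sysmon records, not real telemetry
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r'"C:\Users\alice\AppData\Roaming\upd.exe" /silent'},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Cleanup",
     "Details": r"C:\ProgramData\vendor\cleanup.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",   # unrelated value write, must be ignored
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\upd.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\sync.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]
```

Feed it the EventData fields your SIEM indexes for Sysmon events; `executed` being true for a user-scope Run write from a Temp-directory installer is the kind of correlated hit worth investigating first.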
Splunk Query