T1547.001 (status: Defined) · ATT&CK T1547.001

Boot/Logon Autostart Execution: Registry Run Keys

Process → Create → RegistryKey. Create or modify a Windows registry autostart key to cause attacker-controlled code to execute at boot or logon.

Ontological Definition
  Actor: Process
  Action: Create
  Artifact: RegistryKey

Detect

STP 5

The autostart key path is fixed and finite. A rule matching reg_key.path against known autostart locations with activity_id = Create/Set is STP 5 and tool-agnostic.

Gate on: activity_id = Create or Set

Maintain an allowlist of expected autostart entries per system baseline. Alert on any Create or Set activity to autostart key paths not in the baseline, regardless of actor process.

Mitigate

STP 3

Restricting write access to autostart registry keys to privileged accounts reduces the attacker population that can use the technique, but does not block it for an attacker who already holds sufficient privilege.

D3FEND controls: d3f:SystemConfigurationPermissions

No STP 5 mitigation exists. Detection is the primary defensive lever.

Apply ACLs to autostart registry locations restricting writes to SYSTEM and administrators. Application control preventing unknown binaries from executing is a complementary STP 5 control on the execution side.

Respond

Created

A new artifact was created and may persist beyond this session. Delete it immediately. Check for related persistence entries, scheduled tasks, and outbound callbacks originating from it.

Attacker foothold
  Writing Process (actor.process)
  Running Account (actor.user)
D3FEND response actions
  d3f:ProcessTermination, d3f:AccountLocking, d3f:NetworkIsolation
OCSF event model

Event class: Registry Key Activity (201001)  ·  activity_id: Create or Set

Legend: attacker-controlled · post-success · victim · tainted
%%{init: {"theme": "dark", "themeVariables": {"edgeLabelBackground": "#18181b", "lineColor": "#52525b"}}}%%
graph TD
  classDef attacker fill:#7c2d12,stroke:#ea580c,color:#fed7aa
  classDef victim fill:#1e3a5f,stroke:#3b82f6,color:#bfdbfe
  classDef postSuccess fill:#78350f,stroke:#d97706,color:#fde68a
  classDef tainted fill:#18181b,stroke:#52525b,color:#a1a1aa

  EVENT(["Registry Key Activity\n· Create or Set"])

  actor_process["Writing Process\nactor.process\nd3f:Process"]:::attacker
  actor_user["Running Account\nactor.user\nd3f:UserAccount"]:::attacker
  reg_key["Autostart Registry Key\nreg_key\nd3f:RegistryKey"]:::victim
  device["Host\ndevice\nd3f:Host\n⚠ tainted"]:::tainted

  EVENT --> actor_process
  actor_process --> actor_user
  EVENT --> reg_key
  EVENT --> device

  actor_process -.->|"writes autostart entry to"| reg_key
Writing Process (actor.process · d3f:Process) [attacker-controlled]
  actor.process.file.path [attacker_controlled]: Process writing the key (reg.exe, PowerShell, etc.) — Execution Medium, attacker-chosen
  Countermeasures: d3f:ProcessTermination

Running Account (actor.user · d3f:UserAccount) [attacker-controlled]
  Countermeasures: d3f:AccountLocking

Autostart Registry Key (reg_key · d3f:RegistryKey) [victim]
  reg_key.path [variable]: Autostart key path — victim-side, constrained to a finite known set by Windows
  reg_key.value [attacker_controlled]: Payload path written into the autostart entry — attacker-chosen
  Countermeasures: d3f:SystemConfigurationPermissions

Host (device · d3f:Host) [tainted]
  Countermeasures: d3f:NetworkIsolation
Definitional Sigma rule

Broad by design — defines the technique, not an operational alert. Gate on variable or attacker-controlled field conditions to narrow for production use.

title: Boot/Logon Autostart Execution: Registry Run Keys (T1547.001)
status: experimental
description: >
  Definitional rule — broad by design. Defines the technique independent of
  medium, tool, or attacker-controlled variables. Narrow with variable and
  attacker-controlled field conditions for operational use.
logsource:
  product: ocsf
  category: Registry Key Activity (201001)
detection:
  selection:
    activity_id:
      - 'Create'
      - 'Set'
  condition: selection
Execution Medium–scoped detection (STP 3 ceiling)

Sample rules — not canonical definitions. Each constrains detection to a specific Execution Medium and has a hard STP 3 ceiling. The attacker switches Execution Medium; the rule misses. Compare with the definitional rule above.

STP 3

Gating on actor.process.file.name = reg.exe has a hard STP 3 ceiling. Evaded by using PowerShell, a custom binary, or any other process that can call RegSetValueEx. The autostart key write is unchanged.

title: Registry Run Keys — reg.exe CLI medium (sample)
status: experimental
description: >
  Sample — STP 3 ceiling. Detects reg.exe writing to a Run or RunOnce autostart
  key. Evaded by switching to PowerShell, a custom binary, or any other Execution Medium.
logsource:
  product: ocsf
  category: Registry Key Activity (201001)
detection:
  selection:
    activity_id:
      - 'Create'
      - 'Set'
    reg_key.path|contains:
      - '\CurrentVersion\Run'
      - '\CurrentVersion\RunOnce'
    actor.process.file.name: 'reg.exe'
  condition: selection
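The tool-agnostic baseline rule from the Detect section and the reg.exe-scoped sample rule above, run side by side over constructed OCSF-style events so the STP 3 ceiling is visible (added example, not code from this page or any project; AUTOSTART_SUFFIXES, BASELINE and the sample event dictionaries are constructed assumptions, and field names follow this page's event model):

```python
# Baseline-allowlist detection for autostart key writes over OCSF-style events
# (constructed example; field names follow this page's event model).

# Constructed subset of the finite Windows autostart key set, matched as a
# case-insensitive suffix of reg_key.path.
AUTOSTART_SUFFIXES = (r"\currentversion\run", r"\currentversion\runonce")

HKCU_RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
HKLM_RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed per-host baseline: (key path, payload) pairs expected on ws01.
BASELINE = {(HKLM_RUN.lower(), r"c:\program files\vendor\agent.exe")}

def is_autostart_key(path):
    """True when the key path ends in one of the known autostart locations."""
    return path.lower().rstrip("\\").endswith(AUTOSTART_SUFFIXES)

def definitional_alerts(events):
    """STP 5 rule: gate on Create/Set, match the key path against the finite
    autostart set, alert when the entry is not baselined. Actor is ignored."""
    alerts = []
    for ev in events:
        if ev["activity_name"] not in ("Create", "Set"):
            continue
        path, value = ev["reg_key"]["path"], ev["reg_key"]["value"]
        if not is_autostart_key(path) or (path.lower(), value.lower()) in BASELINE:
            continue
        alerts.append({"host": ev["device"]["hostname"], "path": path, "value": value,
                       "actor": ev["actor"]["process"]["file"]["name"]})
    return alerts

def medium_scoped_alerts(events):
    """STP 3 sample rule: same gate, but also requires reg.exe as the writer."""
    return [a for a in definitional_alerts(events) if a["actor"].lower() == "reg.exe"]

def _event(proc, activity, path, value, host="ws01"):
    return {"device": {"hostname": host}, "activity_name": activity,
            "actor": {"process": {"file": {"name": proc}}},
            "reg_key": {"path": path, "value": value}}

# Constructed sample: one Run-key write via reg.exe, the same write via
# PowerShell, a baselined vendor entry, and an unrelated key write.
SAMPLE_EVENTS = [
    _event("reg.exe", "Set", HKCU_RUN, r"C:\Users\bob\AppData\Roaming\updater.exe"),
    _event("powershell.exe", "Set", HKCU_RUN, r"C:\Users\bob\AppData\Local\Temp\svc.exe"),
    _event("setup.exe", "Set", HKLM_RUN, r"C:\Program Files\Vendor\agent.exe"),
    _event("powershell.exe", "Create", r"HKCU\Software\Vendor\Settings", ""),
]
```

The definitional rule raises two alerts (reg.exe and PowerShell writers); the medium-scoped rule raises only the reg.exe one and misses the identical PowerShell write.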
Seen in the wild (1 report)

VBCloud backdoor establishes persistence by writing the main loader path to HKCU\Software\Microsoft\Windows\CurrentVersion\Run under the key YandexBrowser_setup — a textbook Registry Run Key persistence instance.