Sub-technique: T1547.001 - Registry Run Keys / Startup Folder
Objective: Detect persistence mechanisms using registry run keys or startup folders.
Registry Run Key Modifications
DeviceRegistryEvents
| where RegistryKey has_any ("Run", "RunOnce", "Startup")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessFileName
Purpose: Detect modifications to registry run keys.
Startup Folder File Additions
DeviceFileEvents
| where FolderPath endswith "Startup"
| project Timestamp, DeviceName, FileName, FolderPath, ActionType, InitiatingProcessAccountName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, InitiatingProcessParentFileName
Purpose: Monitor new files added to the startup folder.
Detect Registry Changes for Auto-Start Programs
DeviceRegistryEvents
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
// Defender reports the full hive name (HKEY_CURRENT_USER, with the user's SID in the key path), so a literal "HKCU\..." prefix never matches
| where RegistryKey startswith "HKEY_CURRENT_USER" and RegistryKey endswith @"\Microsoft\Windows\CurrentVersion\Run"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData
Purpose: Monitor changes to registry keys that control auto-start programs.
Monitor for Suspicious StartUp Folder Activity
DeviceFileEvents
| where FolderPath endswith "Startup"
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName, ActionType
| order by Timestamp desc
Purpose: Detect suspicious file creation in the startup folder.
Detect DLLs Added to Startup
DeviceFileEvents
| where FolderPath endswith "Startup" and FileName endswith ".dll"
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName, ActionType
| order by Timestamp desc
Purpose: Identify DLL files added to startup folders.
Registry Persistence via RunOnce Key
DeviceRegistryEvents
| where RegistryKey has "RunOnce"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessFileName
Purpose: Monitor the RunOnce registry key for persistence.
Detect Hidden Files in Startup Folder
DeviceFileEvents
// DeviceFileEvents carries no file-attribute column, so a dot-prefixed name is used as the proxy for a hidden file
| where FolderPath endswith "Startup" and FileName startswith "."
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName, ActionType, InitiatingProcessCommandLine
| order by Timestamp desc
Purpose: Identify hidden files in startup folders.
Monitor Registry Modifications by Non-Admins
DeviceRegistryEvents
// Comparing the account name to "Administrator" only excludes the built-in account; the process integrity level shows whether the writer was actually elevated
| where RegistryKey has_any ("Run", "RunOnce", "Startup") and InitiatingProcessIntegrityLevel !in ("High", "System")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, InitiatingProcessAccountName, InitiatingProcessIntegrityLevel, InitiatingProcessCommandLine, InitiatingProcessFileName
Purpose: Detect registry modifications by non-administrative users.
Detect Changes to Windows Startup Programs
DeviceRegistryEvents
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
// Defender reports the full hive name (HKEY_LOCAL_MACHINE), so a literal "HKLM\..." prefix never matches; the endswith also covers the WOW6432Node copy of the key
| where RegistryKey startswith "HKEY_LOCAL_MACHINE" and RegistryKey endswith @"\Microsoft\Windows\CurrentVersion\Run"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName
Purpose: Monitor for changes to startup programs in the registry.
Monitor Startup Folder for Script Files
DeviceFileEvents
| where FolderPath endswith "Startup" and (FileName endswith ".bat" or FileName endswith ".vbs" or FileName endswith ".ps1")
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName, ActionType, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessFolderPath
| order by Timestamp desc
Purpose: Detect script files added to startup folders.
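The registry Run/RunOnce checks and the Startup-folder checks on this page, re-implemented as an added example in Python (not part of the original hunting page) over constructed DeviceRegistryEvents and DeviceFileEvents-style rows, so the matching rules can be exercised offline. Column names and ActionType values are assumed from the Defender Advanced Hunting schema; every row, SID and path is constructed sample data. It goes slightly beyond the KQL above by anchoring on the full hive name with an embedded user SID, judging "non-admin" by process integrity level rather than account name, and rejecting folders that merely happen to be named Startup.

```python
"""Added example: the Run-key and Startup-folder rules above, run over constructed
DeviceRegistryEvents / DeviceFileEvents-style rows. Column names and ActionType
values are assumed from the Defender Advanced Hunting schema; all data is constructed."""
import re
from typing import Optional

# Auto-start keys in either hive. Defender reports the full hive name, and per-user
# keys carry the user's SID, so the rule anchors on the key's tail instead of a
# literal "HKCU\..." prefix. WOW6432Node covers the 32-bit software view.
RUN_KEY_RE = re.compile(
    r"^(?P<hive>HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\"
    r"(?:S-1-5-[\d-]+\\)?SOFTWARE\\(?:WOW6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)$",
    re.IGNORECASE,
)
# Per-user and all-users Startup folders both end in this path; a folder that merely
# happens to be named "Startup" (e.g. on a desktop) is not matched.
STARTUP_FOLDER_RE = re.compile(r"\\Start Menu\\Programs\\Startup$", re.IGNORECASE)
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".ps1", ".js", ".hta")
ELEVATED = {"High", "System"}


def flag_registry_event(ev: dict) -> Optional[str]:
    """Label a DeviceRegistryEvents-style row, or return None if it is not a run-key write."""
    if ev.get("ActionType") not in ("RegistryValueSet", "RegistryKeyCreated"):
        return None  # deletions and renames are not persistence writes
    m = RUN_KEY_RE.match(ev.get("RegistryKey", ""))
    if not m:
        return None
    key = "RunOnce" if m.group("key").lower() == "runonce" else "Run"
    label = f"{m.group('hive').upper()}:{key}"
    # "Non-admin" is judged by the writer's integrity level, not by the account name:
    # a member of Administrators is rarely literally called "Administrator".
    if ev.get("InitiatingProcessIntegrityLevel") not in ELEVATED:
        label += ":non-admin"
    return label


def flag_file_event(ev: dict) -> Optional[str]:
    """Label a DeviceFileEvents-style row, or return None if it is not a Startup-folder write."""
    if ev.get("ActionType") not in ("FileCreated", "FileModified", "FileRenamed"):
        return None
    if not STARTUP_FOLDER_RE.search(ev.get("FolderPath", "")):
        return None
    name = ev.get("FileName", "").lower()
    # The row carries no file attributes, so a dot-prefixed name is the only "hidden" signal.
    if name.startswith("."):
        return "startup:dotfile"
    if name.endswith(".dll"):
        return "startup:dll"
    if name.endswith(SCRIPT_EXTS):
        return "startup:script"
    return "startup:other"


def run_detections(registry_events, file_events):
    """Apply both rules; return (Timestamp, DeviceName, label, detail) tuples, newest first."""
    hits = []
    for ev in registry_events:
        label = flag_registry_event(ev)
        if label:
            detail = f"{ev.get('RegistryValueName')} = {ev.get('RegistryValueData')}"
            hits.append((ev["Timestamp"], ev["DeviceName"], label, detail))
    for ev in file_events:
        label = flag_file_event(ev)
        if label:
            hits.append((ev["Timestamp"], ev["DeviceName"], label, ev["FolderPath"] + "\\" + ev["FileName"]))
    return sorted(hits, key=lambda h: h[0], reverse=True)


# Constructed sample rows (SIDs, paths and names are made up for the example).
def _reg(ts, key, action="RegistryValueSet", integrity="Medium"):
    return {"Timestamp": ts, "DeviceName": "ws01", "ActionType": action, "RegistryKey": key,
            "RegistryValueName": "Updater", "RegistryValueData": r"C:\Users\alice\AppData\Roaming\upd.exe",
            "InitiatingProcessIntegrityLevel": integrity}


def _file(ts, folder, name, action="FileCreated"):
    return {"Timestamp": ts, "DeviceName": "ws01", "ActionType": action, "FolderPath": folder, "FileName": name}


HKCU = r"HKEY_CURRENT_USER\S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion"
HKLM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
USER_STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
ALL_STARTUP = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

SAMPLE_REGISTRY_EVENTS = [
    _reg("2024-01-10T09:12:00Z", HKCU + r"\Run"),                             # per-user Run key, medium integrity
    _reg("2024-01-10T08:30:00Z", HKLM + r"\RunOnce", integrity="High"),       # elevated installer
    _reg("2024-01-10T08:45:00Z", HKCU + r"\Explorer\RunMRU"),                 # Run-dialog history, not a run key
    _reg("2024-01-10T10:00:00Z", HKCU + r"\Run", action="RegistryValueDeleted"),
]
SAMPLE_FILE_EVENTS = [
    _file("2024-01-10T09:40:00Z", USER_STARTUP, "sync.vbs"),
    _file("2024-01-10T07:55:00Z", ALL_STARTUP, "helper.dll"),
    _file("2024-01-10T09:50:00Z", r"C:\Users\bob\Desktop\Startup", "notes.txt"),  # wrong folder, same name
    _file("2024-01-10T11:00:00Z", USER_STARTUP, "old.bat", action="FileDeleted"),
    _file("2024-01-10T09:55:00Z", USER_STARTUP, ".cache.ps1"),
]

if __name__ == "__main__":
    for hit in run_detections(SAMPLE_REGISTRY_EVENTS, SAMPLE_FILE_EVENTS):
        print(*hit, sep="  ")
```

The two `flag_*` functions are the rule logic; `run_detections` plays the role of the `project` and `order by Timestamp desc` steps. Swapping the constructed lists for rows exported from Advanced Hunting is enough to replay the rules against real data.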