Persistence (TA0003)

Sub-technique: T1547.001 - Registry Run Keys / Startup Folder

Objective: Detect persistence mechanisms using registry run keys or startup folders.

  1. Registry Run Key Modifications

DeviceRegistryEvents
| where RegistryKey has_any ("Run", "RunOnce", "Startup")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessFileName

Purpose: Detect modifications to registry run keys.

  2. Startup Folder File Additions

DeviceFileEvents
| where FolderPath endswith "Startup"
| project Timestamp, DeviceName, FileName, FolderPath, ActionType, InitiatingProcessAccountName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, InitiatingProcessParentFileName

Purpose: Monitor new files added to the startup folder.

  3. Detect Registry Changes for Auto-Start Programs

DeviceRegistryEvents
// Defender for Endpoint records the full hive name in RegistryKey, so match HKEY_CURRENT_USER rather than the HKCU abbreviation
| where RegistryKey startswith @"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData

Purpose: Monitor changes to registry keys that control auto-start programs.

  4. Monitor for Suspicious Startup Folder Activity

DeviceFileEvents
// Restrict to creations so the result set matches the stated purpose (renames and deletes are excluded)
| where FolderPath endswith "Startup" and ActionType == "FileCreated"
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName, ActionType
| order by Timestamp desc

Purpose: Detect suspicious file creation in the startup folder.

  5. Detect DLLs Added to Startup

DeviceFileEvents
| where FolderPath endswith "Startup" and FileName endswith ".dll"
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName, ActionType
| order by Timestamp desc

Purpose: Identify DLL files added to startup folders.

  6. Registry Persistence via RunOnce Key

DeviceRegistryEvents
| where RegistryKey has "RunOnce"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessFileName

Purpose: Monitor the RunOnce registry key for persistence.

  7. Detect Hidden Files in Startup Folder

DeviceProcessEvents
// DeviceFileEvents carries no file-attribute column, so instead look for the hidden attribute being set on an item in a Startup folder
| where FileName =~ "attrib.exe"
| where ProcessCommandLine contains "+h" and ProcessCommandLine contains "Startup"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

Purpose: Identify files in startup folders that have been marked hidden.

  8. Monitor Registry Modifications by Non-Admins

DeviceRegistryEvents
| where RegistryKey has_any ("Run", "RunOnce", "Startup")
// != is case-sensitive and only drops the literal "Administrator"; use the case-insensitive !in~ and also exclude the built-in service accounts
| where InitiatingProcessAccountName !in~ ("Administrator", "SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName

Purpose: Detect registry modifications by non-administrative users.

  9. Detect Changes to Windows Startup Programs

DeviceRegistryEvents
// Match the full hive name that Defender for Endpoint records (not HKLM); the WOW6432Node key covers 32-bit autoruns on 64-bit Windows
| where RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    or RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName

Purpose: Monitor for changes to startup programs in the registry.

  10. Monitor Startup Folder for Script Files

DeviceFileEvents
| where FolderPath endswith "Startup" and (FileName endswith ".bat" or FileName endswith ".vbs" or FileName endswith ".ps1")
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName, ActionType, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessFolderPath
| order by Timestamp desc

Purpose: Detect script files added to startup folders.
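As an added example (not part of the original query set), the following Python replays the same run-key and Startup-folder detection logic offline against constructed Advanced Hunting rows, so the rules can be unit-tested before they are ported to another SIEM. It assumes the column names of the DeviceRegistryEvents and DeviceFileEvents schema, uses a placeholder allowlist of known-good autorun values, and goes slightly beyond the queries above: it anchors on the full hive names (including the WOW6432Node keys), keeps only value-set and key-create actions, and drops the desktop.ini that every Startup folder contains.

```python
"""Offline replay of the T1547.001 hunting logic against constructed
DeviceRegistryEvents / DeviceFileEvents rows (sample data, not real telemetry)."""
import re
from dataclasses import dataclass

# Autorun registry keys written with the full hive names that Defender for
# Endpoint records in RegistryKey; the Wow6432Node variants are included too.
RUN_KEY_RE = re.compile(
    r"^HKEY_(LOCAL_MACHINE|CURRENT_USER)\\SOFTWARE\\(WOW6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)$",
    re.IGNORECASE,
)
STARTUP_FOLDER_RE = re.compile(r"\\Start Menu\\Programs\\Startup$", re.IGNORECASE)
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta")
PRIVILEGED = {"administrator", "system", "local service", "network service"}
# Placeholder allowlist of known-good autorun values (assumption: maintained per environment).
ALLOWLIST = {r"c:\program files\windows defender\msmpeng.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    device: str
    detail: str
    actor: str


def check_registry_event(ev, allowlist=frozenset(ALLOWLIST)):
    """Mirror of the run-key queries: a value written under an autorun key."""
    key = ev.get("RegistryKey", "")
    if not RUN_KEY_RE.match(key):
        return []
    if ev.get("ActionType") not in ("RegistryValueSet", "RegistryKeyCreated"):
        return []  # deletions are not persistence
    data = ev.get("RegistryValueData", "")
    if data.strip('"').lower() in allowlist:
        return []
    actor = ev.get("InitiatingProcessAccountName", "")
    detail = f"{key}\\{ev.get('RegistryValueName', '')} = {data}"
    findings = [Finding("autorun-registry", ev["DeviceName"], detail, actor)]
    # Non-admin check, case-insensitive and extended to the built-in service accounts.
    if actor.lower() not in PRIVILEGED:
        findings.append(Finding("autorun-registry-nonadmin", ev["DeviceName"], detail, actor))
    return findings


def check_file_event(ev):
    """Mirror of the Startup-folder queries: a new payload dropped into Startup."""
    folder = ev.get("FolderPath", "")
    if not STARTUP_FOLDER_RE.search(folder) or ev.get("ActionType") != "FileCreated":
        return []
    name = ev.get("FileName", "").lower()
    if name == "desktop.ini":
        return []  # present in every Startup folder
    if name.endswith(".dll"):
        rule = "startup-dll"
    elif name.endswith(SCRIPT_EXTS):
        rule = "startup-script"
    else:
        rule = "startup-file"
    return [Finding(rule, ev["DeviceName"], f"{folder}\\{ev.get('FileName', '')}",
                    ev.get("InitiatingProcessAccountName", ""))]


def run_rules(events):
    """Dispatch each row to the checker for its table and collect all findings."""
    findings = []
    for ev in events:
        if ev.get("Table") == "DeviceRegistryEvents":
            findings.extend(check_registry_event(ev))
        elif ev.get("Table") == "DeviceFileEvents":
            findings.extend(check_file_event(ev))
    return findings


# Constructed sample rows (column names follow the Advanced Hunting schema).
SAMPLE_EVENTS = [
    {"Table": "DeviceRegistryEvents", "DeviceName": "ws01", "ActionType": "RegistryValueSet",
     "RegistryKey": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "RegistryValueName": "Updater", "RegistryValueData": r"C:\Users\alice\AppData\Roaming\upd.exe",
     "InitiatingProcessAccountName": "alice"},
    {"Table": "DeviceRegistryEvents", "DeviceName": "ws01", "ActionType": "RegistryValueSet",
     "RegistryKey": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "RegistryValueName": "WindowsDefender",
     "RegistryValueData": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "InitiatingProcessAccountName": "SYSTEM"},
    {"Table": "DeviceRegistryEvents", "DeviceName": "ws02", "ActionType": "RegistryValueSet",
     "RegistryKey": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU",
     "RegistryValueName": "a", "RegistryValueData": "cmd", "InitiatingProcessAccountName": "bob"},
    {"Table": "DeviceFileEvents", "DeviceName": "ws02", "ActionType": "FileCreated",
     "FolderPath": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
     "FileName": "sync.vbs", "InitiatingProcessAccountName": "bob"},
    {"Table": "DeviceFileEvents", "DeviceName": "ws02", "ActionType": "FileCreated",
     "FolderPath": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
     "FileName": "desktop.ini", "InitiatingProcessAccountName": "bob"},
]

if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f"{f.rule:28} {f.device:6} {f.actor:8} {f.detail}")
```

On the sample rows the replay produces three findings: the user-hive Run value written by alice (flagged twice, once as an autorun write and once as a non-admin write), and the .vbs dropped into bob's Startup folder; the allowlisted Defender entry, the RunMRU key (which merely contains the word "Run") and desktop.ini are ignored. The anchored regular expression is what keeps RunMRU out, which is the same reason the KQL queries above should match full key paths rather than bare substrings.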
