Which SIEM platforms have a T1547 detection rule?

df00tech provides T1547 (Boot or Logon Autostart Execution) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1547 detection?

The T1547 detection is rated high severity with medium confidence.

What are common false positives for T1547?

Common false positives for T1547 include: Software installations that register legitimate autostart entries in Run keys; Windows Updates or Group Policy changes modifying Winlogon or Shell Folders registry keys; Print driver installations that add legitimate port monitors or print processors.

T1547

Boot or Logon Autostart Execution

Q: What data sources are required to detect Boot or Logon Autostart Execution (T1547)?

Detecting Boot or Logon Autostart Execution requires the following data sources: Windows Registry: Windows Registry Key Modification, Windows Registry: Windows Registry Key Creation, Microsoft Defender for Endpoint.

Persistence Privilege Escalation Last updated: April 20, 2026

Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon, including automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel. Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.

What is T1547 Boot or Logon Autostart Execution?

Boot or Logon Autostart Execution (T1547) maps to the Persistence and Privilege Escalation tactics — the adversary is trying to maintain their foothold in MITRE ATT&CK.

This page provides production-ready detection logic for Boot or Logon Autostart Execution, covering the data sources and telemetry it touches: Windows Registry: Windows Registry Key Modification, Windows Registry: Windows Registry Key Creation, Microsoft Defender for Endpoint. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Persistence Privilege Escalation
Technique: T1547 Boot or Logon Autostart Execution
Canonical reference: https://attack.mitre.org/techniques/T1547/

Microsoft Sentinel / Defender

kusto

let RunKeyPaths = dynamic([
  "\\CurrentVersion\\Run",
  "\\CurrentVersion\\RunOnce",
  "\\CurrentVersion\\RunOnceEx",
  "\\CurrentVersion\\RunServices",
  "\\CurrentVersion\\RunServicesOnce",
  "\\CurrentVersion\\Policies\\Explorer\\Run",
  "\\CurrentVersion\\Winlogon",
  "\\Active Setup\\Installed Components",
  "\\Control\\Lsa\\Authentication Packages",
  "\\Control\\Lsa\\Security Packages",
  "\\Control\\Print\\Monitors",
  "\\Control\\Print\\Environments",
  "\\Services\\W32Time\\TimeProviders",
  "\\CurrentVersion\\Explorer\\Shell Folders",
  "\\CurrentVersion\\Explorer\\User Shell Folders"
]);
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has_any (RunKeyPaths)
| project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| sort by Timestamp desc

Broad detection for modifications to any Windows autostart registry locations including Run/RunOnce keys, Winlogon helpers, Active Setup, LSA packages, print monitors, and time providers. Uses DeviceRegistryEvents from Microsoft Defender for Endpoint to catch registry value sets and key creations across all known boot/logon autostart persistence paths.

high severity medium confidence

Data Sources

Windows Registry: Windows Registry Key Modification Windows Registry: Windows Registry Key Creation Microsoft Defender for Endpoint

Required Tables

DeviceRegistryEvents

False Positives

Software installations that register legitimate autostart entries in Run keys
Windows Updates or Group Policy changes modifying Winlogon or Shell Folders registry keys
Print driver installations that add legitimate port monitors or print processors
Enterprise IT tools (SCCM, Intune, GPO) deploying startup configurations

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  QIDNAME(qid) AS event_name,
  "RegistryKey",
  "RegistryValueName",
  "RegistryValueData",
  "ProcessName",
  "ProcessCommandLine",
  LOGSOURCENAME(logsourceid) AS log_source
FROM events
WHERE LOGSOURCETYPENAME(devicetype) = 'Microsoft Windows Security Event Log'
  AND qid IN (
    SELECT qid FROM QIDmap WHERE name LIKE '%Registry%'
  )
  AND LOWER("RegistryKey") MATCHES '.*\\(currentversion\\run|currentversion\\runonce|currentversion\\runonceex|currentversion\\runservices|currentversion\\runservicesonce|currentversion\\policies\\explorer\\run|currentversion\\winlogon|active setup\\installed components|control\\lsa|control\\print\\monitors|control\\print\\environments|services\\w32time\\timeproviders|explorer\\shell folders|explorer\\user shell folders).*'
  AND LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND devicetime > (CURRENT_TIMESTAMP - 86400000)
ORDER BY devicetime DESC

Detects creation and modification of Windows autostart registry keys associated with T1547 persistence techniques. Queries Windows Security Event Log and Sysmon sources in QRadar for registry events targeting Run keys, Winlogon, LSA packages, Print Monitors, and Shell Folder paths.

high severity medium confidence

Data Sources

Windows Security Event Log (via QRadar WinCollect) Sysmon operational log forwarded to QRadar

Required Tables

events

False Positives

Software deployment tools such as SCCM or Intune may write to RunOnce keys to schedule post-reboot installation steps, generating high volumes of benign alerts during patch cycles
Security agents (EDR, antivirus) frequently register themselves in HKLM Run keys upon installation or version upgrade, which will match this detection
Legitimate IT automation scripts (PowerShell DSC, Ansible) managing Winlogon notification packages or LSA security packages will match when run by privileged accounts

Sumo Logic CSE

sql

_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security"
| where EventID in ("12", "13", "14", "4657")
| where TargetObject matches "*\\CurrentVersion\\Run*"
  OR TargetObject matches "*\\CurrentVersion\\RunOnce*"
  OR TargetObject matches "*\\CurrentVersion\\RunOnceEx*"
  OR TargetObject matches "*\\CurrentVersion\\RunServices*"
  OR TargetObject matches "*\\CurrentVersion\\RunServicesOnce*"
  OR TargetObject matches "*\\CurrentVersion\\Policies\\Explorer\\Run*"
  OR TargetObject matches "*\\CurrentVersion\\Winlogon*"
  OR TargetObject matches "*\\Active Setup\\Installed Components*"
  OR TargetObject matches "*\\Control\\Lsa\\Authentication Packages*"
  OR TargetObject matches "*\\Control\\Lsa\\Security Packages*"
  OR TargetObject matches "*\\Control\\Print\\Monitors*"
  OR TargetObject matches "*\\Control\\Print\\Environments*"
  OR TargetObject matches "*\\Services\\W32Time\\TimeProviders*"
  OR TargetObject matches "*\\Explorer\\Shell Folders*"
  OR TargetObject matches "*\\Explorer\\User Shell Folders*"
| eval action = if(EventID == "12", "KeyCreated", if(EventID == "13", "ValueSet", if(EventID == "14", "KeyRenamed", "RegistryModified")))
| fields _messageTime, Computer, action, TargetObject, Details, Image, User
| sort by _messageTime desc

Detects Sysmon registry events (EventID 12/13/14) and Windows Security Event 4657 targeting known autostart execution registry paths used in T1547 persistence. Covers Run keys, Winlogon, LSA authentication/security packages, Print Monitors, and Explorer Shell Folders.

high severity high confidence

Data Sources

Sysmon via Sumo Logic Windows source (EventID 12, 13, 14) Windows Security log via Sumo Logic (EventID 4657)

Required Tables

windows/sysmon windows/security

False Positives

Windows Update and Windows Installer (msiexec.exe) routinely modify RunOnce keys to schedule cleanup or completion tasks after patch installation, producing high false positive volumes during Patch Tuesday windows
Enterprise software such as Microsoft Teams, Zoom, or Slack silently adds or updates Run key entries for auto-launch on user login, generating benign events at scale
IT asset management and remote support tools (e.g., Dameware, Bomgar) may register themselves in Winlogon notification packages and Active Setup keys during deployment

Google Chronicle / SecOps

yaral

rule t1547_boot_logon_autostart_registry {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects registry creation or modification events targeting Windows boot/logon autostart execution locations (T1547). Covers Run keys, RunOnce, Winlogon, LSA package registration, Print Monitor DLL paths, and Shell Folder redirections."
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    mitre_attack_technique = "T1547"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    $e.metadata.event_type = "REGISTRY_MODIFICATION"
    (
      re.regex($e.target.registry.registry_key, `(?i)\\CurrentVersion\\Run(Once(Ex)?|Services(Once)?)?\\`) or
      re.regex($e.target.registry.registry_key, `(?i)\\CurrentVersion\\Policies\\Explorer\\Run`) or
      re.regex($e.target.registry.registry_key, `(?i)\\CurrentVersion\\Winlogon`) or
      re.regex($e.target.registry.registry_key, `(?i)\\Active Setup\\Installed Components`) or
      re.regex($e.target.registry.registry_key, `(?i)\\Control\\Lsa\\(Authentication|Security) Packages`) or
      re.regex($e.target.registry.registry_key, `(?i)\\Control\\Print\\(Monitors|Environments)`) or
      re.regex($e.target.registry.registry_key, `(?i)\\Services\\W32Time\\TimeProviders`) or
      re.regex($e.target.registry.registry_key, `(?i)\\Explorer\\(User )?Shell Folders`)
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting REGISTRY_MODIFICATION events on Windows autostart execution registry key paths associated with T1547. Matches registry writes to Run keys, Winlogon entries, LSA packages, Print Monitors, W32Time providers, and Shell Folder redirections via UDM normalized registry telemetry.

high severity high confidence

Data Sources

Windows endpoint telemetry via Chronicle Forwarder (Sysmon or EDR) Google Chronicle UDM REGISTRY_MODIFICATION events

Required Tables

UDM events with metadata.event_type = REGISTRY_MODIFICATION

False Positives

Scheduled system tasks and Windows components (e.g., Task Scheduler, Windows Defender) modify Winlogon-related keys during normal operation, particularly after cumulative updates
Application virtualisation platforms (App-V, VMware ThinApp) manipulate Shell Folder registry values as part of app launch sequencing, generating benign matches
Print server administrators deploying print monitor DLLs for enterprise printing solutions (Pharos, PaperCut) will write to Control\Print\Monitors during driver provisioning

Sigma rule & cross-platform mapping

The detection logic for Boot or Logon Autostart Execution (T1547) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1547 Sigma rules on detection.fyi

Platform-specific guides for T1547

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-20 Research depth: deep

References (5)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Add Registry Run Key for Persistence
Expected signal: Sysmon Event ID 13: Registry value set on HKCU\Software\Microsoft\Windows\CurrentVersion\Run with value name 'df00tech-test'. DeviceRegistryEvents with ActionType 'RegistryValueSet'.
Test 2Drop File in Startup Folder
Expected signal: Sysmon Event ID 11: FileCreate in the Startup directory. DeviceFileEvents with ActionType 'FileCreated' in the Startup folder path.
Test 3Modify Winlogon Shell Value
Expected signal: Sysmon Event ID 13: Registry value set on Winlogon\Shell. DeviceRegistryEvents with RegistryKey containing 'Winlogon' and RegistryValueName 'Shell'.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1547 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hubs

TA0003Persistence TA0004Privilege Escalation

Sub-techniques (14)

Related Techniques

T1547.001Registry Run Keys / Startup Folder T1547.004Winlogon Helper DLL T1547.002Authentication Package T1547.005Security Support Provider T1547.014Active Setup T1037Boot or Logon Initialization Scripts T1543Create or Modify System Process T1053.005Scheduled Task T1574Hijack Execution Flow T1112Modify Registry

Boot or Logon Autostart Execution

What is T1547 Boot or Logon Autostart Execution?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1547

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hubs

Sub-techniques (14)

Related Techniques

Same Tactic: Persistence

Popular Detections

What is T1547 Boot or Logon Autostart Execution?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1547

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Sub-techniques (14)

Related Techniques

Same Tactic: Persistence

Popular Detections

Get new detections in your inbox