T1547 Boot or Logon Autostart Execution Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let RunKeyPaths = dynamic([
  "\\CurrentVersion\\Run",
  "\\CurrentVersion\\RunOnce",
  "\\CurrentVersion\\RunOnceEx",
  "\\CurrentVersion\\RunServices",
  "\\CurrentVersion\\RunServicesOnce",
  "\\CurrentVersion\\Policies\\Explorer\\Run",
  "\\CurrentVersion\\Winlogon",
  "\\Active Setup\\Installed Components",
  "\\Control\\Lsa\\Authentication Packages",
  "\\Control\\Lsa\\Security Packages",
  "\\Control\\Print\\Monitors",
  "\\Control\\Print\\Environments",
  "\\Services\\W32Time\\TimeProviders",
  "\\CurrentVersion\\Explorer\\Shell Folders",
  "\\CurrentVersion\\Explorer\\User Shell Folders"
]);
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has_any (RunKeyPaths)
| project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| sort by Timestamp desc

high severity medium confidence

Data Sources

Windows Registry: Windows Registry Key Modification Windows Registry: Windows Registry Key Creation Microsoft Defender for Endpoint

Required Tables

DeviceRegistryEvents

False Positives

Software installations that register legitimate autostart entries in Run keys
Windows Updates or Group Policy changes modifying Winlogon or Shell Folders registry keys
Print driver installations that add legitimate port monitors or print processors
Enterprise IT tools (SCCM, Intune, GPO) deploying startup configurations

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=12 OR EventCode=13 OR EventCode=14)
  (TargetObject="*\\CurrentVersion\\Run*"
   OR TargetObject="*\\CurrentVersion\\Policies\\Explorer\\Run*"
   OR TargetObject="*\\CurrentVersion\\Winlogon*"
   OR TargetObject="*\\Active Setup\\Installed Components*"
   OR TargetObject="*\\Control\\Lsa\\*"
   OR TargetObject="*\\Control\\Print\\Monitors*"
   OR TargetObject="*\\Control\\Print\\Environments*"
   OR TargetObject="*\\Services\\W32Time\\TimeProviders*"
   OR TargetObject="*\\Explorer\\Shell Folders*"
   OR TargetObject="*\\Explorer\\User Shell Folders*")
| eval action=case(EventCode=12, "KeyCreated", EventCode=13, "ValueSet", EventCode=14, "KeyRenamed")
| table _time, host, action, TargetObject, Details, Image, User
| sort - _time

high severity medium confidence

Data Sources

Windows Registry: Windows Registry Key Modification Windows Registry: Windows Registry Key Creation Sysmon Event ID 12/13/14

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Software installations that register legitimate autostart entries in Run keys
Windows Updates or Group Policy changes modifying Winlogon or Shell Folders registry keys
Print driver installations that add legitimate port monitors or print processors
Enterprise IT tools (SCCM, Intune, GPO) deploying startup configurations

Elastic Security (EQL)

eql

registry where event.type in ("creation", "change") and registry.path : (
  "*\\CurrentVersion\\Run\\*",
  "*\\CurrentVersion\\RunOnce\\*",
  "*\\CurrentVersion\\RunOnceEx\\*",
  "*\\CurrentVersion\\RunServices\\*",
  "*\\CurrentVersion\\RunServicesOnce\\*",
  "*\\CurrentVersion\\Policies\\Explorer\\Run\\*",
  "*\\CurrentVersion\\Winlogon\\*",
  "*\\Active Setup\\Installed Components\\*",
  "*\\Control\\Lsa\\Authentication Packages",
  "*\\Control\\Lsa\\Security Packages",
  "*\\Control\\Print\\Monitors\\*",
  "*\\Control\\Print\\Environments\\*",
  "*\\Services\\W32Time\\TimeProviders\\*",
  "*\\CurrentVersion\\Explorer\\Shell Folders\\*",
  "*\\CurrentVersion\\Explorer\\User Shell Folders\\*"
)

high severity high confidence

Data Sources

Windows Registry via Elastic Agent / Winlogbeat with Sysmon

Required Tables

logs-endpoint.events.registry-* winlogbeat-*

False Positives

Legitimate software installers (e.g., antivirus, enterprise agents, Microsoft Office) routinely write to Run and RunOnce keys during installation or update cycles
Group Policy application may rewrite Winlogon and Shell Folder registry values during policy refresh, especially at login or machine startup
Print driver installation by administrators writes to Control\Print\Monitors and Environments registry paths, triggering alerts during driver deployment

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  QIDNAME(qid) AS event_name,
  "RegistryKey",
  "RegistryValueName",
  "RegistryValueData",
  "ProcessName",
  "ProcessCommandLine",
  LOGSOURCENAME(logsourceid) AS log_source
FROM events
WHERE LOGSOURCETYPENAME(devicetype) = 'Microsoft Windows Security Event Log'
  AND qid IN (
    SELECT qid FROM QIDmap WHERE name LIKE '%Registry%'
  )
  AND LOWER("RegistryKey") MATCHES '.*\\(currentversion\\run|currentversion\\runonce|currentversion\\runonceex|currentversion\\runservices|currentversion\\runservicesonce|currentversion\\policies\\explorer\\run|currentversion\\winlogon|active setup\\installed components|control\\lsa|control\\print\\monitors|control\\print\\environments|services\\w32time\\timeproviders|explorer\\shell folders|explorer\\user shell folders).*'
  AND LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND devicetime > (CURRENT_TIMESTAMP - 86400000)
ORDER BY devicetime DESC

high severity medium confidence

Data Sources

Windows Security Event Log (via QRadar WinCollect) Sysmon operational log forwarded to QRadar

Required Tables

events

False Positives

Software deployment tools such as SCCM or Intune may write to RunOnce keys to schedule post-reboot installation steps, generating high volumes of benign alerts during patch cycles
Security agents (EDR, antivirus) frequently register themselves in HKLM Run keys upon installation or version upgrade, which will match this detection
Legitimate IT automation scripts (PowerShell DSC, Ansible) managing Winlogon notification packages or LSA security packages will match when run by privileged accounts

Sumo Logic CSE

sql

_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security"
| where EventID in ("12", "13", "14", "4657")
| where TargetObject matches "*\\CurrentVersion\\Run*"
  OR TargetObject matches "*\\CurrentVersion\\RunOnce*"
  OR TargetObject matches "*\\CurrentVersion\\RunOnceEx*"
  OR TargetObject matches "*\\CurrentVersion\\RunServices*"
  OR TargetObject matches "*\\CurrentVersion\\RunServicesOnce*"
  OR TargetObject matches "*\\CurrentVersion\\Policies\\Explorer\\Run*"
  OR TargetObject matches "*\\CurrentVersion\\Winlogon*"
  OR TargetObject matches "*\\Active Setup\\Installed Components*"
  OR TargetObject matches "*\\Control\\Lsa\\Authentication Packages*"
  OR TargetObject matches "*\\Control\\Lsa\\Security Packages*"
  OR TargetObject matches "*\\Control\\Print\\Monitors*"
  OR TargetObject matches "*\\Control\\Print\\Environments*"
  OR TargetObject matches "*\\Services\\W32Time\\TimeProviders*"
  OR TargetObject matches "*\\Explorer\\Shell Folders*"
  OR TargetObject matches "*\\Explorer\\User Shell Folders*"
| eval action = if(EventID == "12", "KeyCreated", if(EventID == "13", "ValueSet", if(EventID == "14", "KeyRenamed", "RegistryModified")))
| fields _messageTime, Computer, action, TargetObject, Details, Image, User
| sort by _messageTime desc

high severity high confidence

Data Sources

Sysmon via Sumo Logic Windows source (EventID 12, 13, 14) Windows Security log via Sumo Logic (EventID 4657)

Required Tables

windows/sysmon windows/security

False Positives

Windows Update and Windows Installer (msiexec.exe) routinely modify RunOnce keys to schedule cleanup or completion tasks after patch installation, producing high false positive volumes during Patch Tuesday windows
Enterprise software such as Microsoft Teams, Zoom, or Slack silently adds or updates Run key entries for auto-launch on user login, generating benign events at scale
IT asset management and remote support tools (e.g., Dameware, Bomgar) may register themselves in Winlogon notification packages and Active Setup keys during deployment

Google Chronicle / SecOps

yaral

rule t1547_boot_logon_autostart_registry {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects registry creation or modification events targeting Windows boot/logon autostart execution locations (T1547). Covers Run keys, RunOnce, Winlogon, LSA package registration, Print Monitor DLL paths, and Shell Folder redirections."
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    mitre_attack_technique = "T1547"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    $e.metadata.event_type = "REGISTRY_MODIFICATION"
    (
      re.regex($e.target.registry.registry_key, `(?i)\\CurrentVersion\\Run(Once(Ex)?|Services(Once)?)?\\`) or
      re.regex($e.target.registry.registry_key, `(?i)\\CurrentVersion\\Policies\\Explorer\\Run`) or
      re.regex($e.target.registry.registry_key, `(?i)\\CurrentVersion\\Winlogon`) or
      re.regex($e.target.registry.registry_key, `(?i)\\Active Setup\\Installed Components`) or
      re.regex($e.target.registry.registry_key, `(?i)\\Control\\Lsa\\(Authentication|Security) Packages`) or
      re.regex($e.target.registry.registry_key, `(?i)\\Control\\Print\\(Monitors|Environments)`) or
      re.regex($e.target.registry.registry_key, `(?i)\\Services\\W32Time\\TimeProviders`) or
      re.regex($e.target.registry.registry_key, `(?i)\\Explorer\\(User )?Shell Folders`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Windows endpoint telemetry via Chronicle Forwarder (Sysmon or EDR) Google Chronicle UDM REGISTRY_MODIFICATION events

Required Tables

UDM events with metadata.event_type = REGISTRY_MODIFICATION

False Positives

Scheduled system tasks and Windows components (e.g., Task Scheduler, Windows Defender) modify Winlogon-related keys during normal operation, particularly after cumulative updates
Application virtualisation platforms (App-V, VMware ThinApp) manipulate Shell Folder registry values as part of app launch sequencing, generating benign matches
Print server administrators deploying print monitor DLLs for enterprise printing solutions (Pharos, PaperCut) will write to Control\Print\Monitors during driver provisioning

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "AsepValueUpdate" OR #event_simpleName = "AsepValueDelete"
| regex(field=RegistryPath, regex="(?i)(CurrentVersion\\\\Run(Once(Ex)?|Services(Once)?)?|CurrentVersion\\\\Policies\\\\Explorer\\\\Run|CurrentVersion\\\\Winlogon|Active Setup\\\\Installed Components|Control\\\\Lsa\\\\(Authentication|Security) Packages|Control\\\\Print\\\\(Monitors|Environments)|Services\\\\W32Time\\\\TimeProviders|Explorer\\\\(User )?Shell Folders)")
| table([@timestamp, ComputerName, event_simpleName, RegistryPath, RegistryValueName, RegistryValueData, ImageFileName, CommandLine, UserName])
| sort(field=@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR — AsepValueUpdate, AsepValueDelete events

Required Tables

AsepValueUpdate AsepValueDelete

False Positives

CrowdStrike Falcon itself and other EDR/AV products register entries in Run keys or Active Setup during sensor updates and initial deployment, generating benign ASEP events
Legitimate application updates (browsers, productivity suites) modify their own Run key entries to update executable paths after version upgrades, typically from signed updater processes
Microsoft Office Click-to-Run and similar subscription software deployment mechanisms write to Active Setup and RunOnce keys during installation and upgrade sequences

Boot or Logon Autostart Execution

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (14)

Same Tactic: Persistence

Popular Detections