T1547.001 Registry Run Keys / Startup Folder Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let RunKeyPaths = dynamic([
  "\\CurrentVersion\\Run",
  "\\CurrentVersion\\RunOnce",
  "\\CurrentVersion\\RunOnceEx",
  "\\CurrentVersion\\RunServices",
  "\\CurrentVersion\\RunServicesOnce",
  "\\CurrentVersion\\Policies\\Explorer\\Run",
  "\\Windows NT\\CurrentVersion\\Windows",
  "\\Control\\Session Manager"
]);
let TrustedProcesses = dynamic(["msiexec.exe", "TrustedInstaller.exe", "TiWorker.exe", "ccmexec.exe", "MpSigStub.exe"]);
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has_any (RunKeyPaths)
| where InitiatingProcessFileName !in~ (TrustedProcesses)
| extend SuspiciousPath = RegistryValueData has_any ("\\Temp\\", "\\AppData\\Local\\Temp", "\\Downloads\\", "\\Public\\", "$Recycle.Bin", "\\ProgramData\\")
| extend SuspiciousExt = RegistryValueData has_any (".vbs", ".js", ".bat", ".cmd", ".ps1", ".hta", ".wsh", ".wsf")
| project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData,
         InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName,
         SuspiciousPath, SuspiciousExt
| sort by Timestamp desc

high severity high confidence

Data Sources

Windows Registry: Windows Registry Key Modification Windows Registry: Windows Registry Key Creation Microsoft Defender for Endpoint

Required Tables

DeviceRegistryEvents

False Positives

Legitimate software installations that add Run key entries (antivirus, VPN clients, cloud sync tools like OneDrive, Dropbox)
Enterprise deployment tools (SCCM, Intune, PDQ Deploy) adding startup entries for managed software
User-installed utilities that register themselves for auto-start (Discord, Spotify, Steam)
IT automation scripts that configure startup programs as part of endpoint provisioning

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=12 OR EventCode=13 OR EventCode=14)
  (TargetObject="*\\CurrentVersion\\Run*"
   OR TargetObject="*\\CurrentVersion\\Policies\\Explorer\\Run*"
   OR TargetObject="*\\CurrentVersion\\RunServices*"
   OR TargetObject="*\\Windows NT\\CurrentVersion\\Windows\\load*"
   OR TargetObject="*\\Control\\Session Manager\\BootExecute*")
  NOT (Image="*\\msiexec.exe" OR Image="*\\TrustedInstaller.exe" OR Image="*\\TiWorker.exe" OR Image="*\\ccmexec.exe")
| eval action=case(EventCode=12, "KeyCreated", EventCode=13, "ValueSet", EventCode=14, "KeyRenamed")
| eval SuspiciousPath=if(match(Details, "(?i)(\\\\Temp\\\\|\\\\Downloads\\\\|\\\\Public\\\\|Recycle\\.Bin)"), 1, 0)
| eval ScriptType=if(match(Details, "(?i)\.(vbs|js|bat|cmd|ps1|hta|wsh|wsf)"), 1, 0)
| eval RiskScore=SuspiciousPath + ScriptType
| table _time, host, action, TargetObject, Details, Image, User, SuspiciousPath, ScriptType, RiskScore
| sort - _time

high severity high confidence

Data Sources

Windows Registry: Windows Registry Key Modification Windows Registry: Windows Registry Key Creation Sysmon Event ID 12/13/14

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate software installations that add Run key entries (antivirus, VPN clients, cloud sync tools)
Enterprise deployment tools (SCCM, Intune, PDQ Deploy) adding startup entries
User-installed utilities that register themselves for auto-start
IT automation scripts configuring startup programs during endpoint provisioning

Elastic Security (EQL)

eql

registry where event.action in ("registry_value_set", "registry_key_created") and
  registry.path : (
    "*\\CurrentVersion\\Run\\*",
    "*\\CurrentVersion\\RunOnce\\*",
    "*\\CurrentVersion\\RunOnceEx\\*",
    "*\\CurrentVersion\\RunServices\\*",
    "*\\CurrentVersion\\RunServicesOnce\\*",
    "*\\CurrentVersion\\Policies\\Explorer\\Run\\*",
    "*\\Windows NT\\CurrentVersion\\Windows\\load",
    "*\\Control\\Session Manager\\BootExecute"
  ) and
  not process.name : ("msiexec.exe", "TrustedInstaller.exe", "TiWorker.exe", "ccmexec.exe", "MpSigStub.exe") and
  (
    registry.data.strings : (
      "*\\Temp\\*",
      "*\\AppData\\Local\\Temp\\*",
      "*\\Downloads\\*",
      "*\\Public\\*",
      "*Recycle.Bin*",
      "*\\ProgramData\\*"
    ) or
    registry.data.strings : (
      "*.vbs",
      "*.js",
      "*.bat",
      "*.cmd",
      "*.ps1",
      "*.hta",
      "*.wsh",
      "*.wsf"
    )
  )

high severity high confidence

Data Sources

Windows Registry via Elastic Endpoint or Winlogbeat with Sysmon

Required Tables

registry

False Positives

Legitimate software installers (e.g., Spotify, Slack, Teams) that register themselves in HKCU Run keys during installation — especially when the installer runs from a user Downloads folder
IT management or endpoint agents (Tanium, CrowdStrike, Carbon Black) updating their own run key entries from paths that may temporarily match Temp or ProgramData patterns
Developer tools such as JetBrains IDE updaters or Node.js-based apps that install helper scripts with .js extension in run keys
Windows Group Policy application writing entries under Policies\Explorer\Run via gpupdate as part of expected policy deployment

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  "username" AS User,
  "RegistryKey",
  "RegistryValueName",
  "RegistryValueData",
  "Image" AS ProcessImage,
  "CommandLine",
  sourceip,
  CASE
    WHEN "RegistryValueData" ILIKE '%\\Temp\\%'
      OR "RegistryValueData" ILIKE '%\\Downloads\\%'
      OR "RegistryValueData" ILIKE '%\\Public\\%'
      OR "RegistryValueData" ILIKE '%Recycle.Bin%'
      OR "RegistryValueData" ILIKE '%\\ProgramData\\%'
    THEN 1 ELSE 0
  END AS SuspiciousPath,
  CASE
    WHEN LOWER("RegistryValueData") SIMILAR TO '%.vbs%|%.js%|%.bat%|%.cmd%|%.ps1%|%.hta%|%.wsh%|%.wsf%'
    THEN 1 ELSE 0
  END AS ScriptExt
FROM events
WHERE LOGSOURCETYPEID = 12
  AND CATEGORYNAME(category) IN ('Registry Value Set', 'Registry Key Created', 'Registry Key Renamed')
  AND (
    "RegistryKey" ILIKE '%\\CurrentVersion\\Run%'
    OR "RegistryKey" ILIKE '%\\CurrentVersion\\RunOnce%'
    OR "RegistryKey" ILIKE '%\\CurrentVersion\\RunOnceEx%'
    OR "RegistryKey" ILIKE '%\\CurrentVersion\\RunServices%'
    OR "RegistryKey" ILIKE '%\\CurrentVersion\\Policies\\Explorer\\Run%'
    OR "RegistryKey" ILIKE '%\\Windows NT\\CurrentVersion\\Windows%'
    OR "RegistryKey" ILIKE '%\\Control\\Session Manager\\BootExecute%'
  )
  AND "Image" NOT ILIKE '%\\msiexec.exe'
  AND "Image" NOT ILIKE '%\\TrustedInstaller.exe'
  AND "Image" NOT ILIKE '%\\TiWorker.exe'
  AND "Image" NOT ILIKE '%\\ccmexec.exe'
  AND "Image" NOT ILIKE '%\\MpSigStub.exe'
  AND (
    "RegistryValueData" ILIKE '%\\Temp\\%'
    OR "RegistryValueData" ILIKE '%\\Downloads\\%'
    OR "RegistryValueData" ILIKE '%\\Public\\%'
    OR "RegistryValueData" ILIKE '%Recycle.Bin%'
    OR "RegistryValueData" ILIKE '%\\ProgramData\\%'
    OR LOWER("RegistryValueData") SIMILAR TO '%.vbs%|%.js%|%.bat%|%.cmd%|%.ps1%|%.hta%|%.wsh%|%.wsf%'
  )
ORDER BY starttime DESC
LAST 24 HOURS

high severity high confidence

Data Sources

Sysmon via Windows Event Log forwarding to QRadar (LOGSOURCETYPEID 12) Microsoft Windows Security Event Log

Required Tables

events

False Positives

Third-party antivirus or endpoint security products updating their own Run key entries from ProgramData subdirectories during definition or engine updates
Enterprise software deployment tools (IBM BigFix, SCCM client) writing run keys referencing scripts in temporary staging directories during patch cycles
User-installed productivity applications (e.g., AutoHotkey scripts, Outlook macros) registered via Run key pointing to scripts in user AppData or Documents folders

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon (EventCode=12 OR EventCode=13 OR EventCode=14)
| where TargetObject matches "*\\CurrentVersion\\Run*"
  OR TargetObject matches "*\\CurrentVersion\\RunOnce*"
  OR TargetObject matches "*\\CurrentVersion\\RunOnceEx*"
  OR TargetObject matches "*\\CurrentVersion\\RunServices*"
  OR TargetObject matches "*\\CurrentVersion\\Policies\\Explorer\\Run*"
  OR TargetObject matches "*\\Windows NT\\CurrentVersion\\Windows\\load*"
  OR TargetObject matches "*\\Control\\Session Manager\\BootExecute*"
| where !(Image matches "*\\msiexec.exe"
  OR Image matches "*\\TrustedInstaller.exe"
  OR Image matches "*\\TiWorker.exe"
  OR Image matches "*\\ccmexec.exe"
  OR Image matches "*\\MpSigStub.exe")
| eval action = if(EventCode == "12", "KeyCreated", if(EventCode == "13", "ValueSet", "KeyRenamed"))
| eval SuspiciousPath = if(matches(Details, "(?i)(\\\\Temp\\\\|\\\\Downloads\\\\|\\\\Public\\\\|Recycle\\.Bin|\\\\ProgramData\\\\)"), 1, 0)
| eval ScriptExt = if(matches(Details, "(?i)\\.(vbs|js|bat|cmd|ps1|hta|wsh|wsf)"), 1, 0)
| eval RiskScore = SuspiciousPath + ScriptExt
| where RiskScore > 0
| fields _messageTime, _sourceHost, action, TargetObject, Details, Image, User, RuleName, SuspiciousPath, ScriptExt, RiskScore
| sort by _messageTime desc

high severity high confidence

Data Sources

Sysmon operational log via Sumo Logic Windows agent Sumo Logic Cloud SIEM (CSE) Windows normalized events

Required Tables

_sourceCategory=windows/sysmon

False Positives

Legitimate consumer software such as cloud sync clients (Dropbox, OneDrive) or communication apps (Zoom, Teams) writing startup entries from user-scoped AppData paths that contain script wrappers
Security awareness or MDM enrollment tools that use PowerShell (.ps1) wrappers in run keys for first-boot configuration checks
Software development workflows where developers test autorun behavior of their own applications using local temp or project directories on developer workstations

Google Chronicle / SecOps

yaral

rule t1547_001_registry_run_key_persistence {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects persistence established via Registry Run Keys or Startup Folder (T1547.001). Alerts on writes to common autorun registry paths from non-trusted processes where the value data references suspicious file locations or script extensions."
    mitre_attack_technique = "T1547.001"
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    severity = "HIGH"
    confidence = "HIGH"
    created = "2026-04-20"

  events:
    $e.metadata.event_type = "REGISTRY_MODIFICATION"
    $e.target.registry.registry_key = /(?i)(CurrentVersion\\Run|CurrentVersion\\RunOnce|CurrentVersion\\RunOnceEx|CurrentVersion\\RunServices|Policies\\Explorer\\Run|Windows NT\\CurrentVersion\\Windows|Control\\Session Manager\\BootExecute)/
    not $e.principal.process.file.full_path = /(?i)(\\msiexec\.exe$|\\TrustedInstaller\.exe$|\\TiWorker\.exe$|\\ccmexec\.exe$|\\MpSigStub\.exe$)/
    (
      $e.target.registry.registry_value_data = /(?i)(\\Temp\\|\\AppData\\Local\\Temp|\\Downloads\\|\\Public\\|Recycle\.Bin|\\ProgramData\\)/ or
      $e.target.registry.registry_value_data = /(?i)\.(vbs|js|bat|cmd|ps1|hta|wsh|wsf)("| |$)/
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Windows endpoint telemetry forwarded to Chronicle via Bindplane or Chronicle forwarder Microsoft Defender for Endpoint via Chronicle integration Sysmon via Chronicle Windows sensor

Required Tables

UDM events with metadata.event_type = REGISTRY_MODIFICATION

False Positives

Enterprise patch management or software distribution agents writing temporary staging script paths into run keys as part of pre-boot or logon-triggered update sequences
Anti-malware products (Windows Defender, third-party AV) recording temporary script-based remediation tools in run keys during active incident response or cleanup passes
Legitimate automation frameworks such as Puppet or Chef writing PowerShell bootstrap scripts into run keys for post-provisioning configuration on new endpoints

CrowdStrike LogScale (CQL)

cql

#event_simpleName=RegValueSet
| TargetRegistryKey = /(?i)(CurrentVersion\\Run|CurrentVersion\\RunOnce|CurrentVersion\\RunOnceEx|CurrentVersion\\RunServices|CurrentVersion\\RunServicesOnce|Policies\\Explorer\\Run|Windows NT\\CurrentVersion\\Windows|Control\\Session Manager\\BootExecute)/
| ImageFileName != /(?i)(\\msiexec\.exe$|\\TrustedInstaller\.exe$|\\TiWorker\.exe$|\\ccmexec\.exe$|\\MpSigStub\.exe$)/
| SuspiciousPath := if(TargetRegistryValueData = /(?i)(\\Temp\\|\\AppData\\Local\\Temp|\\Downloads\\|\\Public\\|Recycle\.Bin|\\ProgramData\\)/, "true", "false")
| ScriptExt := if(TargetRegistryValueData = /(?i)\.(vbs|js|bat|cmd|ps1|hta|wsh|wsf)("| |$)/, "true", "false")
| SuspiciousPath = "true" OR ScriptExt = "true"
| RiskScore := if(SuspiciousPath = "true" AND ScriptExt = "true", "HIGH", if(SuspiciousPath = "true" OR ScriptExt = "true", "MEDIUM", "LOW"))
| table([timestamp, ComputerName, UserSid, TargetRegistryKey, TargetRegistryValueName, TargetRegistryValueData, ImageFileName, CommandLine, SuspiciousPath, ScriptExt, RiskScore])
| sort(field=timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon endpoint sensor (RegValueSet events) Falcon Data Replicator (FDR) streamed to LogScale

Required Tables

#event_simpleName=RegValueSet

False Positives

Software auto-updaters (Chrome, Firefox, Adobe) that temporarily write update launcher paths referencing versioned subdirectories within ProgramData or LocalAppData during update cycles
RMM (Remote Monitoring and Management) tools such as ConnectWise, NinjaRMM, or Datto that install persistent agent launchers via run keys, sometimes using .cmd or .bat wrappers
Developer workstations running local testing of persistence mechanisms as part of red team tooling validation, purple team exercises, or application self-update testing pipelines

Registry Run Keys / Startup Folder

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections