T1547.001 Splunk · SPL

Detect Registry Run Keys / Startup Folder in Splunk

Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the 'run keys' in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level. The following run keys are created by default on Windows systems: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce, HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce. Additional persistence can be achieved through the Startup folder at C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup and the system-wide C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp. The BootExecute value under Session Manager and the load value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows are also abusable.

MITRE ATT&CK

Tactic
Persistence Privilege Escalation
Technique
T1547 Boot or Logon Autostart Execution
Sub-technique
T1547.001 Registry Run Keys / Startup Folder
Canonical reference
https://attack.mitre.org/techniques/T1547/001/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=12 OR EventCode=13 OR EventCode=14)
  (TargetObject="*\\CurrentVersion\\Run*"
   OR TargetObject="*\\CurrentVersion\\Policies\\Explorer\\Run*"
   OR TargetObject="*\\CurrentVersion\\RunServices*"
   OR TargetObject="*\\Windows NT\\CurrentVersion\\Windows\\load*"
   OR TargetObject="*\\Control\\Session Manager\\BootExecute*")
  NOT (Image="*\\msiexec.exe" OR Image="*\\TrustedInstaller.exe" OR Image="*\\TiWorker.exe" OR Image="*\\ccmexec.exe")
| eval action=case(EventCode=12, "KeyCreated", EventCode=13, "ValueSet", EventCode=14, "KeyRenamed")
| eval SuspiciousPath=if(match(Details, "(?i)(\\\\Temp\\\\|\\\\Downloads\\\\|\\\\Public\\\\|Recycle\\.Bin)"), 1, 0)
| eval ScriptType=if(match(Details, "(?i)\.(vbs|js|bat|cmd|ps1|hta|wsh|wsf)"), 1, 0)
| eval RiskScore=SuspiciousPath + ScriptType
| table _time, host, action, TargetObject, Details, Image, User, SuspiciousPath, ScriptType, RiskScore
| sort - _time
high severity high confidence

Detects modifications to Registry Run/RunOnce keys and startup-related registry paths using Sysmon Event IDs 12 (key create), 13 (value set), and 14 (key rename). Assigns a risk score based on suspicious file paths and script file extensions in the registry value data. Filters out trusted Windows servicing processes.

Data Sources

Windows Registry: Windows Registry Key ModificationWindows Registry: Windows Registry Key CreationSysmon Event ID 12/13/14

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Legitimate software installations that add Run key entries (antivirus, VPN clients, cloud sync tools)
  • Enterprise deployment tools (SCCM, Intune, PDQ Deploy) adding startup entries
  • User-installed utilities that register themselves for auto-start
  • IT automation scripts configuring startup programs during endpoint provisioning
Download portable Sigma rule (.yml)

Other platforms for T1547.001

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Registry Run Key Persistence (HKCU)

    Expected signal: Sysmon Event ID 13: RegistryValueSet on HKCU\Software\Microsoft\Windows\CurrentVersion\Run with ValueName 'df00tech-test' and Details 'C:\Windows\System32\calc.exe'. MDE DeviceRegistryEvents with ActionType 'RegistryValueSet'.

  2. Test 2Startup Folder Persistence via Batch Script

    Expected signal: Sysmon Event ID 11: FileCreate for df00tech-test.bat in the Startup folder path. Security Event ID 4688 showing cmd.exe creating the file.

  3. Test 3RunOnceEx Dependency DLL Loading

    Expected signal: Sysmon Event ID 12: Registry key created for RunOnceEx\0001\Depend. Sysmon Event ID 13: Value set with DLL path. MDE DeviceRegistryEvents captures both the key creation and value set.

  4. Test 4HKLM Run Key via PowerShell

    Expected signal: Sysmon Event ID 13: RegistryValueSet with Image=powershell.exe. Sysmon Event ID 1: Process creation for powershell.exe with the Set-ItemProperty command. PowerShell ScriptBlock Log Event ID 4104.

Last updated: 2026-04-20 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1547.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1547Boot or Logon Autostart Execution

Related Sub-techniques

T1547.002Authentication PackageT1547.003Time ProvidersT1547.004Winlogon Helper DLLT1547.005Security Support ProviderT1547.006Kernel Modules and ExtensionsT1547.007Re-opened ApplicationsT1547.008LSASS DriverT1547.009Shortcut ModificationT1547.010Port MonitorsT1547.012Print ProcessorsT1547.013XDG Autostart EntriesT1547.014Active SetupT1547.015Login Items

Related Techniques

T1547Boot or Logon Autostart ExecutionT1547.009Shortcut ModificationT1547.014Active SetupT1112Modify RegistryT1036MasqueradingT1059Command and Scripting InterpreterT1105Ingress Tool TransferT1053.005Scheduled Task

Same Tactic: Persistence

Popular Detections