T1547.014 Active Setup Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let ActiveSetupPath = @"SOFTWARE\Microsoft\Active Setup\Installed Components";
let KnownGUIDs = dynamic([
  "{89820200-ECBD-11cf-8B85-00AA005B4383}",
  "{22d6f312-b0f6-11d0-94ab-0080c74c7e95}",
  "{2C7339CF-2B09-4501-B3F3-F3508C9228ED}",
  "{44BBA840-CC51-11CF-AAFA-00AA00B6015C}",
  "{6BF52A52-394A-11d3-B153-00C04F79FAA6}",
  "{89B4C1CD-B018-4511-B0A1-5476DBF70820}"
]);
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has ActiveSetupPath
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| extend GUID = extract(@"Installed Components\\({[^}]+})", 1, RegistryKey)
| extend IsKnownGUID = GUID in (KnownGUIDs)
| extend IsStubPath = RegistryKey endswith "StubPath" or RegistryValueName =~ "StubPath"
| extend StubPathValue = iff(IsStubPath, tostring(RegistryValueData), "")
| extend SuspiciousStubPath = StubPathValue has_any ("cmd.exe", "powershell", "mshta.exe", "rundll32", "regsvr32", "wscript", "cscript", "certutil", ".bat", ".vbs", ".js", ".hta", "http://", "https://")
| where not(IsKnownGUID) or IsStubPath
| project Timestamp, DeviceName, AccountName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, GUID, IsKnownGUID, IsStubPath, SuspiciousStubPath, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc

high severity high confidence

Data Sources

Windows Registry: Registry Key Creation Windows Registry: Registry Key Modification Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceRegistryEvents

False Positives

Software installations that use Active Setup to run first-use configuration commands (e.g., Microsoft Office, Visual Studio, .NET Framework adding per-user registry settings)
Windows component updates that modify existing Active Setup entries to update version numbers, triggering re-execution of StubPath commands
Group Policy deployed applications that use Active Setup to ensure per-user installation on first logon to shared workstations/terminal servers
Antivirus or endpoint security products that register Active Setup entries for per-user agent configuration

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13
  TargetObject="HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\*"
| eval is_stubpath=if(match(TargetObject, "StubPath$"), 1, 0)
| eval guid=replace(TargetObject, ".*Installed Components\\\\(\{[^}]+\}).*", "\1")
| eval suspicious_stub=if(match(lower(Details), "(cmd\.exe|powershell|mshta|rundll32|regsvr32|wscript|cscript|certutil|\.bat|\.vbs|\.js|\.hta|http://|https://)"), 1, 0)
| eval known_guid=if(match(guid, "(89820200-ECBD|22d6f312-b0f6|2C7339CF-2B09|44BBA840-CC51|6BF52A52-394A|89B4C1CD-B018)"), 1, 0)
| where is_stubpath=1 OR known_guid=0
| table _time, host, User, Image, TargetObject, Details, guid, is_stubpath, suspicious_stub, known_guid
| sort - _time

high severity high confidence

Data Sources

Windows Registry: Registry Key Modification Sysmon Event ID 13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Software installations using Active Setup for per-user first-run configuration (Office, Visual Studio, .NET)
Windows component updates modifying Active Setup version numbers to trigger per-user re-configuration
GPO-deployed applications using Active Setup for per-user installation on shared workstations
Endpoint security products registering Active Setup entries for per-user agent configuration

Elastic Security (EQL)

eql

registry where event.type in ("creation", "change") and
  registry.path like~ "*\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\*" and
  (
    registry.value.name == "StubPath" or
    registry.path like~ "*\\StubPath"
  ) and
  (
    registry.data.strings like~ ("*cmd.exe*", "*powershell*", "*mshta.exe*", "*rundll32*", "*regsvr32*", "*wscript*", "*cscript*", "*certutil*", "*.bat*", "*.vbs*", "*.js*", "*.hta*", "*http://*", "*https://*")
    or not (
      registry.path like~ "*{89820200-ECBD-11cf-8B85-00AA005B4383}*" or
      registry.path like~ "*{22d6f312-b0f6-11d0-94ab-0080c74c7e95}*" or
      registry.path like~ "*{2C7339CF-2B09-4501-B3F3-F3508C9228ED}*" or
      registry.path like~ "*{44BBA840-CC51-11CF-AAFA-00AA00B6015C}*" or
      registry.path like~ "*{6BF52A52-394A-11d3-B153-00C04F79FAA6}*" or
      registry.path like~ "*{89B4C1CD-B018-4511-B0A1-5476DBF70820}*"
    )
  )

high severity high confidence

Data Sources

Windows Registry Events Endpoint Detection and Response (EDR) Elastic Endpoint Security

Required Tables

registry

False Positives

Legitimate software installers (e.g., Microsoft Office, .NET Framework, Windows Media Player) creating or updating Active Setup keys during installation or patching cycles
Enterprise software deployment tools such as SCCM, Intune, or Ansible that configure Active Setup keys as part of application provisioning
System administrators manually configuring Active Setup entries for authorized corporate software using scripts containing cmd.exe or PowerShell

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  devicehostname AS "Host",
  username AS "User",
  "TargetObject" AS "Registry Key",
  "Details" AS "StubPath Value",
  "Image" AS "Writing Process",
  CASE
    WHEN REGEXP_LIKE(LOWER("Details"), '(cmd\.exe|powershell|mshta|rundll32|regsvr32|wscript|cscript|certutil|\.bat|\.vbs|\.js|\.hta|http://|https://)') THEN 'true'
    ELSE 'false'
  END AS "SuspiciousStubPath",
  CASE
    WHEN NOT REGEXP_LIKE("TargetObject", '(89820200-ECBD|22d6f312-b0f6|2C7339CF-2B09|44BBA840-CC51|6BF52A52-394A|89B4C1CD-B018)') THEN 'true'
    ELSE 'false'
  END AS "UnknownGUID"
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Snare for Windows')
  AND UPPER("TargetObject") LIKE '%SOFTWARE\\MICROSOFT\\ACTIVE SETUP\\INSTALLED COMPONENTS%'
  AND (
    UPPER("TargetObject") LIKE '%STUBPATH%'
    OR NOT REGEXP_LIKE("TargetObject", '(89820200-ECBD|22d6f312-b0f6|2C7339CF-2B09|44BBA840-CC51|6BF52A52-394A|89B4C1CD-B018)')
  )
LAST 24 HOURS
ORDER BY starttime DESC

high severity high confidence

Data Sources

IBM QRadar SIEM Microsoft Windows Security Event Log Sysmon via WinCollect

Required Tables

events

False Positives

Legitimate Windows component updates during Patch Tuesday cycles that create or modify Active Setup entries for .NET, Windows Media Player, or Internet Explorer components
Third-party enterprise applications (e.g., Adobe Acrobat, Java Runtime) that register their own Active Setup GUID for per-user initialization using command-line launchers
Software deployment platforms running PowerShell or cmd.exe-based StubPath entries as part of authorized application onboarding workflows

Sumo Logic CSE

sql

(_sourceCategory=*windows*sysmon* OR _sourceCategory=*wineventlog*)
| where EventCode = 13
| where TargetObject matches "*SOFTWARE\\Microsoft\\Active Setup\\Installed Components*"
| parse regex field=TargetObject "Installed Components\\\\(?<guid>\{[^}]+\})" nodrop
| parse regex field=Details "(?<stubpath_value>.+)" nodrop
| where TargetObject matches "*StubPath*" OR (guid != "" AND guid != "{89820200-ECBD-11cf-8B85-00AA005B4383}" AND guid != "{22d6f312-b0f6-11d0-94ab-0080c74c7e95}" AND guid != "{2C7339CF-2B09-4501-B3F3-F3508C9228ED}" AND guid != "{44BBA840-CC51-11CF-AAFA-00AA00B6015C}" AND guid != "{6BF52A52-394A-11d3-B153-00C04F79FAA6}" AND guid != "{89B4C1CD-B018-4511-B0A1-5476DBF70820}")
| eval suspicious_stub = if (matches(toLowerCase(Details), "*(cmd.exe|powershell|mshta|rundll32|regsvr32|wscript|cscript|certutil|\.bat|\.vbs|\.js|\.hta|http://|https://)*"), 1, 0)
| eval known_guid = if (matches(guid, "*89820200-ECBD*") OR matches(guid, "*22d6f312-b0f6*") OR matches(guid, "*2C7339CF-2B09*") OR matches(guid, "*44BBA840-CC51*") OR matches(guid, "*6BF52A52-394A*") OR matches(guid, "*89B4C1CD-B018*"), 1, 0)
| where suspicious_stub = 1 OR known_guid = 0
| fields _messageTime, Computer, User, Image, TargetObject, Details, guid, suspicious_stub, known_guid
| sort by _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Sysmon Operational Log Windows Event Log

Required Tables

_sourceCategory=*windows*sysmon* _sourceCategory=*wineventlog*

False Positives

Enterprise software installations that create new GUID-based Active Setup entries during initial deployment, especially for productivity suites or developer toolkits that include scripting components in StubPath
Automated configuration management tools (Puppet, Chef, Ansible) modifying Active Setup registry keys as part of system baseline enforcement
Custom in-house applications that use Active Setup with PowerShell-based StubPath for per-user configuration during first login

Google Chronicle / SecOps

yaral

rule active_setup_persistence_t1547_014 {
  meta:
    author = "Detection Engineering"
    description = "Detects Active Setup persistence via malicious StubPath registry modification under HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1547.014"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1547/014/"

  events:
    $e.metadata.event_type = "REGISTRY_MODIFICATION"
    re.regex($e.target.registry.registry_key, `(?i)SOFTWARE\\Microsoft\\Active Setup\\Installed Components`)
    (
      $e.target.registry.registry_value_name = /(?i)^StubPath$/ or
      re.regex($e.target.registry.registry_key, `(?i)\\StubPath$`)
    )
    (
      re.regex($e.target.registry.registry_value_data, `(?i)(cmd\.exe|powershell|mshta\.exe|rundll32|regsvr32|wscript|cscript|certutil|\.bat|\.vbs|\.js|\.hta|https?://)`) or
      not re.regex($e.target.registry.registry_key, `(?i)(89820200-ECBD|22d6f312-b0f6|2C7339CF-2B09|44BBA840-CC51|6BF52A52-394A|89B4C1CD-B018)`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Windows Registry Events via Chronicle Forwarder Endpoint telemetry (CrowdStrike, Carbon Black, SentinelOne)

Required Tables

registry (UDM REGISTRY_MODIFICATION events)

False Positives

Microsoft Windows Update processes modifying existing Active Setup keys for Internet Explorer, Windows Media Player, or .NET Framework components during OS patching
Legitimate software vendors (e.g., Adobe, Oracle) using Active Setup to trigger per-user first-run configuration tasks with scripted StubPath values referencing cmd.exe or msiexec
Corporate imaging or provisioning scripts that pre-stage custom Active Setup entries using PowerShell-based StubPath values for user environment initialization

CrowdStrike LogScale (CQL)

cql

#event_simpleName in (AsepValueUpdate, RegGenericValueUpdate)
| RegObjectName = /SOFTWARE\\Microsoft\\Active Setup\\Installed Components/i
| (RegValueName = /^StubPath$/i OR RegObjectName = /\\StubPath$/i)
| isSuspiciousStub := RegStringValue = /(?i)(cmd\.exe|powershell|mshta\.exe|rundll32|regsvr32|wscript|cscript|certutil|\.bat|\.vbs|\.js|\.hta|https?:\/\/)/
| isKnownGUID := RegObjectName = /(?i)(89820200-ECBD|22d6f312-b0f6|2C7339CF-2B09|44BBA840-CC51|6BF52A52-394A|89B4C1CD-B018)/
| guidExtract := replace(RegObjectName, /.*Installed Components\\(\{[^}]+\}).*/i, "$1")
| where isSuspiciousStub = true OR isKnownGUID = false
| table([@timestamp, ComputerName, UserName, RegObjectName, RegValueName, RegStringValue, FileName, CommandLine, guidExtract, isSuspiciousStub, isKnownGUID])
| sort(field=@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR Falcon LogScale (Humio) Windows Registry Sensor Events

Required Tables

AsepValueUpdate RegGenericValueUpdate

False Positives

CrowdStrike Falcon sensor may generate AsepValueUpdate events during legitimate Windows Update or software patch cycles that touch Active Setup keys for OS components
Enterprise MDM or GPO-driven configuration changes that set or update Active Setup StubPath entries across endpoints as part of application lifecycle management
Vendor-supplied installation scripts for enterprise software (e.g., Microsoft 365, Citrix Workspace) that create new GUID entries with PowerShell or cmd.exe StubPath initialization commands

Active Setup

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections