T1547 Google Chronicle · YARA-L

Detect Boot or Logon Autostart Execution in Google Chronicle

Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon, including automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel. Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.

MITRE ATT&CK

Tactic
Persistence Privilege Escalation
Technique
T1547 Boot or Logon Autostart Execution
Canonical reference
https://attack.mitre.org/techniques/T1547/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule t1547_boot_logon_autostart_registry {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects registry creation or modification events targeting Windows boot/logon autostart execution locations (T1547). Covers Run keys, RunOnce, Winlogon, LSA package registration, Print Monitor DLL paths, and Shell Folder redirections."
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    mitre_attack_technique = "T1547"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    $e.metadata.event_type = "REGISTRY_MODIFICATION"
    (
      re.regex($e.target.registry.registry_key, `(?i)\\CurrentVersion\\Run(Once(Ex)?|Services(Once)?)?\\`) or
      re.regex($e.target.registry.registry_key, `(?i)\\CurrentVersion\\Policies\\Explorer\\Run`) or
      re.regex($e.target.registry.registry_key, `(?i)\\CurrentVersion\\Winlogon`) or
      re.regex($e.target.registry.registry_key, `(?i)\\Active Setup\\Installed Components`) or
      re.regex($e.target.registry.registry_key, `(?i)\\Control\\Lsa\\(Authentication|Security) Packages`) or
      re.regex($e.target.registry.registry_key, `(?i)\\Control\\Print\\(Monitors|Environments)`) or
      re.regex($e.target.registry.registry_key, `(?i)\\Services\\W32Time\\TimeProviders`) or
      re.regex($e.target.registry.registry_key, `(?i)\\Explorer\\(User )?Shell Folders`)
    )

  condition:
    $e
}
high severity high confidence

Chronicle YARA-L 2.0 rule detecting REGISTRY_MODIFICATION events on Windows autostart execution registry key paths associated with T1547. Matches registry writes to Run keys, Winlogon entries, LSA packages, Print Monitors, W32Time providers, and Shell Folder redirections via UDM normalized registry telemetry.

Data Sources

Windows endpoint telemetry via Chronicle Forwarder (Sysmon or EDR)Google Chronicle UDM REGISTRY_MODIFICATION events

Required Tables

UDM events with metadata.event_type = REGISTRY_MODIFICATION

False Positives & Tuning

  • Scheduled system tasks and Windows components (e.g., Task Scheduler, Windows Defender) modify Winlogon-related keys during normal operation, particularly after cumulative updates
  • Application virtualisation platforms (App-V, VMware ThinApp) manipulate Shell Folder registry values as part of app launch sequencing, generating benign matches
  • Print server administrators deploying print monitor DLLs for enterprise printing solutions (Pharos, PaperCut) will write to Control\Print\Monitors during driver provisioning
Download portable Sigma rule (.yml)

Other platforms for T1547

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Add Registry Run Key for Persistence

    Expected signal: Sysmon Event ID 13: Registry value set on HKCU\Software\Microsoft\Windows\CurrentVersion\Run with value name 'df00tech-test'. DeviceRegistryEvents with ActionType 'RegistryValueSet'.

  2. Test 2Drop File in Startup Folder

    Expected signal: Sysmon Event ID 11: FileCreate in the Startup directory. DeviceFileEvents with ActionType 'FileCreated' in the Startup folder path.

  3. Test 3Modify Winlogon Shell Value

    Expected signal: Sysmon Event ID 13: Registry value set on Winlogon\Shell. DeviceRegistryEvents with RegistryKey containing 'Winlogon' and RegistryValueName 'Shell'.

Last updated: 2026-04-20 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1547 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (14)

Related Techniques

T1547.001Registry Run Keys / Startup FolderT1547.004Winlogon Helper DLLT1547.002Authentication PackageT1547.005Security Support ProviderT1547.014Active SetupT1037Boot or Logon Initialization ScriptsT1543Create or Modify System ProcessT1053.005Scheduled TaskT1574Hijack Execution FlowT1112Modify Registry

Same Tactic: Persistence

Popular Detections