title: Registry Run Keys / Startup Folder (T1547.001) id: df00tech-t1547-001 status: experimental description: "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the 'run keys' in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level. The following run keys are created by default on Windows systems: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run, HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce, HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run, and HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce. Additional persistence can be achieved through the Startup folder at C:\\Users\\[Username]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup and the system-wide C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp. The BootExecute value under Session Manager and the load value under HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows are also abusable." references: - https://attack.mitre.org/techniques/T1547/001/ - https://df00tech.com/detections/T1547.001 author: df00tech date: 2026/04/20 tags: - attack.t1547.001 # NOTE: logsource is auto-derived and may need adjustment for your environment logsource: product: windows detection: # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech. selection: EventID: '*' condition: selection falsepositives: - "Legitimate software installations that add Run key entries (antivirus, VPN clients, cloud sync tools like OneDrive, Dropbox)" - "Enterprise deployment tools (SCCM, Intune, PDQ Deploy) adding startup entries for managed software" - "User-installed utilities that register themselves for auto-start (Discord, Spotify, Steam)" - IT automation scripts that configure startup programs as part of endpoint provisioning level: high