title: Active Setup (T1547.014)
id: df00tech-t1547-014
status: experimental
description: "Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer. These programs will be executed under the context of the user and will have the account's associated permissions level. Adversaries may abuse Active Setup by creating a key under HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\ and setting a malicious value for StubPath. This value will serve as the program that will be executed when a user logs into the computer. Adversaries can abuse these components to execute malware, such as remote access tools, to maintain persistence through system reboots."
references:
  - https://attack.mitre.org/techniques/T1547/014/
  - https://df00tech.com/detections/T1547.014
author: df00tech
date: 2026/04/21
tags:
  - attack.t1547.014
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Software installations that use Active Setup to run first-use configuration commands (e.g., Microsoft Office, Visual Studio, .NET Framework adding per-user registry settings)"
  - "Windows component updates that modify existing Active Setup entries to update version numbers, triggering re-execution of StubPath commands"
  - Group Policy deployed applications that use Active Setup to ensure per-user installation on first logon to shared workstations/terminal servers
  - Antivirus or endpoint security products that register Active Setup entries for per-user agent configuration
level: high