title: Boot or Logon Autostart Execution (T1547)
id: df00tech-t1547
status: experimental
description: "Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon, including automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel. Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges."
references:
  - https://attack.mitre.org/techniques/T1547/
  - https://df00tech.com/detections/T1547
author: df00tech
date: 2026/04/20
tags:
  - attack.t1547
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Software installations that register legitimate autostart entries in Run keys
  - Windows Updates or Group Policy changes modifying Winlogon or Shell Folders registry keys
  - Print driver installations that add legitimate port monitors or print processors
  - "Enterprise IT tools (SCCM, Intune, GPO) deploying startup configurations"
level: high