Technique: T1547 | Tactic: Persistence | Difficulty: Medium

Boot or Logon Autostart Execution

Boot or Logon Autostart Execution (T1547) is a MITRE ATT&CK technique in the Persistence tactic. SOC analysts detect it by monitoring XDR and SIEM events for behavioral anomalies and for the specific indicators described in this detection guide. Practice detection in SOCSimulator Operations.


What is Boot or Logon Autostart Execution?

Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon. These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel. Common autostart locations on Windows include the Run and RunOnce registry keys, Startup folder locations, services configured to start automatically, and the Winlogon registry key. On Linux and macOS, init scripts, systemd units, and launch agents provide similar functionality. Understanding these autostart mechanisms is essential for security analysts who need to identify malicious persistence during incident response investigations.

Boot or Logon Autostart Execution is documented as technique T1547 in the MITRE ATT&CK knowledge base under the Persistence tactic. Detection requires visibility into XDR and SIEM telemetry.

Detection Strategies

The following detection strategies help SOC analysts identify Boot or Logon Autostart Execution activity. These methods apply across XDR and SIEM environments and can be implemented as detection rules, correlation queries, or behavioral analytics in your security platform.

  1. Monitor Windows Registry modifications to HKLM and HKCU Run and RunOnce keys, alerting on new entries pointing to executables in user-writable locations or using obfuscated command line arguments.

  2. Track file creation events in Windows Startup folder locations for all users, including AllUsers and per-user startup folders, which are commonly used for persistence by malware that does not require administrative privileges.

  3. Monitor service creation and modification events, focusing on services created outside of standard software installation processes or services pointing to executables in non-standard locations.

  4. Implement file integrity monitoring on autostart script locations on Linux systems including /etc/init.d/, systemd unit directories, and user-specific .bashrc and .profile files that execute on login.

  5. Correlate autostart location modifications with the process that made the change and the user context, as legitimate applications typically modify these locations only during installation with elevated privileges.
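As an added example that is not part of this page or of SOCSimulator's own tooling, the following Python applies strategies 1 and 5 to a few constructed Sysmon-style "registry value set" records (the field names, paths and values are made up for illustration): it flags Run/RunOnce writes whose target sits in a user-writable path, whose value carries an encoded command line, or that were made by a scripting host outside an elevated installer context.

```python
import re

# Constructed Sysmon-style "registry value set" records. Field names and values are
# made up for this example; real telemetry will name fields differently.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "elevated": False,
     "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"%AppData%\Microsoft\Windows\svchost32.exe"},
    {"image": r"C:\Windows\System32\msiexec.exe", "elevated": True,
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "details": r'"C:\Program Files\Vendor\agent.exe" --tray'},
    {"image": r"C:\Windows\System32\cmd.exe", "elevated": False,
     "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Persist",
     "details": r"powershell.exe -nop -w hidden -enc <base64-blob>"},
]

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\", re.I)
# Locations a standard user can write to; an autostart target here deserves scrutiny.
USER_WRITABLE_RE = re.compile(r"^(?:%AppData%|%LocalAppData%|%Temp%|C:\\Users\\|C:\\ProgramData\\)", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENCODED_RE = re.compile(r"[-/](?:e|ec|enc|encodedcommand)\s", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "reg.exe"}
INSTALLERS = {"msiexec.exe", "setup.exe"}  # assumed allow-list; tune per environment

def extract_target(value_data):
    """Return the program path from a Run-key value, dropping quotes and arguments."""
    s = value_data.strip()
    if s.startswith('"'):
        return s[1:s.find('"', 1)]
    return s.split(" ", 1)[0]

def score_event(ev):
    """Return the reasons a registry event looks like suspicious T1547 activity ([] if none)."""
    reasons = []
    if not RUN_KEY_RE.search(ev["target_object"]):
        return reasons  # not an autostart key; out of scope for this rule
    if USER_WRITABLE_RE.match(extract_target(ev["details"])):
        reasons.append("autostart target in user-writable location")
    if ENCODED_RE.search(ev["details"]):
        reasons.append("encoded command line in autostart value")
    proc = ev["image"].rsplit("\\", 1)[-1].lower()
    if proc in SCRIPT_HOSTS:
        reasons.append("autostart written by scripting host " + proc)
    if proc not in INSTALLERS and not ev["elevated"]:
        reasons.append("written outside an elevated installer context")
    return reasons

def detect(events):
    """Run the rule over a batch; return (key, reasons) for each event that fired."""
    return [(ev["target_object"], score_event(ev)) for ev in events if score_event(ev)]
```

The installer allow-list and the user-writable path set are the two knobs that drive false positives; the elevated-installer write in the sample produces no reasons, while the two user-context writes each produce three.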

Example Alerts

These realistic alert examples show what Boot or Logon Autostart Execution looks like in your security tools. Use them to tune detection rules and train analysts to recognize true positives versus false positives in live environments.

Severity: High | Source: XDR

Malicious Registry Run Key Added

Registry modification detected adding a new value to HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The entry points to a file in %AppData%\Roaming\Microsoft\Windows named svchost32.exe, which is not a legitimate Windows system file. The file was created 3 minutes prior by a PowerShell process with encoded command line arguments.

Severity: Medium | Source: XDR

Suspicious File Added to Startup Folder

File creation detected in C:\Users\Public\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The file is a JavaScript file disguised with a PDF icon. Upon execution it connects to a remote server and downloads additional payloads. The file was created by an Office process following macro execution in a received document.

Severity: Critical | Source: SIEM

New Malicious Service Registered

New Windows service registered with display name "Windows Security Health Monitor" using sc.exe. The service executable resides in C:\ProgramData\Microsoft\Temp and is not digitally signed. The service is configured for automatic startup and runs as SYSTEM. Hash of the executable matches a known remote access trojan in threat intelligence databases.

Practice Detecting Boot or Logon Autostart Execution

SOCSimulator provides hands-on training rooms where you investigate real-world attack scenarios including Boot or Logon Autostart Execution. Build detection skills with zero consequences — free forever.

12,000+ analysts trained
No credit card required

Frequently Asked Questions

How do SOC analysts detect Boot or Logon Autostart Execution?
SOC analysts detect Boot or Logon Autostart Execution (T1547) by monitoring XDR and SIEM telemetry for behavioral anomalies and specific indicators. Key detection methods include monitoring Windows Registry modifications to HKLM and HKCU Run and RunOnce keys, alerting on new entries pointing to executables in user-writable locations. SOCSimulator provides hands-on practice detecting this technique with realistic alerts.
What security tools are used to detect Boot or Logon Autostart Execution?
Boot or Logon Autostart Execution can be detected using XDR and SIEM platforms. XDR tools are particularly effective for this technique because they provide visibility into the persistence phase of the attack chain. SOCSimulator simulates all three tool types for hands-on training.
How common is Boot or Logon Autostart Execution in real-world attacks?
Boot or Logon Autostart Execution is a well-documented MITRE ATT&CK technique in the Persistence tactic. It appears in threat intelligence reports from multiple security vendors and has been observed in campaigns by various threat actor groups. SOCSimulator includes realistic Boot or Logon Autostart Execution scenarios based on documented attack patterns, helping analysts build detection intuition.
Can I practice detecting Boot or Logon Autostart Execution for free?
Yes. SOCSimulator offers free forever access to training scenarios, including Persistence techniques like Boot or Logon Autostart Execution. You can investigate realistic alerts in guided Operations rooms, build detection skills with SIEM, XDR, and Firewall interfaces, and test yourself under pressure in Shift Mode. No credit card required.