T1547: Boot or Logon Autostart Execution

T1547 spans two ATT&CK tactics simultaneously: Persistence and Privilege Escalation. By configuring autostart execution, an attacker ensures their malware survives reboots (persistence), and if the autostart mechanism executes with elevated privileges (such as an HKLM registry key that runs under SYSTEM context, or a kernel module that loads at boot), the attacker gains privilege escalation as a direct consequence of persistence — two tactical objectives from a single configuration change.

The technique is cross-platform by design. Windows offers the richest attack surface through its registry, startup folders, and authentication subsystems. Linux provides kernel module loading, XDG autostart entries, init scripts, and cron-based autostart. macOS uses property list (plist) files, kernel extensions, login items, and re-opened applications. Network devices have their own boot configurations that can be modified for persistence. Every operating system has mechanisms for automatic program execution at startup — and every one of them can be abused.

The challenge for defenders is that autostart mechanisms are designed to run programs automatically. Thousands of legitimate applications use registry Run keys, startup folders, and login items. The line between a legitimate autostart entry and a malicious one is not the mechanism itself but the program being started. This makes T1547 a technique that cannot be prevented through blocking — only through monitoring, baselining, and detecting deviations from the expected autostart configuration.

How Autostart Persistence Works

The fundamental pattern is consistent across all sub-techniques and platforms:

Step 1 — Identify an Autostart Location. The attacker identifies a location where the operating system or a system service will automatically execute programs. This could be a registry key, a directory, a configuration file, a kernel module loading path, or an authentication subsystem hook.

Step 2 — Write the Persistence Entry. The attacker creates or modifies an entry at that location, pointing it to their malicious payload. On Windows, this is typically reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "UpdateService" /d "C:\Users\Public\malware.exe". On Linux, it might be a .desktop file in ~/.config/autostart/. On macOS, a plist modification in ~/Library/LaunchAgents/.

Step 3 — Masquerade the Entry. Sophisticated attackers name their entries and executables to mimic legitimate software — "WindowsUpdateHelper", "AdobeUpdater", "ChromeSync" — so the persistence mechanism survives casual inspection by administrators reviewing autostart locations.

Step 4 — Automatic Execution. On the next boot or user logon, the operating system processes the autostart location and launches the attacker's program. The malware re-establishes C2 communication, re-injects into target processes, or resumes whatever operation it was performing before the system restarted. From the attacker's perspective, persistence is transparent — the compromised system "calls home" every time it starts, indefinitely.

Sub-Techniques

MITRE ATT&CK version 18 defines 14 sub-techniques under T1547, spanning Windows, Linux, macOS, and network devices. The following covers the sub-techniques observed with the highest frequency in real-world intrusions.

T1547.001 — Registry Run Keys / Startup Folder (Windows)

This is the single most common persistence sub-technique in the entire ATT&CK framework, used by 54 documented threat groups. Adversaries add entries to the Windows Registry Run keys or place files in startup folders to ensure execution on every user logon. The four default Run keys are HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKCU\...\RunOnce, HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and HKLM\...\RunOnce. HKCU keys execute under the logged-in user's context; HKLM keys execute for all users. RunOnce keys auto-delete after execution, providing single-use persistence useful for staged payload delivery.

Beyond the standard Run keys, attackers exploit less-monitored locations: RunServices, RunServicesOnce, Policies\Explorer\Run, the Load value in HKCU\...\Windows NT\CurrentVersion\Windows, the BootExecute value in Session Manager, and Shell Folders / User Shell Folders keys that redefine the startup folder path itself. The RunOnceEx key supports loading DLLs via a "Depend" value, which is stealthier than pointing to an executable. APT19, APT37, APT39, RTM, TA2541, Magic Hound, and dozens of other groups use this sub-technique routinely.

Startup folders (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup for per-user, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp for all users) provide an alternative file-based persistence path. FunnyDream malware uses both the startup folder and registry Run keys simultaneously for redundant persistence.

T1547.004 — Winlogon Helper DLL (Windows)

The Winlogon process handles user logon/logoff events and loads helper DLLs specified in the registry. Adversaries modify the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key — specifically the Userinit, Shell, and Notify values — to point to malicious DLLs that load every time a user logs in. Because Winlogon runs as SYSTEM, this provides both persistence and privilege escalation. Turla, APT28, and Gazer malware have used Winlogon helper DLL persistence.

T1547.002 — Authentication Package (Windows)

Windows authentication packages are DLLs loaded by the Local Security Authority (LSA) at system startup. By registering a malicious DLL as an authentication package in HKLM\SYSTEM\CurrentControlSet\Control\Lsa, an attacker ensures their code loads at boot with SYSTEM privileges. The Flame (sKyWIper) malware used this technique. A related sub-technique, T1547.005 Security Support Provider, abuses the SSP/AP interface to load malicious DLLs into lsass.exe.

T1547.006 — Kernel Modules and Extensions (Linux/macOS)

On Linux, Loadable Kernel Modules (LKMs) can be loaded into the kernel to extend functionality. Malicious LKMs provide kernel-level persistence and rootkit capabilities — the ability to hide processes, files, and network connections from userspace tools. The Russian GRU's Drovorub malware used a Linux kernel module for persistence and stealth. Skidmap cryptocurrency-mining malware installs LKMs to hide its resource consumption. Operation CuckooBees (Winnti/APT41) used kernel module persistence in targeted espionage. Adversaries configure automatic module loading via /etc/modules, /etc/modules-load.d/, or by modifying the initramfs. On macOS, kernel extensions (kexts) served a similar purpose, though Apple has been deprecating kexts in favor of System Extensions since macOS Catalina.

T1547.013 — XDG Autostart Entries (Linux)

On XDG-compliant Linux systems (the standard for desktop environments including GNOME and KDE), .desktop files in /etc/xdg/autostart/ (system-wide) or ~/.config/autostart/ (per-user) execute automatically when the desktop session loads. Unlike cron jobs or systemd services, XDG autostart entries run within the user's GUI session context, providing access to the display server for keylogging, screen capture, and GUI interaction. The Fysbis backdoor (attributed to APT28/Fancy Bear) uses XDG autostart as its primary persistence method when running without root privileges. RotaJakiro, Netwire RAT, CrossRAT, and Pupy all use this mechanism on Linux. Lazarus Group's Contagious Interview campaign used InvisibleFerret malware with XDG autostart persistence.

T1547.009 — Shortcut Modification (Windows)

Rather than creating new autostart entries, adversaries modify existing shortcut (.lnk) files in the startup folder or on the desktop to execute malicious code before or alongside the legitimate application. This is harder to detect because no new autostart entry is created — an existing one is modified. The Astaroth trojan and APT29 have used shortcut modification for persistence.

T1547.014 — Active Setup (Windows)

The Active Setup registry key (HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components) runs commands once per user on their first logon after the entry is created. It is designed for per-user component setup but is abused for persistence. Unlike Run keys, Active Setup entries do not appear in common autostart enumeration tools (such as msconfig) and execute before the desktop is fully loaded, making them stealthier.

Other Sub-Techniques

The remaining sub-techniques include T1547.003 Time Providers (abusing the Windows Time Service DLL loading), T1547.005 Security Support Provider (loading DLLs into LSASS), T1547.007 Re-opened Applications (macOS session restoration), T1547.008 LSASS Driver (loading malicious drivers into LSASS), T1547.010 Port Monitors (abusing the Windows Print Spooler), T1547.012 Print Processors (loading DLLs via the print subsystem), T1547.015 Login Items (macOS login item persistence), and the plist modification technique that allows adversaries to inject malicious code into macOS application launch configurations.

Real-World Case Studies

APT42 (Charming Kitten) — Multi-Layered Registry Persistence

APT42, the Iranian threat group focused on surveillance of dissidents, journalists, and policy researchers, has been documented using registry Run key persistence as a standard component of its operational toolkit. Mandiant's APT42 analysis documented the group creating Run key entries that point to scripts which download and execute second-stage payloads — combining T1547.001 persistence with T1105 ingress tool transfer in a single registry entry. The entry survives reboots, and the download mechanism ensures the payload is always current, even if the original binary is detected and removed.

Drovorub — GRU Kernel Module Persistence on Linux

In August 2020, the NSA and FBI jointly disclosed Drovorub, a previously undisclosed malware deployed by the Russian GRU's 85th GTsSS (Unit 26165, also known as Fancy Bear/APT28). Drovorub includes a Linux kernel module that provides rootkit capabilities: hiding files, directories, processes, and network connections from userspace diagnostic tools. The kernel module loads at boot via standard Linux module loading mechanisms, providing both persistence and stealth. The joint advisory emphasized that Linux systems running kernel versions 3.7 or later with UEFI Secure Boot enabled and module signing enforcement were protected, because unsigned kernel modules would be rejected at load time. This case demonstrated that kernel-level autostart persistence is not limited to theoretical attacks — it is operational tradecraft for state-sponsored actors.

Operation CuckooBees (Winnti/APT41) — Kernel Persistence in Espionage

Cybereason documented Operation CuckooBees, a multi-year espionage campaign by the Winnti group (linked to APT41), that used kernel module persistence on Linux servers to maintain long-term access to technology and manufacturing targets. The campaign combined LKM-based rootkit persistence with process injection and C2 over application layer protocols — a full operational chain where T1547.006 provided the survival mechanism that allowed all other techniques to continue operating across system restarts.

Lazarus Contagious Interview — XDG Autostart on Linux Developers

The Lazarus Group's Contagious Interview campaign, which lures developers through fake job interviews, deploys InvisibleFerret malware with XDG autostart persistence on Linux systems. The malware places a .desktop file in ~/.config/autostart/ within GNOME-based environments, ensuring the backdoor reactivates whenever the developer logs into their desktop session. Because the persistence runs in the GUI session context, the malware has access to the display server for screen capture and clipboard monitoring — capabilities critical for stealing cryptocurrency wallet credentials and development environment secrets.

Gamaredon — Shortcut and Registry Persistence at Scale

Gamaredon, Russia's most prolific threat group in terms of volume, uses T1547.001 across virtually every operation against Ukrainian targets. The group creates Run key entries and modifies shortcuts in startup folders to maintain persistence for Remcos backdoor and custom tools. The sheer volume of Gamaredon operations — thousands of targets across Ukrainian government, military, and civilian organizations — means T1547.001 is the persistence mechanism deployed at the largest scale of any current campaign.

Detection Strategies

Detecting autostart persistence requires monitoring the specific registry keys, directories, and configuration files that the operating system uses for automatic execution. The good news is that these locations are finite and well-documented. The challenge is baselining what is normal and alerting on deviations.

Key Event IDs and Telemetry Sources

Source	Event	Detection Value
Sysmon 13	Registry Value Set	Captures all registry value modifications. Filter for the Run, RunOnce, RunServices, Winlogon, and Lsa keys. This is the primary detection source for T1547.001, .002, .003, .004, .005, .008, .010, .012, and .014.
Sysmon 12	Registry Object Added/Deleted	Detects creation and deletion of registry keys (not just values). Useful for detecting the creation of new subkeys under autostart locations.
Sysmon 11	File Creation	Identifies files written to startup folders, XDG autostart directories, and macOS LaunchAgent paths. Critical for T1547.001 (file-based) and T1547.013.
Win 4657	Registry Value Modified	Windows Security log equivalent of Sysmon 13. Requires Object Access auditing enabled on target registry keys via SACL configuration.
Win 4663	File System Object Accessed	With Audit File System enabled and SACL on startup directories, captures file write operations including full path, process, and user context.
Linux auditd	File writes + module loads	Audit rules for /etc/modules-load.d/, ~/.config/autostart/, /etc/xdg/autostart/, and insmod/modprobe execution capture kernel module and XDG autostart persistence.

SIEM Detection Queries

Registry Run Key Modification (Splunk) — detects new or modified values in the most commonly abused autostart registry locations:

| Registry Run key persistence detection
index=sysmon EventCode=13
    (TargetObject="*\\CurrentVersion\\Run\\*"
     OR TargetObject="*\\CurrentVersion\\RunOnce\\*"
     OR TargetObject="*\\CurrentVersion\\RunServices\\*"
     OR TargetObject="*\\Winlogon\\Userinit*"
     OR TargetObject="*\\Winlogon\\Shell*"
     OR TargetObject="*\\CurrentVersion\\Explorer\\User Shell Folders*"
     OR TargetObject="*\\Active Setup\\Installed Components*"
     OR TargetObject="*\\Control\\Lsa\\Authentication Packages*"
     OR TargetObject="*\\Control\\Lsa\\Security Packages*")
| where NOT match(Image,
    "(?i)(msiexec|setup|install|update|TrustedInstaller)")
| stats count values(TargetObject) as keys values(Details) as values
        by src_ip Image user
| sort -count

Startup Folder File Creation (Splunk) — detects files written to Windows startup directories or Linux XDG autostart paths:

| Startup folder and XDG autostart file creation
index=sysmon EventCode=11
    (TargetFilename="*\\Start Menu\\Programs\\Startup\\*"
     OR TargetFilename="*\\Start Menu\\Programs\\StartUp\\*"
     OR TargetFilename="*/.config/autostart/*"
     OR TargetFilename="*/etc/xdg/autostart/*")
| stats count earliest(_time) as first_seen
        values(TargetFilename) as files by src_ip Image user
| sort -count

Linux Kernel Module Loading (Splunk) — detects kernel module insertion which may indicate rootkit or persistent backdoor installation:

| Linux kernel module loading detection
index=linux sourcetype=auditd
    (syscall="init_module" OR syscall="finit_module"
     OR exe="*/insmod" OR exe="*/modprobe")
| stats count values(key) as modules values(exe) as tools
        by src_ip auid
| where count > 0
| sort -count

Known Threat Actors

Threat Actor	Attribution	T1547 Usage
APT28 (Fancy Bear)	Russia (GRU)	Drovorub kernel module persistence on Linux. XDG autostart via Fysbis backdoor. Registry Run keys across Windows operations.
APT41 (Winnti)	China	Kernel module rootkit persistence in Operation CuckooBees. Registry Run keys for ShadowPad and Cobalt Strike payloads.
APT42 (Charming Kitten)	Iran	Registry Run keys with download-and-execute entries for surveillance malware targeting dissidents and journalists.
APT37 (Reaper)	North Korea	Registry Run keys for multiple malware families including custom RATs targeting South Korean organizations.
Lazarus Group	North Korea	XDG autostart via InvisibleFerret in Contagious Interview campaign. Registry persistence across Windows operations.
Gamaredon	Russia	Mass-scale Run key and startup folder persistence for Remcos backdoor across Ukrainian government targets.
Turla	Russia (FSB)	Winlogon Helper DLL persistence. Gazer backdoor using registry Run keys and scheduled tasks for redundant persistence.
APT39 (Chafer)	Iran	Startup folder placement for persistence in operations targeting telecommunications and travel sectors.
Magic Hound (APT35)	Iran	Registry Run keys for persistent access in campaigns targeting U.S. and Middle Eastern organizations.
RTM	Russia	Registry Run keys for both the RTM banking Trojan and modified TeamViewer for remote access persistence.

Beyond state-sponsored actors, T1547 (particularly .001) is standard in virtually every commodity malware family (Agent Tesla, Remcos, NjRAT, AsyncRAT, RedLine), ransomware toolkit (as part of pre-encryption persistence), and post-exploitation framework (Cobalt Strike, Sliver, Metasploit). If malware needs to survive a reboot, one or more T1547 sub-techniques are the first choice.

Defensive Recommendations

1. Deploy Sysmon with registry and file monitoring: Configure Sysmon to capture Event IDs 11 (file creation), 12 (registry key creation/deletion), and 13 (registry value modification) with rules targeting all known autostart registry paths and startup directories. This provides the foundational telemetry for all Windows T1547 detection. Without Sysmon or equivalent EDR telemetry, autostart persistence is invisible.
2. Implement scheduled Autoruns baselining: Use Sysinternals autorunsc.exe -a * -c -h -s -nobanner to export a complete autostart inventory weekly. Compare each export against the previous baseline to identify new, modified, or deleted entries. Automate this comparison and alert on unexpected changes. This single control covers all 14 sub-techniques on Windows simultaneously.
3. Enable LSA protection: Configure HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL = 1 to protect the LSASS process with Protected Process Light (PPL). This prevents unauthorized DLLs from being loaded into LSASS, mitigating T1547.002 (Authentication Package), T1547.005 (Security Support Provider), and T1547.008 (LSASS Driver) simultaneously.
4. Enforce kernel module signing on Linux: Enable UEFI Secure Boot and configure module signing enforcement (CONFIG_MODULE_SIG_FORCE=y) to prevent unsigned kernel modules from loading. This is the primary defense against T1547.006 (Kernel Modules) and was specifically recommended in the NSA/FBI Drovorub advisory. On systems where Secure Boot cannot be enabled, audit module loading with auditd rules for the init_module and finit_module syscalls.
5. Restrict write access to autostart locations: Use file system ACLs and registry ACLs to restrict which users and processes can modify autostart locations. Standard users should not have write access to HKLM Run keys, the all-users startup folder, /etc/xdg/autostart/, or /etc/modules-load.d/. This does not prevent persistence by administrators or SYSTEM-level attackers, but it blocks standard-user-context malware.
6. Monitor macOS login items and LaunchAgents: Audit file creation in ~/Library/LaunchAgents/, /Library/LaunchAgents/, /Library/LaunchDaemons/, and ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm. macOS endpoints require dedicated monitoring because Sysmon for macOS has limited registry equivalents. Use endpoint security frameworks (Jamf, Kandji, or osquery) for persistent monitoring.
7. Audit XDG autostart directories on Linux endpoints: Monitor ~/.config/autostart/ and /etc/xdg/autostart/ for new or modified .desktop files. Linux desktop endpoints (developer workstations) are increasingly targeted by campaigns like Contagious Interview. Use auditd or inotify-based monitoring for these directories.
8. Validate defenses through simulation: Atomic Red Team provides 20+ tests for T1547.001 alone, covering reg add, PowerShell, VBScript, JSE, and RunOnceEx persistence methods. Run these tests and verify that your Sysmon rules, SIEM queries, and EDR detections fire correctly. Expand testing to T1547.006 (kernel module) and T1547.013 (XDG autostart) for Linux environments.

MITRE ATT&CK Mapping

Field	Value
Technique ID	T1547
Technique Name	Boot or Logon Autostart Execution
Tactics	Persistence, Privilege Escalation
Platforms	Windows, Linux, macOS, Network Devices
Sub-Techniques	T1547.001 Registry Run Keys / Startup Folder, .002 Authentication Package, .003 Time Providers, .004 Winlogon Helper DLL, .005 Security Support Provider, .006 Kernel Modules and Extensions, .007 Re-opened Applications, .008 LSASS Driver, .009 Shortcut Modification, .010 Port Monitors, .012 Print Processors, .013 XDG Autostart Entries, .014 Active Setup, .015 Login Items
Data Sources	Command (Execution), Driver (Load), File (Creation, Modification), Kernel (Load), Module (Load), Process (Creation, OS API Execution), Windows Registry (Key Creation, Modification)
MITRE Reference	attack.mitre.org/techniques/T1547

Sources and References

• MITRE ATT&CK — T1547 Boot or Logon Autostart Execution: attack.mitre.org
• Picus Security — Red Report 2026 and T1547 Technique Explained: picussecurity.com
• Nextron Systems — Detecting T1547.001 Registry Run Keys / Startup Folder (July 2025): nextron-systems.com
• NSA/FBI — Russian GRU Deploys Drovorub Malware (August 2020): media.defense.gov
• Cybereason — Operation CuckooBees (May 2022): cybereason.com
• Atomic Red Team — T1547.001 Tests: atomicredteam.io