
T1547.001 Registry Run Keys/Start Up Folder in MITRE ATT&CK Explained

Written by Sıla Özeren Hacıoğlu | Mar 21, 2026 6:45:00 AM

What Is T1547.001 Registry Run Keys/Startup Folder in MITRE ATT&CK?

T1547.001 Registry Run Keys/Startup Folder is a technique in the MITRE ATT&CK framework under the Persistence tactic. It refers to the use of Windows Registry Run Keys and the Startup Folder to automatically launch programs or scripts when the system boots or a user logs in.

The Registry Run Keys are specific locations within the Windows Registry that store references to programs or commands that execute automatically upon system start. Similarly, the Startup Folder in the file system holds shortcuts to programs that run when a user logs in. These mechanisms are typically used for legitimate purposes, but adversaries can manipulate them to maintain persistence, ensuring their malicious programs are automatically executed whenever the system reboots or a user logs in.

To read about other sub-techniques of the T1547 Boot Logon or Auto Start Execution technique, you can visit the related hub blog.

Adversary Use of T1547.001 Registry Run Keys/Startup

Adversaries use T1547.001 Registry Run Keys/Startup Folder to establish persistence on a compromised system. By modifying the Registry Run Keys or placing a malicious program in the Startup Folder, adversaries ensure that their malicious code is executed every time the system starts or a user logs in. This allows attackers to maintain a presence on the system, even after reboots or user logoffs.

Through these methods, adversaries can ensure that their malicious software automatically runs without the need for direct interaction, effectively evading detection and making it harder for defenders to remove the threat. By exploiting legitimate auto-start mechanisms, attackers can avoid triggering traditional security alerts, enabling them to persist within the environment and carry out further malicious activities.

Procedure Examples Used by Adversaries in Red Report 2026

Exploiting Registry Run Keys for Persistence

By adding entries to Run Keys, malicious actors can execute their payloads, ensuring their programs activate during user logins and inherit the user's permissions for enhanced access.

The primary run keys targeted are as follows:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

In addition to these, adversaries may abuse legacy entries such as HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx to load additional components, including DLLs, during the logon process. This key is not present by default on newer Windows systems, but where it exists it offers a less-watched avenue for persistence.

Real-world malware campaigns illustrate how threat actors weaponize these registry keys. For example, identified in October 2025 by Picus Security researchers [1], the CABINETRAT malware achieves persistence by adding a new value under the Windows Registry's Run key, which is configured to launch cmd.exe.

reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "New Value #1" /t REG_SZ /d "cmd.exe"

The command above reproduces the Registry autorun CABINETRAT creates for cmd.exe: adding a value under HKCU\...\CurrentVersion\Run is exactly the mechanism attackers use to persist a program across user logons. Each time the user logs in, a command prompt opens automatically, and the attacker keeps execution without manual intervention.
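As a defender-side complement to the Run key list above, the following PowerShell audit (an added example, not code from the article or from Picus Security) enumerates the HKCU and HKLM Run, RunOnce and RunOnceEx keys and flags values that warrant review. The flagging rules (interpreter binaries such as cmd.exe or powershell.exe as the autostart image, hidden or bypass arguments, images under user-writable directories, missing or invalid Authenticode signatures) are this example's own heuristics, and it assumes Windows PowerShell 5.1 or later running as a normal user.

```powershell
# Added example (not from the article): audit the Run/RunOnce/RunOnceEx autostart
# keys listed in the text and flag entries worth a closer look.
# Assumptions: Windows 10/11, PowerShell 5.1+, no elevation needed to read these keys.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'   # legacy key, often absent
)

# Interpreters that rarely belong in an autostart value by themselves (example heuristic)
$InterpreterImages = 'cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe',
                     'mshta.exe','rundll32.exe','regsvr32.exe'

function Get-AutorunImagePath {
    # Extract the executable from a command line such as
    #   "C:\Program Files\App\app.exe" --tray     or     cmd.exe /c something
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split '\s+')[0]
}

function Test-RunValueSuspicious {
    # Returns a list of reasons; an empty list means nothing stood out
    param([string]$ImagePath, [string]$CommandLine)
    $reasons = @()
    $leaf = [System.IO.Path]::GetFileName($ImagePath).ToLowerInvariant()
    if ($InterpreterImages -contains $leaf) { $reasons += "interpreter '$leaf' used as autostart image" }
    if ($CommandLine -match '(?i)-(enc|encodedcommand|ep\s+bypass|executionpolicy\s+bypass|windowstyle\s+hidden)') {
        $reasons += 'encoded, hidden or bypass PowerShell arguments'
    }
    if ($ImagePath -match '(?i)\\(AppData|Temp|Public|Downloads)\\') {
        $reasons += 'image under a user-writable directory'
    }
    # Resolve bare names like cmd.exe through PATH before checking the signature
    $resolved = (Get-Command $ImagePath -ErrorAction SilentlyContinue).Source
    if (-not $resolved) { $resolved = $ImagePath }
    if (Test-Path -LiteralPath $resolved) {
        $sig = Get-AuthenticodeSignature -FilePath $resolved
        if ($sig.Status -ne 'Valid') { $reasons += "signature status: $($sig.Status)" }
    } else {
        $reasons += 'image not found on disk'
    }
    return $reasons
}

function Get-RunKeyAudit {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $items = @(Get-Item -LiteralPath $key)
        # RunOnceEx stores its commands in numbered subkeys rather than directly on the key
        if ($key -like '*RunOnceEx') { $items += Get-ChildItem -LiteralPath $key }
        foreach ($item in $items) {
            foreach ($name in $item.GetValueNames()) {
                if ($name -eq '') { continue }   # skip the (Default) value
                $cmd     = [string]$item.GetValue($name)
                $image   = Get-AutorunImagePath $cmd
                $reasons = @(Test-RunValueSuspicious -ImagePath $image -CommandLine $cmd)
                [pscustomobject]@{
                    Key         = $item.Name
                    ValueName   = $name
                    CommandLine = $cmd
                    Image       = $image
                    Suspicious  = ($reasons.Count -gt 0)
                    Reasons     = ($reasons -join '; ')
                }
            }
        }
    }
}

# The CABINETRAT value from the text ("New Value #1" -> cmd.exe) would be reported
# with the reason "interpreter 'cmd.exe' used as autostart image".
Get-RunKeyAudit | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

The output is a snapshot, so the useful way to run it is on a schedule and diff the result against a stored baseline; a new value name or a changed command line is the event to investigate, and Sysmon Event ID 13 (registry value set) on the same key paths gives the real-time equivalent.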

Startup Folder Technique as a Vector for Persistence

The Startup Folder technique abuses a commonly overlooked Windows feature to maintain persistence: a malicious executable or shortcut is placed in a directory whose contents Windows launches automatically at user logon. The tactic works because Windows checks these locations as part of the logon process, so any file placed there is started without further action. The persistence gained this way is particularly useful for attackers because it keeps their access to the compromised system alive without requiring any user interaction.

Windows provides two Startup Folders, each with a different scope:

# Individual User Startup Folder
C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

# System-wide Startup Folder
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

The first, the Individual User Startup Folder at C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, applies only to that user's profile. The second, the System-wide Startup Folder at C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp, affects every user who logs in to the system. By placing a malicious file in either folder, attackers ensure that their payload is executed at each logon, and therefore after every reboot, giving them continuous access to the compromised system.

In a real-world example from September 2025, researchers revealed that attackers used a PowerShell script to install the AdaptixC2 beacon, which ensured its persistence by adding the malicious process to the Startup Folder [2].

# Excerpt of the loader's try/catch block as reported by Unit 42 [2]; the opening
# "try {" and the variable $l (the loader script content) precede this fragment.
$p="$env:APPDATA\Microsoft\Windows\update.ps1"
$f="$env:TEMP\ldr.ps1"
Set-Content -Path $f -Value $l -Encoding UTF8
Copy-Item -Path $f -Destination $p -Force
$o=New-Object -ComObject WScript.Shell
$sLnk="$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\UserSync.lnk"
$sc=$o.CreateShortcut($sLnk)
$sc.TargetPath='powershell.exe'
$sc.Arguments='-WindowStyle Hidden -ExecutionPolicy Bypass -File "' +$p+'"'
$sc.Save()
Start-Process -WindowStyle Hidden "powershell.exe" "-ExecutionPolicy Bypass -File `"$f`""
}
catch {}

The PowerShell script performed the following sequence of actions to maintain persistence. It copied the loader to the user's AppData folder as update.ps1, then created a shortcut in the Startup Folder at $env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\UserSync.lnk. The shortcut pointed to PowerShell with arguments that run update.ps1 silently (-WindowStyle Hidden) and ignore the execution policy (-ExecutionPolicy Bypass). From the next logon onward, the shortcut relaunched the script automatically, so the beacon persisted across system restarts.
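To see what the Startup Folders on a host would launch at logon, the following PowerShell script (an added example, not code from the article or from Unit 42) walks both folders, resolves .lnk targets with the same WScript.Shell COM object the loader above used to create them, and flags the pattern seen in the AdaptixC2 case: a shortcut to a script interpreter with hidden or bypass arguments pointing at a script under a user-writable path. The flagging rules and the 7-day "recently created" window are this example's own assumptions.

```powershell
# Added example (not from the article): enumerate both Startup Folders described
# in the text, resolve shortcuts, and flag entries matching the loader pattern.
# Assumptions: Windows 10/11, PowerShell 5.1+, run as the user whose folder is inspected.

$StartupFolders = @(
    (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),   # individual user
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp')    # all users
)

$ScriptHosts = 'powershell.exe','pwsh.exe','cmd.exe','wscript.exe','cscript.exe','mshta.exe'

function Resolve-StartupItem {
    # A .lnk is resolved to its target and arguments; any other file type
    # (exe, bat, vbs, ps1 ...) is what the shell would launch directly.
    param([System.IO.FileInfo]$File)
    $shell = New-Object -ComObject WScript.Shell
    try {
        if ($File.Extension -ieq '.lnk') {
            $lnk = $shell.CreateShortcut($File.FullName)
            return [pscustomobject]@{ Target = [string]$lnk.TargetPath; Arguments = [string]$lnk.Arguments }
        }
        return [pscustomobject]@{ Target = $File.FullName; Arguments = '' }
    } finally {
        [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($shell)
    }
}

function Get-StartupFolderAudit {
    foreach ($folder in $StartupFolders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        $files = Get-ChildItem -LiteralPath $folder -File -Force | Where-Object Name -ne 'desktop.ini'
        foreach ($file in $files) {
            $resolved  = Resolve-StartupItem -File $file
            $target    = $resolved.Target
            $arguments = $resolved.Arguments
            $reasons   = @()
            $leaf = [System.IO.Path]::GetFileName($target).ToLowerInvariant()
            if ($ScriptHosts -contains $leaf) { $reasons += "launches script host $leaf" }
            if ($arguments -match '(?i)-(windowstyle\s+hidden|executionpolicy\s+bypass|ep\s+bypass|enc|encodedcommand|nop)') {
                $reasons += 'hidden, bypass or encoded arguments'
            }
            if (($target + ' ' + $arguments) -match '(?i)\\(AppData|Temp|Public|Downloads)\\') {
                $reasons += 'target or script under a user-writable path'
            }
            if ($file.CreationTime -gt (Get-Date).AddDays(-7)) { $reasons += 'created in the last 7 days' }
            [pscustomobject]@{
                Folder     = $folder
                File       = $file.Name
                Target     = $target
                Arguments  = $arguments
                Suspicious = ($reasons.Count -gt 0)
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

# UserSync.lnk from the text would be reported with all three content reasons:
# script host powershell.exe, hidden/bypass arguments, and a script under %APPDATA%.
Get-StartupFolderAudit | Format-Table -AutoSize
```

Because a shortcut's target is only metadata, the audit reports what would run rather than what did; pairing it with file-creation monitoring on the two folder paths (Sysmon Event ID 11) turns the same rules into an alert at the moment the .lnk is dropped.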

Boot Execution as an Infiltration Method

In Windows, the BootExecute value under the following registry key is a multi-string (REG_MULTI_SZ) configuration value that the Windows Session Manager (smss.exe) processes very early in the boot sequence.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute

By default, its only entry is:

autocheck autochk *

This instructs Windows to run the file‑system integrity utility autochk.exe on any volume flagged as "dirty" after an improper shutdown. Because BootExecute is processed before the graphical shell and many user‑mode security controls are initialized, it provides a highly privileged code‑execution point during the system boot process.

Attackers can exploit this value by inserting additional commands, scripts, or executable paths into the multi‑string list. Unlike typical user‑logon persistence (e.g., Run keys or Startup Folder entries), malicious entries under BootExecute will run before logon and before many defensive products are fully operational, effectively giving the payload a chance to execute with elevated privileges at the earliest stage of OS initialization.

From a persistence standpoint, modifying BootExecute has several implications:

  • Execution occurs during system boot, not just at user logon, making it viable even if no user session is established.
  • Security products and endpoint controls that hook into user sessions may not yet be active, reducing detection coverage at the moment of execution.
  • The mechanism is legacy and largely overlooked by defensive baselines, as its primary documented purpose is file‑system health checking, not program execution.

Adversaries may couple this technique with masquerading to blend malicious entries with legitimate ones (e.g., using benign‑looking strings or command paths) so that the modified BootExecute multi‑string appears normal during cursory inspection. When attackers do this, remote access tools (RATs), backdoors, or other components can launch automatically on every reboot, long before typical logon persistence vectors are triggered.
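Because the documented default of BootExecute is the single entry shown above, the simplest control is a drift check: read the multi-string, compare it with the expected list, and report anything added, changed or removed. The script below is an added example (not code from the article) that does exactly that and includes an opt-in restore function; it assumes the default baseline is the one the text gives and that the restore step is run from an elevated prompt.

```powershell
# Added example (not from the article): detect drift in the Session Manager
# BootExecute multi-string against the default entry quoted in the text, and
# restore the default when explicitly asked to.
# Assumptions: Windows 10/11, PowerShell 5.1+; reading needs no elevation, writing does.

$SessionManagerKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$BootExecuteDefault = @('autocheck autochk *')

function Get-BootExecuteDrift {
    param([string[]]$Baseline = $BootExecuteDefault)
    $item   = Get-Item -LiteralPath $SessionManagerKey
    $result = @()
    if ($item.GetValueNames() -notcontains 'BootExecute') {
        # The value itself being gone is also drift: autochk would no longer run at boot
        foreach ($b in $Baseline) { $result += [pscustomobject]@{ Entry = $b; Status = 'Missing' } }
        return [pscustomobject]@{ ValueKind = 'None'; Entries = $result; Drift = $true }
    }
    # REG_MULTI_SZ reads back as string[]; a different kind means the type was altered
    $kind    = $item.GetValueKind('BootExecute')
    $entries = @($item.GetValue('BootExecute'))
    foreach ($e in $entries) {
        $status = if ($Baseline -contains $e) { 'Expected' } else { 'Unexpected' }
        $result += [pscustomobject]@{ Entry = $e; Status = $status }
    }
    foreach ($b in $Baseline) {
        if ($entries -notcontains $b) { $result += [pscustomobject]@{ Entry = $b; Status = 'Missing' } }
    }
    $drift = ($kind -ne 'MultiString') -or (@($result | Where-Object Status -ne 'Expected').Count -gt 0)
    [pscustomobject]@{ ValueKind = $kind; Entries = $result; Drift = $drift }
}

function Restore-BootExecuteDefault {
    # Writes the default back; supports -WhatIf / -Confirm and requires elevation.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($SessionManagerKey, 'Reset BootExecute to "autocheck autochk *"')) {
        Set-ItemProperty -LiteralPath $SessionManagerKey -Name 'BootExecute' `
                         -Value $BootExecuteDefault -Type MultiString
    }
}

$report = Get-BootExecuteDrift
$report.Entries | Format-Table -AutoSize
if ($report.Drift) {
    Write-Warning "BootExecute differs from the default (kind: $($report.ValueKind)); review before restoring."
    # Restore-BootExecuteDefault -WhatIf   # preview the reset; drop -WhatIf to apply
}
```

A masqueraded entry (the "benign-looking strings" the text mentions) still shows up as Unexpected here, because the comparison is an exact string match against the baseline rather than a judgement about what the entry looks like; the check therefore catches the addition itself, and the analyst decides whether the extra entry is legitimate before restoring.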


References

[1] S. Ö. Hacıoğlu, “CABINETRAT Malware Windows Targeted Campaign Explained,” Oct. 19, 2025. Available: https://www.picussecurity.com/resource/blog/cabinetrat-malware-windows-targeted-campaign-explained. [Accessed: Nov. 03, 2025]

[2] O. Lahiani and I. Cohen, “AdaptixC2: A New Open-Source Framework Leveraged in Real-World Attacks,” Unit 42, Sep. 10, 2025. Available: https://unit42.paloaltonetworks.com/adaptixc2-post-exploitation-framework/. [Accessed: Dec. 11, 2025]