T1547.014 Active Setup is a technique in the MITRE ATT&CK framework under the Persistence tactic. It refers to a Windows feature that automatically executes specific programs or scripts during user login, primarily used to configure user profiles upon the first login.
Active Setup allows for the execution of code tailored to each user profile, ensuring that necessary configuration steps are performed when a user logs into their system for the first time. This mechanism is often used for legitimate tasks such as setting up user-specific configurations or initializing user-related settings, but it can also be abused by adversaries for persistence.
To read about other sub-techniques of the T1547 Boot Logon or Auto Start Execution technique, you can visit the related hub blog.
Active Setup is a Windows mechanism originally designed to execute commands once per user account during their first login after software installation. Adversaries exploit this legitimate functionality to establish persistence by ensuring their malicious code executes automatically whenever any user logs into the compromised system.
The Active Setup mechanism operates through a specific registry location:
    HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
Each subkey under this path represents a component that should be executed during user login.
Within each component subkey, adversaries manipulate specific values, chiefly the StubPath command described below.
Basic Persistence Setup
In the basic persistence setup case, an adversary would create a new subkey with a GUID or legitimate-sounding name:
    HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{malicious-guid}
Then populate the StubPath value with their payload:
    StubPath = "C:\path\to\malware.exe"
Or execute commands directly:
    StubPath = "cmd.exe /c powershell.exe -WindowStyle Hidden -Command <encoded_payload>"
Execution Flow
When a user logs in, Windows checks Active Setup components in HKLM against a per-user tracking location:
    HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components\
If the component has no entry under HKCU, or the HKLM version is newer than the HKCU one, Windows executes the StubPath command and then records the component in the user's registry so that it is not executed again.
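A defender-side audit of the mechanism just described, as an added PowerShell example that is not part of the original post: it walks the HKLM components, applies the same missing-key / newer-Version rule Windows uses to decide what runs at the current user's next logon, and flags StubPath values that look unlike a normal installer stub. The suspicious-pattern list is an assumption to tune per environment.

```powershell
# Added example, not code from the original post: audit Active Setup components
# on this machine and report which ones would run at the current user's next
# logon, flagging StubPath values that look unlike a normal installer stub.
# Assumes Version values use the documented comma-separated "a,b,c,d" form.

$hklmPath = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$hkcuPath = 'HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components'

# Regex patterns that rarely appear in a legitimate StubPath (assumption: tune per environment)
$suspiciousPatterns = @(
    'powershell', 'cmd\.exe', 'mshta', 'wscript', 'rundll32', '-enc', 'Hidden',
    '\\Users\\', '\\Temp\\', '\\AppData\\', '\.(ps1|vbs|js|bat|hta)\b',
    '\\[^\\:]+:[^\\:]+$'   # colon inside the last path element: an NTFS alternate data stream
)

function Test-ActiveSetupNewer {
    # $true when the HKLM Version is newer than the HKCU Version, compared field by field
    param([string]$Machine, [string]$User)
    $m = $Machine -split ','; $u = $User -split ','
    for ($i = 0; $i -lt [Math]::Max($m.Count, $u.Count); $i++) {
        $mv = 0; $uv = 0
        if ($i -lt $m.Count) { [void][int]::TryParse($m[$i], [ref]$mv) }
        if ($i -lt $u.Count) { [void][int]::TryParse($u[$i], [ref]$uv) }
        if ($mv -ne $uv) { return ($mv -gt $uv) }
    }
    return $false
}

Get-ChildItem -Path $hklmPath | ForEach-Object {
    $name = $_.PSChildName
    $stub = [string]$_.GetValue('StubPath')
    if (-not $stub) { return }                         # nothing to execute, skip
    if ($_.GetValue('IsInstalled') -eq 0) { return }   # IsInstalled=0 disables the component
    $userKey = Join-Path $hkcuPath $name
    $userVer = [string](Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).Version
    # Same decision Windows makes at logon: no HKCU entry, or HKLM Version newer
    $willRun = (-not (Test-Path $userKey)) -or
               (Test-ActiveSetupNewer -Machine ([string]$_.GetValue('Version')) -User $userVer)
    $flags = $suspiciousPatterns | Where-Object { $stub -match $_ }
    [pscustomobject]@{
        Component     = $name
        StubPath      = $stub
        RunsNextLogon = $willRun
        Suspicious    = ($flags.Count -gt 0)
        Reasons       = ($flags -join '; ')
    }
} | Sort-Object -Property Suspicious, RunsNextLogon -Descending | Format-Table -AutoSize
```

Run it under the user account being audited, since the HKCU comparison is per user; a component that is both Suspicious and RunsNextLogon deserves immediate review.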
An example malware sample from December 2025 using this technique can be found here:
    SHA-256: 845d1e3825790109ec90c6c2ee6c2e95b971780448d2e18bd855c421de8de4fe
For example, in a malware sample analyzed in January 2024 within a sandbox environment, a malicious StubPath was observed pointing to [1]:
    C:\Program Files\Chromnius\Application\118.0.5951.0\Installer\chrmstp.exe
    SHA-256: 94587b41a0eb5e2c592976fa283b0bfc0ef2e2c5cec24bba298cda0eb67270de
Another example comes from the backdoor trojan Poisonivy, which uses this technique for persistence. Detected by Microsoft Defender Antivirus as Backdoor:Win32/Poisonivy.E, Poisonivy is known for its unauthorized remote access and control capabilities. It modifies the registry to ensure automatic execution:
    reg add "HKLM\Software\Microsoft\Active Setup\Installed Components\<CLSID>" /v "StubPath" /d "c:\windows:svvchost.exe" /f
This command adds a StubPath value pointing to c:\windows:svvchost.exe, a malicious executable. When a user logs in, this executable is automatically launched, allowing Poisonivy to maintain persistence and control over the machine. The trojan further hides its presence by injecting itself into processes like iexplore.exe, evading firewall detection and executing commands received from a remote server.
The Active Setup attack technique, characterized by the abuse of a built-in system feature, is difficult to mitigate through preventive controls alone. Because it relies on legitimate functionality and processes of the operating system, distinguishing normal use from malicious use is complex: blocking the mechanism outright would disrupt regular system operations, so a more nuanced approach based on detection and response is required.
[1] Joe Security LLC, “Automated Malware Analysis Report for Setup.exe - Generated by Joe Sandbox,” Joe Security LLC. Available: https://www.joesandbox.com/analysis/1372254/0/html. [Accessed: Dec. 16, 2024]