T1547 Boot or Logon Autostart Execution Technique Explained

What Is T1059 Boot or Logon Autostart Execution in MITRE ATT&CK?

T1059 Boot or Logon Autostart Execution is a technique in the MITRE ATT&CK framework under the Persistence tactic. It refers to adversaries using system mechanisms to automatically execute programs or scripts at system boot or user logon. This technique allows attackers to maintain persistence by ensuring that malicious programs or scripts are triggered whenever the system is started or a user logs into the system.

Adversaries commonly abuse registry keys, startup folders, or other system configurations to achieve autostart execution. This method can be used to execute malicious code, deploy additional payloads, or ensure that attackers retain access after system restarts or user logins.

What Is Boot Logon and Auto Start Execution?

Boot Logon and Auto Start Execution are integral components of modern computing systems, functioning to streamline and manage the initiation of processes and applications during the startup phase of a computer and upon user login.

Boot Logon

Boot Logon encompasses the series of actions and procedures triggered when a computer is powered on and begins loading the operating system. This phase is crucial for setting up the computer's environment, involving the loading of

• the system's basic input/output system (BIOS),
• Unified Extensible Firmware Interface (UEFI),
• the initialization of hardware components, and
• the launching of essential operating system services.

The primary objective of Boot Logon is to ensure that the foundational elements of the system are correctly loaded and configured, providing a stable and operational platform for the user and any subsequent processes.

Auto Start Execution

Auto Start Execution, on the other hand, refers to the automatic launching of certain programs, scripts, or services either when a user logs into the system or under specific pre-set conditions. This feature enhances user convenience and system efficiency by ensuring that frequently used applications or essential system services, such as security software and system monitoring tools, are readily available without manual intervention. Auto Start Execution can be configured through various mechanisms within the operating system, including but not limited to specific registry keys in Windows environments, startup folders, or the creation of scheduled tasks.

Together, Boot Logon and Auto Start Execution form a critical part of the user experience and system functionality, enabling a seamless transition from system startup to operational readiness by automating the initiation of key processes and applications. While these features are designed with efficiency and user convenience in mind, they also demand careful management and oversight to prevent misuse, particularly in the context of unauthorized or malicious software seeking to exploit these mechanisms for persistence or unauthorized activities.

Adversary Use of T1547 Boot or Logon Autostart Execution

Adversaries can exploit Boot or Logon Autostart Execution mechanisms to achieve persistence, privilege escalation, and stealth in a compromised system. By leveraging these features, malicious actors can ensure their malware or tools are automatically executed whenever the system boots up or a user logs in. This can be particularly challenging to detect and remove, as the processes can embed themselves deeply within the system's normal operations.

Here are some common ways adversaries might use these mechanisms:

• Persistence: Malware can insert entries into places where Boot or Logon Autostart Execution is configured, such as the Windows Registry (e.g., Run, RunOnce keys), startup folders, or scheduled tasks. This ensures that the malware is launched every time the system starts or when a user logs in, maintaining the adversary's presence on the system.
• Privilege Escalation: Some autostart methods can be exploited to run code with higher privileges. For instance, if malware can write to an autostart location that is executed with administrative privileges, it can effectively escalate its privileges on the system.
• Stealth: By embedding themselves in normal boot or logon processes, malicious programs can operate under the guise of legitimate processes, making detection more difficult. This can be particularly effective if the malware mimics or replaces legitimate system files or services.
• Bypassing Security Software: Some malware targets autostart locations that are executed before certain security software, allowing the malware to run and potentially disable or evade detection by the security tools.
• Remote Control Execution: By ensuring their code is executed at startup or logon, adversaries can establish backdoors, enabling remote control over the system or allowing continuous surveillance and data exfiltration.
• Spreading and Lateral Movement: Some types of malware use autostart mechanisms to spread themselves across networks. For example, once they gain access to a system, they can add scripts or executables to autostart locations that will infect other systems on the network.

To defend against misuse of autostart features, it advised to restrict write access to these areas, use security software for detection, regularly audit autostart settings, and educate users about software risks.

Why T1547 Matters: Red Report 2026 Context

Adversaries increasingly abuse system startup and logon settings to ensure malicious programs execute automatically, allowing them to maintain persistence or escalate privileges on compromised systems. This is commonly achieved by exploiting operating system mechanisms such as startup directories or configuration repositories like the Windows Registry.

Ranked 9th in the Red Report 2025, this technique climbed to 7th in the Red Report 2026. Its third consecutive appearance in the top ten underscores its ongoing prevalence and reliability for attackers.

Sub-Techniques of T1547 Boot or Logon Autostart Execution Explained

The Boot or Logon Autostart Execution technique consists of 14 sub-techniques in MITRE ATT&CK v18.

This blog serves as a hub page for the T1547 Boot or Logon Autostart Execution technique within the MITRE ATT&CK framework. Each linked sub-technique page explains how the technique works, details adversary behavior, and includes real-world procedure examples observed in the wild, as documented in the Red Report.

• T1547.001 Registry Run Keys / Startup Folder in MITRE ATT&CK Explained
• T1547.002 Authentication Package in MITRE ATT&CK Explained
• T1547.003 Time Providers in MITRE ATT&CK Explained
• T1547.004 Winlogon Helper DLL in MITRE ATT&CK Explained
• T1547.005 Security Support Provider in MITRE ATT&CK Explained
• T1547.006 Kernel Modules and Extensions in MITRE ATT&CK Explained
• T1547.007 Re-opened Applications in MITRE ATT&CK Explained
• T1547.008 LSASS Driver in MITRE ATT&CK Explained
• T1547.009 Shortcut Modification in MITRE ATT&CK Explained
• T1547.010 Port Monitors in MITRE ATT&CK Explained
• T1547.012 Print Processors in MITRE ATT&CK Explained
• T1547.013 XDG Autostart Entries in MITRE ATT&CK Explained
• T1547.014 Active Setup in MITRE ATT&CK Explained
• T1547.015 Login Items in MITRE ATT&CK Explained

Validate Your Defenses Against the Red Report 2026 Threats