Registry Run Keys / Startup Folder - T1547.001
(ATT&CK® Technique)
Definition
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
%% D3FEND inferred-relationship graph for ATT&CK T1547.001.
%% Three node kinds: the offensive technique (T1547001), the two digital
%% artifacts it may modify, and the defensive techniques that act on those
%% artifacts. Solid arrows are direct relations; dotted arrows are the
%% inferred defensive-technique -> offensive-technique relations.
graph LR;

%% Offensive technique -> artifacts it may modify
T1547001["Registry Run Keys / Startup Folder"] --> |may-modify| SystemConfigurationInitDatabaseRecord["System Configuration Init Database Record"];
T1547001 --> |may-modify| UserStartupScriptFile["User Startup Script File"];

%% Detection: defensive techniques that analyze the startup script file
FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | UserStartupScriptFile;
FileIntegrityMonitoring -.-> | may-detect | T1547001 ;

%% Eviction
FileEviction["File Eviction"] --> | deletes | UserStartupScriptFile;
FileEviction -.-> | may-evict | T1547001 ;

%% Deception
DecoyFile["Decoy File"] --> | spoofs | UserStartupScriptFile;
DecoyFile -.-> | may-deceive | T1547001 ;

%% Detection (continued)
DynamicAnalysis["Dynamic Analysis"] --> | analyzes | UserStartupScriptFile;
DynamicAnalysis -.-> | may-detect | T1547001 ;
EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | UserStartupScriptFile;
EmulatedFileAnalysis -.-> | may-detect | T1547001 ;

%% Hardening
FileEncryption["File Encryption"] --> | encrypts | UserStartupScriptFile;
FileEncryption -.-> | may-harden | T1547001 ;

%% Isolation: permissions and execution control on the startup script file
LocalFilePermissions["Local File Permissions"] --> | restricts | UserStartupScriptFile;
LocalFilePermissions -.-> | may-isolate | T1547001 ;
ExecutableDenylisting["Executable Denylisting"] --> | blocks | UserStartupScriptFile;
ExecutableDenylisting -.-> | may-isolate | T1547001 ;
ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | UserStartupScriptFile;
ExecutableAllowlisting -.-> | may-isolate | T1547001 ;

%% Restoration: file and configuration-record recovery
RestoreFile["Restore File"] --> | restores | UserStartupScriptFile;
RestoreFile -.-> | may-restore | T1547001 ;
RestoreConfiguration["Restore Configuration"] --> | restores | SystemConfigurationInitDatabaseRecord;
RestoreConfiguration -.-> | may-restore | T1547001 ;

%% Detection (continued): static file analysis and init-config analysis
FileAnalysis["File Analysis"] --> | analyzes | UserStartupScriptFile;
FileAnalysis -.-> | may-detect | T1547001 ;
SystemInitConfigAnalysis["System Init Config Analysis"] --> | analyzes | SystemConfigurationInitDatabaseRecord;
SystemInitConfigAnalysis -.-> | may-detect | T1547001 ;

%% Isolation (continued): remote file access mediation
RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | UserStartupScriptFile;
RemoteFileAccessMediation -.-> | may-isolate | T1547001 ;

%% Node styling classes (each assignment was repeated per edge in the
%% generated source; one assignment per node gives the same styling)
class T1547001 OffensiveTechniqueNode;
class SystemConfigurationInitDatabaseRecord ArtifactNode;
class UserStartupScriptFile ArtifactNode;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class FileEviction DefensiveTechniqueNode;
class DecoyFile DefensiveTechniqueNode;
class DynamicAnalysis DefensiveTechniqueNode;
class EmulatedFileAnalysis DefensiveTechniqueNode;
class FileEncryption DefensiveTechniqueNode;
class LocalFilePermissions DefensiveTechniqueNode;
class ExecutableDenylisting DefensiveTechniqueNode;
class ExecutableAllowlisting DefensiveTechniqueNode;
class RestoreFile DefensiveTechniqueNode;
class RestoreConfiguration DefensiveTechniqueNode;
class FileAnalysis DefensiveTechniqueNode;
class SystemInitConfigAnalysis DefensiveTechniqueNode;
class RemoteFileAccessMediation DefensiveTechniqueNode;

%% Click targets: one link per node, same hrefs as the generated source
click T1547001 href "/offensive-technique/attack/T1547.001/";
click SystemConfigurationInitDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationInitDatabaseRecord";
click UserStartupScriptFile href "/dao/artifact/d3f:UserStartupScriptFile";
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring";
click FileEviction href "/technique/d3f:FileEviction";
click DecoyFile href "/technique/d3f:DecoyFile";
click DynamicAnalysis href "/technique/d3f:DynamicAnalysis";
click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis";
click FileEncryption href "/technique/d3f:FileEncryption";
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting";
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting";
click RestoreFile href "/technique/d3f:RestoreFile";
click RestoreConfiguration href "/technique/d3f:RestoreConfiguration";
click FileAnalysis href "/technique/d3f:FileAnalysis";
click SystemInitConfigAnalysis href "/technique/d3f:SystemInitConfigAnalysis";
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";