Skip to content

DET0274 Boot or Logon Autostart Execution Detection Strategy

Item Value
ID DET0274
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1547 (Boot or Logon Autostart Execution)

Analytics

Windows

AN0764

Correlation of registry key modification for Run/RunOnce with abnormal parent-child process relationships and outlier execution at user logon or system startup

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Security EventCode=4688
Windows Registry Key Modification (DC0063) WinEventLog:Sysmon EventCode=13, 14
Mutable Elements
Field Description
ParentProcessName Customize based on expected parent-child process lineage for autostarts
StartupRegistryPath May vary based on organization policy or installed software

Linux

AN0765

Correlates creation/modification of systemd service files or /etc/init.d scripts with outlier process behavior during boot

Log Sources
Data Component Name Channel
File Creation (DC0039) auditd:SYSCALL creat
File Modification (DC0061) auditd:SYSCALL write
Process Creation (DC0032) auditd:SYSCALL Execution of binaries located in /etc/init.d/ or systemd service paths
Mutable Elements
Field Description
FilePath Organizations may use different init systems or custom startup paths
UserContext Autostart scripts should run as root or system users; deviations are suspect

macOS

AN0766

Observes creation or modification of LaunchAgent/LaunchDaemon property list files combined with anomalous plist payload execution after user logon

Log Sources
Data Component Name Channel
Service Metadata (DC0041) macos:unifiedlog Observed loading of new LaunchAgent or LaunchDaemon plist
File Modification (DC0061) macos:unifiedlog write
Process Creation (DC0032) macos:unifiedlog Execution of binary listed in newly modified LaunchAgent plist
Mutable Elements
Field Description
PlistKey Organizations may use specific keys or additional payload parameters
TimeWindow Tunable based on expected delay between plist write and execution