DET0312 Detect Active Setup Persistence via StubPath Execution

Item	Value
ID	DET0312
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1547.014 (Active Setup)

Analytics

Windows

AN0871

Multi-event correlation of Registry creation under Active Setup with anomalous execution of processes at user logon. Behavioral patterns include creation/modification of HKLM Active Setup keys with non-standard StubPath values, followed by process execution from uncommon paths, unsigned binaries, or unusual parent-child lineage post-user login.

Log Sources

Data Component	Name	Channel
Logon Session Metadata (DC0088)	WinEventLog:Security	EventCode=4672
Process Creation (DC0032)	WinEventLog:Security	EventCode=4688
Windows Registry Key Modification (DC0063)	WinEventLog:Sysmon	EventCode=13, 14
Windows Registry Key Creation (DC0056)	WinEventLog:Sysmon	EventCode=12

Mutable Elements

Field	Description
TimeWindow	Correlate registry change and process execution within a specific user logon session (e.g., 5–10 minutes)
ParentProcessName	Expected parent processes for Active Setup launched binaries (e.g., explorer.exe). Deviations may indicate abuse.
StubPathValueEntropy	Degree of randomness/uncommonness in StubPath values. High entropy may indicate obfuscation.
SignedBinaryStatus	Flag if launched binary in StubPath is unsigned or uncommon for baseline
RegistryKeyOwner	Check which user/context added the Active Setup key to detect privilege abuse