
DET0365 Detect Registry and Startup Folder Persistence (Windows)

| Item | Value |
| --- | --- |
| ID | DET0365 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1547.001 (Registry Run Keys / Startup Folder)

Analytics

Windows

AN1032

Correlation of registry key creation/modification events under known Run/Startup keys with new or unusual binary paths or script-based payloads. Multi-event detection includes a registry modification followed by process execution from a non-standard directory, or by an abnormal parent-child process relationship.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Process Creation | DC0032 | WinEventLog:Sysmon EventCode=1 |
| Windows Registry Key Modification | DC0063 | WinEventLog:Sysmon EventCode=13, 14 |
| File Creation | DC0039 | WinEventLog:Microsoft-Windows-Shell-Core (new startup folder shortcut or binary placed in the Startup directory) |

Mutable Elements

| Field | Description |
| --- | --- |
| ImagePath | Full path of the binary/script being registered in Run keys. Tunable to exclude known software baselines. |
| RegistryKeyPath | Tunable list of startup-related registry keys to monitor more or less aggressively, based on enterprise software context. |
| TimeWindow | Correlate registry key creation and process execution within this window. Default: 5–10 minutes. |
| UserContext | Filter for specific user SIDs, or exclude known admin/script accounts. |
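The following is an added illustration of the AN1032 correlation and its tunables, not code from the ATT&CK project: it pairs Sysmon EventCode 13 Run-key writes with EventCode 1 process starts of the same image on the same host inside the TimeWindow, and flags images outside a baseline directory set. The Run-key list, baseline directories, 10-minute window and all sample events are constructed assumptions with Sysmon-style field names.

```python
import re
from datetime import datetime, timedelta

# RegistryKeyPath tunable: startup-related keys to watch (assumed list).
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)\\", re.I)
# ImagePath tunable (assumed): images registered outside these directories count as non-standard.
STANDARD_DIRS = (r"c:\program files", r"c:\windows")
WINDOW = timedelta(minutes=10)  # TimeWindow tunable (upper end of the page's default range)

def exe_path(details):
    """Extract the executable path from a Run value, which may be quoted and carry arguments."""
    details = details.strip()
    if details.startswith('"'):
        return details[1:details.find('"', 1)].lower()
    return details.split(" ")[0].lower()

def is_non_standard(path):
    return not path.lower().startswith(STANDARD_DIRS)

def correlate(events):
    """Pair each Run-key write (EventCode 13) with a later start (EventCode 1) of the same image."""
    alerts = []
    writes = [e for e in events if e["EventCode"] == 13 and RUN_KEY_RE.search(e["TargetObject"])]
    starts = [e for e in events if e["EventCode"] == 1]
    for w in writes:
        image = exe_path(w["Details"])
        for s in starts:
            delta = s["UtcTime"] - w["UtcTime"]  # process start must follow the registry write
            if (s["Computer"] == w["Computer"] and s["Image"].lower() == image
                    and timedelta(0) <= delta <= WINDOW):
                alerts.append({"host": w["Computer"], "user": w["User"], "key": w["TargetObject"],
                               "image": image, "non_standard_path": is_non_standard(image),
                               "parent": s["ParentImage"], "seconds": int(delta.total_seconds())})
    return alerts

def ts(s): return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")
# Constructed sample events (not real telemetry): one hit inside the window, one benign pair outside it.
SAMPLE_EVENTS = [
    {"EventCode": 13, "UtcTime": ts("2025-10-21 09:00:05"), "Computer": "WS01", "User": "CORP\\alice",
     "TargetObject": r"HKU\S-1-5-21-1-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r'"C:\Users\alice\AppData\Roaming\upd\svc.exe" --silent'},
    {"EventCode": 1, "UtcTime": ts("2025-10-21 09:02:40"), "Computer": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Users\alice\AppData\Roaming\upd\svc.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventCode": 13, "UtcTime": ts("2025-10-21 09:10:00"), "Computer": "WS02", "User": "CORP\\bob",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"EventCode": 1, "UtcTime": ts("2025-10-21 09:40:00"), "Computer": "WS02", "User": "CORP\\bob",
     "Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]
```

Running `correlate(SAMPLE_EVENTS)` yields one alert for WS01 (a user-profile path started 155 seconds after the key write); the WS02 pair is dropped because the start falls 30 minutes after the write and the image sits in a baseline directory.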