Skip to content

T1547.014 Active Setup

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.4 These programs will be executed under the context of the user and will have the account’s associated permissions level.

Adversaries may abuse Active Setup by creating a key under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\ and setting a malicious value for StubPath. This value will serve as the program that will be executed when a user logs into the computer.27315

Adversaries can abuse these components to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.

Item Value
ID T1547.014
Sub-techniques T1547.001, T1547.002, T1547.003, T1547.004, T1547.005, T1547.006, T1547.007, T1547.008, T1547.009, T1547.010, T1547.012, T1547.013, T1547.014, T1547.015
Tactics TA0003, TA0004
Platforms Windows
Permissions required Administrator
Version 1.0
Created 18 December 2020
Last Modified 22 March 2023

Procedure Examples

ID Name Description
S0012 PoisonIvy PoisonIvy creates a Registry key in the Active Setup pointing to a malicious executable.859


ID Data Source Data Component
DS0017 Command Command Execution
DS0009 Process Process Creation
DS0024 Windows Registry Windows Registry Key Creation