Active Setup Registry Autostart modification

Last updated on:

Rule name: Active Setup Registry Autostart modification

Rule type: Standard

Log sources: Sysmon, Windows

MITRE ATT&CK tags:
  Persistence: Boot or Logon Autostart Execution - Active Setup (T1547.014)
  Privilege Escalation: Boot or Logon Autostart Execution - Active Setup (T1547.014)

Severity: Attention

About the rule

Rule Type

Standard

Rule Description

Identifies modification of Active Setup registry entries, a persistence mechanism that executes payloads for users at logon.

Why this rule?

Active Setup registry modification is a stealthy persistence technique that ensures malicious code executes automatically for every user who logs onto a Windows system, making it ideal for malware that needs to affect all users, spread across user profiles, or maintain persistence even when new accounts are created. Unlike common autostart locations that only affect the current user or require administrator privileges at every boot, Active Setup executes once per user account with elevated privileges, making it particularly dangerous for credential stealers, information-gathering malware, and corporate espionage tools. This technique is rarely used by legitimate software and is strongly associated with advanced persistent threats (APTs), banking trojans, and sophisticated malware families that require comprehensive user-level persistence across enterprise environments.

Severity

Attention

Rule journey

Attack chain scenario

Persistence → Active Setup Modification → User Logon → Payload Execution.

Impact

Persistent malware execution at every user logon, potential privilege escalation.

Rule Requirement

Prerequisites

Enable registry auditing or Sysmon Event ID 13 (Registry value modification).

Criteria

Action1:
  actionname = "Registry Event"
  AND ( OBJECTNAME contains "Microsoft\Active Setup\Installed Components" )
  AND ( OBJECTNAME contains "Stubpath" OR OBJECTVALUENAME contains "Stubpath" )
select Action1.HOSTNAME, Action1.MESSAGE, Action1.PROCESSNAME, Action1.OBJECTNAME, Action1.OBJECTVALUENAME, Action1.ACCESSES, Action1.USERNAME, Action1.DOMAIN, Action1.PREVVAL, Action1.CHANGES, Action1.INFORMATION

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Persistence: Boot or Logon Autostart Execution - Active Setup (T1547.014)

Privilege Escalation: Boot or Logon Autostart Execution - Active Setup (T1547.014)

Future actions

Known False Positives

IT admins might perform this action legitimately (for example when deploying software); add filters as required for your environment.
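As an added example (not part of the rule's own query or the vendor's code), the following Python applies the Criteria above to normalised Sysmon Event ID 13 records and shows how an environment-specific allow-list, as suggested under Known False Positives, suppresses expected changes. The sample events, GUIDs, host names and the allowed_images parameter are constructed for illustration; matching is done case-insensitively here, so both "StubPath" and "Stubpath" hit.

```python
from typing import Dict, Iterable, List

# Key path fragment and value name from the rule's Criteria (compared in lower case).
ACTIVE_SETUP_PATH = "microsoft\\active setup\\installed components"
STUBPATH = "stubpath"

# Constructed Sysmon Event ID 13 (RegistryEvent, value set) records, already parsed
# into fields. Made-up samples, not telemetry from any real host.
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "WS01", "User": "CORP\\jdoe",
     "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{CONSTRUCTED-GUID-1}\\StubPath",
     "Details": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe /s"},
    {"EventID": 13, "Computer": "WS01", "User": "NT AUTHORITY\\SYSTEM",  # 32-bit view also matches
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components\\{CONSTRUCTED-GUID-2}\\StubPath",
     "Details": "C:\\Program Files (x86)\\Vendor\\setup.exe /configure"},
    {"EventID": 13, "Computer": "WS02", "User": "CORP\\asmith",  # same key, different value: no hit
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{CONSTRUCTED-GUID-3}\\Version",
     "Details": "1,0,0,1"},
    {"EventID": 13, "Computer": "WS02", "User": "CORP\\asmith",  # Run key: out of scope for this rule
     "Image": "C:\\Users\\asmith\\tool.exe",
     "TargetObject": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\tool",
     "Details": "C:\\Users\\asmith\\tool.exe"},
]

def matches_rule(event: Dict[str, object]) -> bool:
    """Mirror the Criteria: a registry value-set event on an Active Setup key where the
    object path or the value name contains StubPath."""
    if event.get("EventID") != 13:
        return False
    objectname = str(event.get("TargetObject", "")).lower()
    valuename = objectname.rsplit("\\", 1)[-1]  # Sysmon appends the value name to the key path
    return ACTIVE_SETUP_PATH in objectname and (STUBPATH in objectname or STUBPATH in valuename)

def run_rule(events: Iterable[Dict[str, object]], allowed_images: Iterable[str] = ()) -> List[Dict[str, str]]:
    """Return one alert per matching event, projecting the fields the rule selects.
    allowed_images is the environment-specific filter from Known False Positives
    (e.g. an approved packaging tool); it is an assumption, not part of the rule."""
    allowed = {i.lower() for i in allowed_images}
    alerts = []
    for ev in events:
        if not matches_rule(ev) or str(ev.get("Image", "")).lower() in allowed:
            continue
        target = str(ev["TargetObject"])
        alerts.append({"HOSTNAME": str(ev["Computer"]), "USERNAME": str(ev["User"]),
                       "PROCESSNAME": str(ev["Image"]), "OBJECTNAME": target,
                       "OBJECTVALUENAME": target.rsplit("\\", 1)[-1], "CHANGES": str(ev["Details"])})
    return alerts
```

Running run_rule(SAMPLE_EVENTS) yields two alerts (the Temp-path installer and the msiexec change); passing the msiexec path in allowed_images leaves only the first, which is the one worth an analyst's time.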

Next Steps

  1. Identification: Identify which credentials were stored in the registry.
  2. Analysis: Determine if this configuration was authorized or malicious.
  3. Response: Remove plaintext credentials from registry and rotate affected passwords.

Mitigation

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.