MITRE ATT&CK technique T1547, Boot or Logon Autostart Execution, is a persistence technique: it abuses the mechanisms that allow programs to start automatically when a computer boots or when a user logs in. Attackers use it so that their malware or unauthorized programs execute again after every restart without the need to re-establish access. They often modify registry keys, add scheduled tasks, or place malicious files in startup directories to achieve this persistence, which makes the threat difficult for organizations to detect and remove.
Picus continues:
Adversaries are increasingly leveraging system settings to automatically execute programs during system startup or user logon, enabling persistent control or privilege escalation on compromised systems. This approach often exploits operating system mechanisms, such as special directories or configuration repositories like the Windows Registry. Notably, in the Red Report 2025, this technique has once again been ranked among the top ten most frequently used methods.
This marks the second consecutive year it has appeared in the top ten, underscoring its continued prevalence and effectiveness.[1]
How T1547 Causes Problems for Organizations
This technique creates significant security risks for organizations in multiple ways. First, it allows attackers to maintain long-term access to a compromised system. Even if an organization removes a malware infection, an attacker using T1547 may still have a backdoor into the network, enabling further exploitation. Second, this persistence method can be used to reinfect systems. A piece of malware hidden in an autostart location can re-execute upon every reboot, causing continuous disruptions or data theft. Lastly, it can be leveraged for privilege escalation. If an attacker configures a malicious process to run with elevated privileges at startup, they can gain greater control over the system and potentially move laterally across the network, infecting additional machines.
This technique is multi-faceted; the full Red Report examines each of its sub-techniques in detail:
T1547.001 Registry Run Keys / Startup Folder
T1547.002 Authentication Package
T1547.003 Time Providers
T1547.004 Winlogon Helper DLL
T1547.005 Security Support Provider
T1547.006 Kernel Modules and Extensions
T1547.007 Re-opened Applications
T1547.008 LSASS Driver
T1547.009 Shortcut Modification
T1547.010 Port Monitors
T1547.012 Print Processors
T1547.013 XDG Autostart Entries
T1547.014 Active Setup
T1547.015 Login Items
Real-World Example of T1547 in Action
One of the most well-known instances of this technique being used in the wild occurred with the TrickBot malware. TrickBot, a banking trojan that evolved into a sophisticated malware-as-a-service platform, leveraged registry run keys and scheduled tasks to ensure it remained active on infected machines. Even when security teams attempted to remove the malware, its persistence mechanisms brought it back upon reboot. This made TrickBot particularly difficult to eradicate, allowing attackers to continue stealing sensitive financial data and enabling further infections with ransomware like Ryuk.
Strengthening Defenses Against T1547
Organizations can take several steps to mitigate the risk of this persistence technique. One effective strategy is to monitor and restrict changes to registry keys, scheduled tasks, and startup folders. Implementing endpoint detection and response (EDR) solutions can help identify unusual modifications to these areas and flag potential threats before they become persistent. Another crucial defense is to enforce the principle of least privilege (PoLP). By limiting administrative access, organizations can reduce the chances of an attacker modifying startup settings. Additionally, implementing application whitelisting ensures that only approved programs can run at startup, preventing unauthorized software from executing automatically.
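As an added illustration of the monitoring advice above (example code, not from the Red Report or from Picus), the following Python maps Sysmon registry-value-set (ID 13) and file-create (ID 11) events onto the sub-techniques listed earlier and reports any autostart change that is not already in a reviewed baseline. The event field names follow Sysmon, but the key patterns are simplified, and the baseline entries and sample events are constructed for the example.

```python
import re

# Registry locations matched (case-insensitively) against Sysmon's TargetObject field,
# keyed to the T1547 sub-technique each one corresponds to. Patterns are simplified.
AUTOSTART_KEYS = {
    r"\\CurrentVersion\\Run(Once)?\\": "T1547.001 Registry Run Keys",
    r"\\Lsa\\Authentication Packages$": "T1547.002 Authentication Package",
    r"\\Winlogon\\(Shell|Userinit)$": "T1547.004 Winlogon Helper DLL",
    r"\\Lsa\\Security Packages$": "T1547.005 Security Support Provider",
    r"\\Print\\Monitors\\": "T1547.010 Port Monitors",
    r"\\Active Setup\\Installed Components\\": "T1547.014 Active Setup",
}
STARTUP_FOLDER = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

# Constructed baseline: (value path, data) pairs already reviewed as legitimate on this host.
BASELINE = {
    (r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
}

def classify_registry(target):
    """Return the sub-technique label if `target` is a known autostart location, else None."""
    for pattern, technique in AUTOSTART_KEYS.items():
        if re.search(pattern, target, re.IGNORECASE):
            return technique
    return None

def autostart_alerts(events):
    """Return (technique, target, writing process) for each autostart change not in BASELINE."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 13:  # Sysmon: registry value set
            technique = classify_registry(ev["TargetObject"])
            if technique and (ev["TargetObject"], ev["Details"]) not in BASELINE:
                alerts.append((technique, ev["TargetObject"], ev["Image"]))
        elif ev["EventID"] == 11 and STARTUP_FOLDER.search(ev["TargetFilename"]):  # file created
            alerts.append(("T1547.001 Startup Folder", ev["TargetFilename"], ev["Image"]))
    return alerts

# Constructed sample events in the shape of Sysmon IDs 13 and 11 (fields abbreviated).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "Details": r"C:\Users\Public\svc.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe", "Details": "kerberos msv1_0 schannel sample",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe", "TargetFilename":
     r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.lnk"},
]
```

Running `autostart_alerts(SAMPLE_EVENTS)` leaves the baselined OneDrive entry silent and reports the three other writes, each tagged with the sub-technique it maps to and the process that made the change.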
Conclusion
MITRE ATT&CK T1547 presents a serious challenge for organizations due to its ability to provide long-term access, facilitate reinfection, and enable privilege escalation. Real-world threats like TrickBot have demonstrated the dangers of this technique and the difficulty in removing persistent malware once it takes hold. However, with proper monitoring, strict access controls, and proactive security policies, organizations can significantly reduce their exposure to this attack method and strengthen their defenses against persistent threats.
See the full report for a deep dive into each of the sub-techniques.[2]
[1] The Red Report, p. 99
[2] Ibid., pp. 102–113