MITRE ATT&CK® Analytic

AN0764: Analytic 0764

Correlation of registry key modification for Run/RunOnce with abnormal parent-child process relationships and outlier execution at user logon or system startup

Enterprise | AN0764 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because Windows Run and RunOnce registry changes can affect what executes when a user logs on or a system starts. For leaders, the practical value is not the registry change alone, but whether the organization can correlate it with unusual process lineage and abnormal startup/logon execution. That correlation can help separate routine software behavior from activity that may threaten endpoint integrity and operational continuity.

Executive priority

Prioritize this as a Windows endpoint visibility and response-readiness check. Security leaders should ask whether SOC teams can prove they collect registry modification events, process parent-child relationships, and logon/startup execution evidence in one place. The control decision is whether current endpoint telemetry and analytic tuning can support timely triage without overwhelming analysts with legitimate software installer, updater, or administrator activity.

Technical view

For Windows environments, validate an analytic that correlates modifications to Run/RunOnce registry keys with abnormal parent-child process relationships and outlier execution during user logon or system startup. Because no official detection logic is supplied, teams should define local baselines for expected Run/RunOnce writers, expected child processes at startup, and common administrative or software-update patterns. IR teams should ensure alerts preserve enough context to answer: what registry value changed, which process made the change, what executed afterward, under which user, and whether the process chain is normal for that host or user population.

Likely telemetry

  • Windows registry key/value modification events for Run and RunOnce locations
  • Endpoint process creation telemetry with parent-child process relationships
  • User logon and system startup timing/context
  • Command-line, image path, signer, hash, user, and host metadata where available
  • Endpoint detection or system logs that can join registry activity to subsequent execution

Detection direction

  • Validate that registry modification telemetry and process creation telemetry can be correlated across the same host and time window.
  • Tune for abnormal parent-child relationships rather than alerting on every Run/RunOnce change, since legitimate installers, management tools, and updaters commonly modify startup entries.
  • Baseline expected startup/logon execution per host role and user group to identify outliers.
  • Ensure alert output includes the modified key/value, responsible process, parent process, user, timestamp, and any subsequent startup/logon execution context.
  • Review blind spots where registry auditing, endpoint telemetry, command-line capture, or log retention is incomplete.
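The correlation described in the technical view and the detection direction above, as an added worked example (not MITRE's analytic logic and not Glexia's code): registry modification events for Run/RunOnce are joined to process creation events on the same host, the writer's parent-child lineage is checked against a local baseline, and a later logon-time execution of the registered image raises severity. The event field names, the baseline sets, and the sample events are all constructed assumptions; a real deployment would load the baseline from the SOC's documented installers and agents and the events from EDR or Sysmon telemetry.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional
import ntpath


@dataclass
class RegEvent:
    """Registry value write as an EDR/SIEM might normalise it (field names assumed)."""
    host: str
    ts: datetime
    user: str
    key: str          # full key path
    value_name: str
    value_data: str   # image path written into the Run/RunOnce value
    image: str        # process that performed the write
    parent: str       # parent of that process


@dataclass
class ProcEvent:
    """Process creation event; at_logon is true inside the host's logon/startup window."""
    host: str
    ts: datetime
    user: str
    image: str
    parent: str
    cmdline: str
    at_logon: bool


RUN_KEY_SUFFIXES = (
    r"\microsoft\windows\currentversion\run",
    r"\microsoft\windows\currentversion\runonce",
)

# Local baseline (assumption): processes expected to write Run/RunOnce, and the
# parent-child pairs under which they are expected to do so on this estate.
EXPECTED_WRITERS = {"msiexec.exe", "setup.exe", "explorer.exe", "svchost.exe"}
EXPECTED_LINEAGE = {
    ("services.exe", "msiexec.exe"),
    ("services.exe", "svchost.exe"),
    ("userinit.exe", "explorer.exe"),
    ("explorer.exe", "setup.exe"),
}


def basename(path: str) -> str:
    """Lower-cased file name; ntpath keeps Windows paths working on any OS."""
    return ntpath.basename(path.strip('"').lower())


def is_run_key(key: str) -> bool:
    return key.lower().endswith(RUN_KEY_SUFFIXES)


def lineage_reasons(ev: RegEvent) -> List[str]:
    """Return why the writer's lineage is abnormal; empty list means baseline-normal."""
    writer, parent = basename(ev.image), basename(ev.parent)
    reasons = []
    if writer not in EXPECTED_WRITERS:
        reasons.append(f"writer {writer} is not a baselined Run/RunOnce writer")
    if (parent, writer) not in EXPECTED_LINEAGE:
        reasons.append(f"parent-child pair {parent} -> {writer} is not in the lineage baseline")
    return reasons


def find_logon_execution(ev: RegEvent, procs: List[ProcEvent],
                         window: timedelta) -> Optional[ProcEvent]:
    """First logon/startup-time execution of the registered image on the same host."""
    target = basename(ev.value_data)
    for p in procs:
        if (p.host == ev.host and p.at_logon and basename(p.image) == target
                and ev.ts < p.ts <= ev.ts + window):
            return p
    return None


def correlate(reg_events: List[RegEvent], proc_events: List[ProcEvent],
              window: timedelta = timedelta(hours=48)) -> List[Dict]:
    """Emit one alert per abnormal Run/RunOnce write, with the triage context the page lists."""
    alerts = []
    for ev in reg_events:
        if not is_run_key(ev.key):
            continue
        reasons = lineage_reasons(ev)
        if not reasons:
            continue  # routine installer/updater write: keep it out of the alert queue
        executed = find_logon_execution(ev, proc_events, window)
        alert = {
            "host": ev.host, "user": ev.user, "timestamp": ev.ts.isoformat(),
            "key": ev.key, "value_name": ev.value_name, "value_data": ev.value_data,
            "writer": ev.image, "writer_parent": ev.parent,
            "reasons": reasons, "executed_at_logon": None, "severity": "medium",
        }
        if executed is not None:
            alert["executed_at_logon"] = {
                "image": executed.image, "parent": executed.parent,
                "cmdline": executed.cmdline, "timestamp": executed.ts.isoformat(),
            }
            alert["severity"] = "high"
        alerts.append(alert)
    return alerts


# Constructed sample telemetry: one baseline-normal installer write, one write from an
# unexpected writer with unusual lineage, and one non-Run key write that must be ignored.
SAMPLE_REG = [
    RegEvent("WS-0017", datetime(2024, 5, 6, 9, 0), r"NT AUTHORITY\SYSTEM",
             r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "VendorUpdater",
             r"C:\Program Files\Vendor\updater.exe",
             r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\services.exe"),
    RegEvent("WS-0042", datetime(2024, 5, 6, 10, 15), r"CORP\alice",
             r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Helper",
             r'"C:\Users\alice\AppData\Roaming\helper.exe"',
             r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
             r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    RegEvent("WS-0042", datetime(2024, 5, 6, 10, 16), r"CORP\alice",
             r"HKCU\Software\Vendor\Settings", "Theme", "dark",
             r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
             r"C:\Windows\explorer.exe"),
]
SAMPLE_PROC = [
    ProcEvent("WS-0017", datetime(2024, 5, 7, 8, 2), r"CORP\bob",
              r"C:\Program Files\Vendor\updater.exe", r"C:\Windows\explorer.exe",
              "updater.exe /silent", True),
    ProcEvent("WS-0042", datetime(2024, 5, 7, 8, 31), r"CORP\alice",
              r"C:\Users\alice\AppData\Roaming\helper.exe", r"C:\Windows\explorer.exe",
              "helper.exe", True),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_REG, SAMPLE_PROC):
        print(a["severity"], a["host"], a["value_name"], "|", "; ".join(a["reasons"]))
```

The alert dictionary deliberately carries the modified key and value, the writing process and its parent, the user, the timestamp, and the subsequent logon-time execution, so an analyst can answer the triage questions in the technical view from the alert alone. Tuning happens in the two baseline sets: a write that matches both stays silent, which is what keeps installers, management agents, and updaters out of the queue.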

Mitigation priorities

  • Maintain reliable Windows endpoint telemetry for registry changes, process creation, and logon/startup context before depending on this analytic operationally.
  • Reduce unnecessary startup execution paths through endpoint hardening and software governance where business operations allow.
  • Limit administrative privileges and software installation rights so fewer users and processes can create persistent startup entries.
  • Document approved installers, management agents, and update mechanisms to support faster SOC triage and lower false positives.
  • Use incident response playbooks that require validation of the registry entry, process lineage, user context, and business legitimacy before containment decisions.

Analyst notes and limits

ATT&CK provides this as a detection analytic, not as a technique description with full detection logic. The strongest use is as a coverage validation pattern: can the SOC correlate Run/RunOnce registry modifications with unusual process ancestry and outlier startup/logon execution on Windows systems? Local baselining is essential because many benign enterprise tools legitimately modify these keys.

The supplied object has no tactic, no relationship context, and no official detection procedure beyond the analytic description. It supports Windows-focused guidance only. Any conclusions about adversary use, campaign relevance, prevalence, impact, or guaranteed detection require additional local telemetry or threat intelligence not present in the supplied fields.

Official MITRE ATT&CK definition

Analytic 0764

Correlation of registry key modification for Run/RunOnce with abnormal parent-child process relationships and outlier execution at user logon or system startup


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 40780363f8ee2d0a...

Imported snapshots across ATT&CK releases (1)

  Release | Bundle imported | Object version | Modified | Status         | Raw hash
  19.1    |                 | 1.0            |          | Current bundle | 40780363f8ee…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0764

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.