DET0274: Boot or Logon Autostart Execution Detection Strategy
Analyst context for executives and security teams
DET0274 is a detection strategy for identifying boot or logon autostart execution behavior associated with ATT&CK technique T1547. In business terms, this matters because autostart mechanisms are a common way for an intruder to remain present after reboots or user logons, and in some cases may support privilege escalation. Leaders should treat coverage here as a persistence-resilience question: can the organization prove it would notice unauthorized changes to startup, login, or service-like execution paths across Windows, macOS, Linux, and network device environments where applicable?
Executive priority
Prioritize this as a persistence and recovery control area. If attackers can establish autostart execution without detection, incident containment and eradication become harder because systems may re-compromise themselves after reboot or user login. Security leaders should ask whether SOC, IR, endpoint, identity, and configuration-management teams have evidence of baseline autostart locations, change monitoring, and investigation procedures for unauthorized startup execution. This is also useful audit evidence for demonstrating control over privileged configuration changes and operational resilience.
Technical view
MITRE provides this as a detection strategy object that detects T1547: Boot or Logon Autostart Execution, mapped to persistence and privilege-escalation tactics across Linux, macOS, Windows, and Network Devices. The object itself does not include an official detection analytic, so SOC and detection engineering teams should validate coverage against the related technique rather than assume DET0274 provides a complete rule. Focus on monitoring creation, modification, or abnormal execution of boot/logon autostart mechanisms, then correlate those changes with user context, privilege level, parent process, host role, administrative change windows, and known software deployment activity.
Likely telemetry
- Endpoint process creation and command-line telemetry around programs launched at boot or user logon
- Operating system configuration-change telemetry for autostart, login, service, daemon, scheduled, or equivalent startup mechanisms
- File creation and modification events in startup-related paths or configuration locations
- Registry or system database change events where applicable to the operating system
- Authentication and logon events to correlate autostart activity with user sessions
Detection direction
- Build or validate detections around unauthorized changes to boot and logon autostart locations rather than only alerting on execution after the fact.
- Correlate autostart changes with administrative tools, software installation activity, patching windows, and approved change tickets to reduce false positives.
- Baseline normal startup entries by operating system, host role, and business application; high-noise environments will need allowlisting and change-control context.
- Prioritize alerts where new or modified autostart entries are created by unusual users, non-administrative contexts, unexpected parent processes, or shortly after suspicious logon or privilege activity.
- Check for blind spots on non-Windows platforms and network devices, since the related ATT&CK technique explicitly includes Linux, macOS, Windows, and Network Devices, while the detection strategy object does not provide platform-specific analytics.
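The baseline-diff and correlation approach described in the points above can be expressed as a small triage routine. The following Python is an added example written for this page, not MITRE's or Glexia's code and not an official DET0274 analytic: it compares observed autostart entries against an approved baseline keyed by host role, then raises the priority of each deviation when the change was made by a non-administrative account, by an unexpected parent process, or outside an approved change window. The baseline, account lists, change windows, hosts and telemetry records are all constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class AutostartEntry:
    """One observed autostart change from endpoint/config telemetry (constructed schema)."""
    host: str
    location: str       # registry Run key, LaunchAgent plist, systemd unit, etc.
    value: str          # command or target the mechanism launches
    modified_by: str    # account that made the change
    parent_process: str
    modified_at: datetime


@dataclass
class Finding:
    entry: AutostartEntry
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        # Additive priority: each matched risk condition adds one point.
        return len(self.reasons)


# Constructed environment context; every value below is hypothetical.
BASELINE = {
    ("workstation", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "C:\\Program Files\\Corp\\agent.exe"),
    ("server", "/etc/systemd/system/multi-user.target.wants/backup.service",
     "/opt/backup/run.sh"),
}
HOST_ROLES = {"WS-001": "workstation", "SRV-DB-01": "server"}
ADMIN_ACCOUNTS = {"CORP\\svc-deploy", "root"}
APPROVED_INSTALLERS = {"msiexec.exe", "apt-get", "dpkg", "installer"}
CHANGE_WINDOWS = [(datetime(2024, 5, 1, 22, 0), datetime(2024, 5, 2, 2, 0))]


def in_change_window(ts: datetime) -> bool:
    """True when the change timestamp falls inside an approved change window."""
    return any(start <= ts <= end for start, end in CHANGE_WINDOWS)


def evaluate(entries, baseline=BASELINE, host_roles=HOST_ROLES):
    """Return findings for entries that deviate from the baseline, highest priority first."""
    findings = []
    for e in entries:
        role = host_roles.get(e.host, "unknown")
        if (role, e.location, e.value) in baseline:
            continue  # approved entry for this host role: no alert
        reasons = [f"not in baseline for host role '{role}'"]
        if e.modified_by not in ADMIN_ACCOUNTS:
            reasons.append("modified by non-administrative account")
        if e.parent_process.lower() not in APPROVED_INSTALLERS:
            reasons.append(f"unexpected parent process '{e.parent_process}'")
        if not in_change_window(e.modified_at):
            reasons.append("outside approved change window")
        findings.append(Finding(e, reasons))
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed sample telemetry: one approved change, one user-context anomaly,
# one root-made change that is merely outside the change window.
SAMPLE_ENTRIES = [
    AutostartEntry("WS-001", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
                   "C:\\Program Files\\Corp\\agent.exe", "CORP\\svc-deploy",
                   "msiexec.exe", datetime(2024, 5, 1, 23, 15)),
    AutostartEntry("WS-001", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                   "C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe", "CORP\\jdoe",
                   "WINWORD.EXE", datetime(2024, 5, 3, 9, 42)),
    AutostartEntry("SRV-DB-01", "/etc/systemd/system/multi-user.target.wants/sync.service",
                   "/usr/local/bin/sync.sh", "root", "apt-get",
                   datetime(2024, 5, 3, 14, 5)),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_ENTRIES):
        print(f"[{f.score}] {f.entry.host} {f.entry.location} -> {f.entry.value}")
        for r in f.reasons:
            print("    -", r)
```

Running the block prints the two deviations in priority order: the user-context change on WS-001 matches all four conditions, while the root-made systemd change on SRV-DB-01 only lacks a baseline entry and a change-window match, which is the kind of finding that a change ticket lookup would normally close. In production the baseline and change windows would come from the CMDB or change-management system rather than literals, and the parent-process allowlist would be maintained per platform.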
Mitigation priorities
- Inventory and baseline approved boot and logon autostart mechanisms across supported platforms.
- Restrict who can modify startup, service, daemon, login, or equivalent autostart configuration locations using least privilege and administrative change control.
- Use endpoint and configuration monitoring to alert on unauthorized or unexpected autostart changes.
- Integrate startup-change alerts into incident response playbooks so containment includes persistence removal and reboot/logon validation.
- Review privileged access, software deployment, and configuration-management processes to ensure legitimate changes are attributable and auditable.
Analyst notes and limits
The supplied ATT&CK object is a detection strategy with no official description or official detection text. The most useful context comes from its relationship to T1547, which identifies the behavior as boot or logon autostart execution used for persistence and privilege escalation across Linux, macOS, Windows, and Network Devices. Treat this Glexia take as coverage guidance and validation framing, not as a ready-to-deploy analytic.
No ATT&CK-provided analytic logic, data source list, detection pseudocode, or platform-specific implementation details were supplied for DET0274. Local environment baselines, endpoint telemetry availability, network device logging, and change-management context are required to determine actual detection coverage and tuning.
Boot or Logon Autostart Execution Detection Strategy
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1547 | Boot or Logon Autostart Execution | This object detects Boot or Logon Autostart Execution. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a39b7e58e187… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0274
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.