MITRE ATT&CK® Detection Strategy

DET0312: Detect Active Setup Persistence via StubPath Execution


Enterprise | DET0312 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0312 is a detection strategy for finding abuse of Windows Active Setup persistence through StubPath execution. The business significance is that this behavior can cause code to run when a user logs in, making it relevant to workstation resilience, identity context, and incident response scoping after suspected persistence.

Executive priority

Security leaders should treat this as a control-validation item for Windows endpoint persistence coverage. The key decision is whether the SOC can prove it sees suspicious Active Setup registry changes and the resulting logon-time execution, because missing this can complicate containment and recovery during endpoint incidents.

Technical view

The supplied relationship maps this detection strategy to ATT&CK T1547.014 Active Setup, a sub-technique of Boot or Logon Autostart Execution associated with persistence and privilege escalation on Windows. Active Setup runs the StubPath command of each component under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components (and the WOW6432Node mirror) at logon whenever the user's HKCU copy of that component is missing or carries a lower Version, so whatever StubPath points to executes in the logging-on user's context. SOC and detection teams should validate visibility into changes to those keys and their StubPath and Version values, user logon activity, and the process execution that follows (on current Windows the stub is spawned by runonce.exe). Because no official detection logic is supplied, local engineering should focus on correlating the registry modification with the later logon-triggered process execution and on separating expected enterprise software setup behavior from unauthorized persistence.

Likely telemetry

  • Windows registry creation/modification events for HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and its WOW6432Node mirror, in particular StubPath and Version values (Sysmon Event ID 12/13, or Security Event ID 4657 where a registry SACL and Object Access auditing are configured)
  • User logon/session activity on Windows endpoints
  • Process creation telemetry for programs launched after user logon, including the parent process so stubs spawned by runonce.exe can be told apart from ordinary user activity (Sysmon Event ID 1, or Security Event ID 4688 with command-line logging)
  • Endpoint detection and response events tied to registry persistence and process execution
  • Asset, user, and software inventory context to distinguish approved setup activity from unusual changes

Detection direction

  • Validate that endpoint and SIEM telemetry captures both the registry change and the later execution event, not just one side of the behavior.
  • Baseline legitimate Active Setup usage from approved software deployment and profile initialization to reduce false positives.
  • Prioritize alerts where a newly created or modified StubPath leads to unexpected process execution at user logon.
  • Include user context, host role, software-change history, and timing in triage to distinguish administrative activity from persistence.
  • Document blind spots where registry auditing, process creation logging, or endpoint coverage is absent on Windows systems.
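The correlation described in the technical view and the detection direction above, written out as an added example rather than logic from MITRE or Glexia. It walks Sysmon-style events already normalised into dicts (the field names, the trusted-directory list, the seven-day arming window and the runonce.exe parent are assumptions to tune locally), arms a (host, component) pair when a StubPath value is written, and raises a finding when a process spawned under runonce.exe on the same host matches that stub; execution with no observed write is reported separately, because it is either a pre-existing entry or a telemetry gap. All sample events, paths and GUIDs are constructed.

```python
"""Correlate Active Setup StubPath writes with the logon-time execution they cause.

Added example: this is not MITRE's or Glexia's detection logic. It assumes
Sysmon-style events already normalised into dicts with the field names used
below (ts, host, user, event_id, target_object, details, image, parent_image);
the sample events and every path and GUID in them are constructed.
"""
import re
from datetime import datetime, timedelta

# Active Setup components live under the native hive and the WOW6432Node mirror.
ACTIVE_SETUP_RE = re.compile(
    r"^HKLM\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Active Setup\\Installed Components\\"
    r"(?P<component>[^\\]+)\\StubPath$",
    re.IGNORECASE,
)
# Where a legitimate stub normally lives (assumption; derive from your own baseline).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
# How long a StubPath write stays "armed": a logon may lag the write by days (assumption).
ARMED_WINDOW = timedelta(days=7)
# Active Setup stubs are launched by runonce.exe at logon; confirm the parent in your telemetry.
STUB_PARENT = "\\runonce.exe"


def stub_executable(stub_path: str) -> str:
    """Lower-cased executable part of a StubPath value; handles quoted paths with spaces."""
    s = stub_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end].lower() if end > 1 else s.strip('"').lower()
    return s.split(" ", 1)[0].lower()


def is_trusted_location(image: str) -> bool:
    return image.lower().startswith(TRUSTED_DIRS)


def correlate(events):
    """Time-ordered walk: Sysmon 13 (value set) on a StubPath arms (host, component);
    Sysmon 1 (process create) under runonce.exe is matched against armed entries.
    Severity reflects the image location and whether both sides of the behaviour were seen."""
    armed = {}       # (host, component) -> the registry event that armed it
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["event_id"] == 13:
            m = ACTIVE_SETUP_RE.match(ev["target_object"])
            if not m:
                continue
            component = m.group("component").lower()
            armed[(ev["host"].lower(), component)] = ev
            findings.append({"stage": "armed", "host": ev["host"], "component": component,
                             "user": ev["user"], "stub": ev["details"],
                             "severity": "low" if is_trusted_location(stub_executable(ev["details"])) else "medium"})
        elif ev["event_id"] == 1 and ev.get("parent_image", "").lower().endswith(STUB_PARENT):
            image = ev["image"].lower()
            hit = None
            for (host, component), reg in armed.items():
                if host == ev["host"].lower() and stub_executable(reg["details"]) == image:
                    hit = (component, reg, ts - datetime.fromisoformat(reg["ts"]))
            if hit is None:
                # Execution with no observed StubPath write: a pre-existing entry or a telemetry gap.
                findings.append({"stage": "executed_uncorrelated", "host": ev["host"], "component": None,
                                 "user": ev["user"], "image": ev["image"],
                                 "severity": "low" if is_trusted_location(image) else "medium"})
                continue
            component, reg, age = hit
            if age > ARMED_WINDOW:
                severity = "low"        # old write; probably already baselined
            elif is_trusted_location(image):
                severity = "medium"     # expected location, still confirm the change record
            else:
                severity = "high"       # fresh write outside trusted paths, now running as the user
            findings.append({"stage": "executed_correlated", "host": ev["host"], "component": component,
                             "written_by": reg["user"], "user": ev["user"], "image": ev["image"],
                             "lag_hours": round(age.total_seconds() / 3600, 1), "severity": severity})
    return findings


SAMPLE_EVENTS = [  # constructed for this example; GUIDs and paths are placeholders
    {"ts": "2026-03-02T09:15:00", "host": "WS01", "event_id": 13, "user": "CORP\\svc-deploy",
     "target_object": "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\"
                      "{11111111-1111-1111-1111-111111111111}\\StubPath",
     "details": "C:\\Windows\\System32\\example_profile_init.exe /quiet"},
    {"ts": "2026-03-02T17:40:12", "host": "WS01", "event_id": 13, "user": "WS01\\localadmin",
     "target_object": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Active Setup\\Installed Components\\"
                      "{DEADBEEF-0000-0000-0000-000000000001}\\StubPath",
     "details": "\"C:\\Users\\Public\\Libraries\\updater.exe\" -k"},
    {"ts": "2026-03-03T08:02:10", "host": "WS01", "event_id": 1, "user": "CORP\\alice",
     "image": "C:\\Users\\Public\\Libraries\\updater.exe",
     "parent_image": "C:\\Windows\\System32\\runonce.exe"},
    {"ts": "2026-03-03T08:02:11", "host": "WS01", "event_id": 1, "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\example_profile_init.exe",
     "parent_image": "C:\\Windows\\System32\\runonce.exe"},
    {"ts": "2026-03-03T08:30:00", "host": "WS02", "event_id": 1, "user": "CORP\\bob",
     "image": "C:\\Users\\Public\\Libraries\\updater.exe",
     "parent_image": "C:\\Windows\\System32\\runonce.exe"},
    {"ts": "2026-03-03T08:31:00", "host": "WS01", "event_id": 1, "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["stage"], f["host"], f.get("image") or f.get("stub"))
```

The WS02 finding is the case the detection-direction bullets warn about: the stub ran there, but no StubPath write was seen, so either the entry predates log retention or registry auditing on that host is missing. Keying on the lower-cased executable rather than the raw value keeps quoted paths, switches and case differences from breaking the match; a stub of the form `cmd /c ...` will match on cmd.exe, so the child of that process still needs a look.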

Mitigation priorities

  • Ensure Windows endpoints have sufficient registry and process telemetry enabled and forwarded for investigation.
  • Limit unnecessary administrative rights and enforce change control around software or configuration mechanisms that can write persistence-related registry entries.
  • Use approved software deployment processes so legitimate Active Setup changes are predictable and auditable.
  • Prepare IR procedures to identify, validate, and remove unauthorized Active Setup persistence during endpoint containment and recovery.
  • Track coverage as compliance and resilience evidence for endpoint persistence monitoring.
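For the baselining and incident-response items above (deciding which Active Setup entries are live for a given user, and which will fire again because their Version was raised), an added example that is not MITRE's or Glexia's procedure. It operates on snapshots of the HKLM and HKCU Installed Components keys loaded into dicts; the snapshots are constructed. The rules it encodes are the commonly documented Active Setup behaviour and should be verified on your own Windows build: a component runs when the user's HKCU record is missing or when the HKLM Version is greater than the HKCU Version, an IsInstalled value of 0 disables it, a component without StubPath runs nothing, and Version strings compare numerically field by field (the four-field padding is an assumption).

```python
"""Decide which Active Setup StubPath entries will run at a user's next logon.

Added example for IR triage, not MITRE's or Glexia's procedure. Input is a dict
per hive keyed by component GUID with the component's values; the snapshots
below are constructed. Assumed Active Setup rules (verify on your build):
  - HKCU record missing               -> StubPath runs once for that user
  - HKLM Version > HKCU Version       -> StubPath runs again (the "version bump")
  - IsInstalled == 0                  -> skipped
  - no StubPath value                 -> nothing to run
"""


def parse_version(value):
    """'1,0,0,0' -> (1, 0, 0, 0). Pads or truncates to four numeric fields; a
    non-numeric field counts as 0 (assumption about how odd values compare)."""
    if value is None:
        return None
    fields = [int(p) if p.strip().isdigit() else 0 for p in value.split(",")]
    return tuple((fields + [0, 0, 0, 0])[:4])


def pending_stubs(hklm, hkcu):
    """Return the HKLM components whose StubPath will execute for a user whose
    per-user state is `hkcu`, with the reason each one fires."""
    out = []
    for guid, comp in hklm.items():
        stub = comp.get("StubPath")
        if not stub:
            continue                      # nothing to execute
        if comp.get("IsInstalled", 1) == 0:
            continue                      # explicitly disabled
        mine = hkcu.get(guid)
        if mine is None:
            reason = "no HKCU record: runs once on this user's next logon"
        else:
            lm, cu = parse_version(comp.get("Version")), parse_version(mine.get("Version"))
            if lm is None or (cu is not None and lm <= cu):
                continue                  # already processed at this version
            reason = (f"HKLM Version {comp.get('Version')} is newer than HKCU "
                      f"{mine.get('Version')}: re-runs for a user who already has it")
        out.append({"component": guid, "stub": stub, "reason": reason})
    return out


HKLM_SNAPSHOT = {  # constructed; GUIDs and paths are placeholders
    "{11111111-1111-1111-1111-111111111111}": {
        "StubPath": "C:\\Windows\\System32\\example_profile_init.exe /quiet", "Version": "1,0,0,0"},
    "{22222222-2222-2222-2222-222222222222}": {
        "StubPath": "C:\\Windows\\System32\\retired_component.exe", "Version": "3,0,0,0", "IsInstalled": 0},
    "{33333333-3333-3333-3333-333333333333}": {"Version": "1,0,0,0"},        # no StubPath: inert
    "{DEADBEEF-0000-0000-0000-000000000001}": {
        "StubPath": "\"C:\\Users\\Public\\Libraries\\updater.exe\" -k", "Version": "2,0,0,0"},
}
# A user who has already logged on: the suspicious entry was bumped from 1,0,0,0 to 2,0,0,0
# in HKLM so that it fires again for profiles that already processed it.
HKCU_EXISTING_USER = {
    "{11111111-1111-1111-1111-111111111111}": {"Version": "1,0,0,0"},
    "{DEADBEEF-0000-0000-0000-000000000001}": {"Version": "1,0,0,0"},
}
HKCU_NEW_USER = {}   # profile that has never logged on to this host

if __name__ == "__main__":
    for label, hkcu in (("existing user", HKCU_EXISTING_USER), ("new user", HKCU_NEW_USER)):
        for hit in pending_stubs(HKLM_SNAPSHOT, hkcu):
            print(f"{label}: {hit['component']} -> {hit['stub']} ({hit['reason']})")
```

During containment, removing the HKLM component (or setting IsInstalled to 0) stops further logons from executing the stub, but profiles that already ran it keep their HKCU record, so the process and any files it dropped still need to be handled separately. Comparing the same snapshot against several users' hives is also a quick way to see which accounts have already executed a suspicious stub.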

Analyst notes and limits

This take is based on the detection strategy name and its ATT&CK relationship to T1547.014 Active Setup. The official object does not provide a description, detection analytic, platforms, or tactics; the Windows, persistence, and privilege-escalation context comes from the related ATT&CK technique.

No official detection logic, data components, query examples, or mitigation text were supplied. Local registry paths, allowed software behavior, logging configuration, and endpoint tooling must be validated in the environment before judging coverage.

Official MITRE ATT&CK definition

Detect Active Setup Persistence via StubPath Execution

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1547.014 | Active Setup (sub-technique) | This object detects Active Setup.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: f4515745b448fa01...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | f4515745b448…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0312 (external source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.