DET0365: Detect Registry and Startup Folder Persistence (Windows)
Analyst context for executives and security teams
DET0365 matters because Windows Registry Run Keys and Startup Folder entries can turn a one-time compromise into recurring access whenever a user logs in. For leaders, the practical question is whether the organization can prove it would notice unauthorized autostart changes before they become persistent footholds for later incident activity.
Executive priority
Prioritize this as a resilience and incident-readiness control for Windows environments. The related ATT&CK technique, T1547.001, is associated with persistence and privilege escalation, so coverage helps validate endpoint visibility, change governance, SOC triage quality, and audit evidence around unauthorized startup behavior. Executives should ask whether teams can distinguish approved software autostarts from suspicious new entries and whether incident responders have enough historical evidence to determine when persistence was created and under which user context.
Technical view
The supplied detection strategy has no official detection text, so SOC and detection teams should anchor validation to the relationship with T1547.001: programs added to Registry Run Keys or Startup Folder locations execute when a user logs in and run in that user’s context. Validate collection and alerting for Windows autostart location changes, file creation in startup folders, registry value creation or modification tied to Run Keys, and subsequent process execution at user logon. Detection logic should account for legitimate software installers, enterprise management tools, and user-profile-specific startup behavior to reduce false positives.
Likely telemetry
- Windows Registry value creation and modification events for Run Key autostart locations
- File creation, modification, or replacement events in Startup Folder paths
- Process execution telemetry showing programs launched after user logon
- User logon context associated with the autostarted program
- Endpoint inventory or baseline data for approved startup entries
Detection direction
- Confirm telemetry exists before writing analytics; this strategy object does not provide official detection logic.
- Baseline known-good startup entries by host role, user population, and managed software stack.
- Alert on newly created or modified Registry Run Key and Startup Folder entries, especially when the referenced program is unusual for the user or host.
- Correlate autostart changes with nearby logon and process execution activity to support triage.
- Tune for expected installer, patching, and endpoint management activity to avoid excessive false positives.
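The technical view and the detection direction above describe one pipeline: normalize autostart telemetry, compare each change against a per-host baseline, alert on what falls outside it, and attach later process starts of the referenced program for triage. The following Python is an added example of that pipeline, not MITRE, ATT&CK or Glexia code. The event records are constructed to resemble Sysmon-style telemetry (registry value set, file create, process create, logon); the field names, the `APPROVED_*` baselines and the host and user names are assumptions, not any product's schema or any real environment.

```python
"""Baseline-and-alert logic for Windows autostart persistence (Run keys, Startup folder).

Added example; not MITRE, ATT&CK or Glexia code. EVENTS is constructed sample
telemetry with assumed field names; the APPROVED_* baselines are illustrative.
"""
import fnmatch
import re
from datetime import datetime, timedelta

# Run / RunOnce value paths under the machine hive or a user hive (HKCU, or
# HKU\<SID> as many sensors record it), with or without Wow6432Node.
RUN_VALUE_RE = re.compile(
    r"^(HKLM|HKCU|HKU\\[^\\]+)\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows"
    r"\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$",
    re.IGNORECASE,
)
STARTUP_FILE_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\([^\\]+)$", re.IGNORECASE)

# Illustrative baseline (constructed): approved Run values keyed by
# (scope, key, value name) -> allowed image pattern, plus approved Startup-folder
# file names. A real baseline is built per host role and managed software stack.
APPROVED_RUN_VALUES = {
    ("user", "run", "onedrive"): r"c:\users\*\appdata\local\microsoft\onedrive\onedrive.exe",
    ("machine", "run", "vendoragent"): r"c:\program files (x86)\vendor\agent.exe",
}
APPROVED_STARTUP_FILES = {"desktop.ini"}


def extract_image(command):
    """Pull the executable path (lower-cased) out of a Run value's command line."""
    command = command.strip()
    if command.startswith('"'):                 # quoted path, possibly followed by arguments
        end = command.find('"', 1)
        return command[1:end].lower() if end > 0 else command[1:].lower()
    lower = command.lower()
    idx = lower.find(".exe")                    # unquoted path containing spaces, e.g. C:\Program Files\x.exe /q
    return lower[: idx + 4] if idx >= 0 else lower.split()[0]


def classify_change(event):
    """Return an alert dict when an autostart change is outside the baseline, else None."""
    if event["type"] == "registry_set":
        m = RUN_VALUE_RE.match(event["target"])
        if not m:
            return None                         # a registry write, but not an autostart location
        hive, key, value_name = m.groups()
        scope = "machine" if hive.upper() == "HKLM" else "user"
        image = extract_image(event["details"])
        allowed = APPROVED_RUN_VALUES.get((scope, key.lower(), value_name.lower()))
        if allowed and fnmatch.fnmatchcase(image, allowed):
            return None
        return {"kind": "run_key", "location": event["target"], "autostart_image": image,
                "user": event["user"], "host": event["host"], "writer": event["image"],
                "ts": event["ts"], "executions": []}
    if event["type"] == "file_create":
        m = STARTUP_FILE_RE.search(event["target"])
        if not m or m.group(1).lower() in APPROVED_STARTUP_FILES:
            return None
        # For a .lnk the real target would need shortcut resolution; the file path is kept here.
        return {"kind": "startup_folder", "location": event["target"],
                "autostart_image": event["target"].lower(), "user": event["user"],
                "host": event["host"], "writer": event["image"], "ts": event["ts"],
                "executions": []}
    return None


def correlate_executions(alert, events, window=timedelta(hours=24)):
    """Attach later process starts of the autostart image on the same host (triage context)."""
    start = datetime.fromisoformat(alert["ts"])
    for e in events:
        if e["type"] != "process_create" or e["host"] != alert["host"]:
            continue
        t = datetime.fromisoformat(e["ts"])
        if start < t <= start + window and e["image"].lower() == alert["autostart_image"]:
            alert["executions"].append({"ts": e["ts"], "user": e["user"], "parent": e["parent"]})
    return alert


def analyze(events):
    """Compare every event against the baseline and return alerts in time order."""
    ordered = sorted(events, key=lambda e: e["ts"])      # ISO-8601 strings sort chronologically
    alerts = [a for a in (classify_change(e) for e in ordered) if a]
    return [correlate_executions(a, ordered) for a in alerts]


EVENTS = [  # constructed sample telemetry: one host, two users, one day of activity
    {"ts": "2026-03-02T08:01:10", "type": "registry_set", "host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "target": r"HKU\S-1-5-21-1000-1001-1002-1103\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"ts": "2026-03-02T08:05:42", "type": "registry_set", "host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKU\S-1-5-21-1000-1001-1002-1103\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\alice\AppData\Roaming\svc\update.exe"},
    {"ts": "2026-03-02T09:12:00", "type": "registry_set", "host": "WS01", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Program Files (x86)\Vendor\setup.exe",
     "target": r"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "details": r'"C:\Program Files (x86)\Vendor\agent.exe"'},
    {"ts": "2026-03-02T10:30:15", "type": "file_create", "host": "WS01", "user": "CORP\\bob",
     "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.lnk"},
    {"ts": "2026-03-03T07:58:03", "type": "logon", "host": "WS01", "user": "CORP\\alice"},
    {"ts": "2026-03-03T07:58:09", "type": "process_create", "host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Users\alice\AppData\Roaming\svc\update.exe", "parent": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for alert in analyze(EVENTS):
        print(alert["kind"], alert["location"], "by", alert["user"], "via", alert["writer"],
              "executions:", len(alert["executions"]))
```

On the constructed data, the approved OneDrive and VendorAgent entries produce nothing, while the unapproved `Updater` value and the new Startup-folder shortcut each raise one alert; the `Updater` alert additionally carries the next-day process start under the same user, which is the logon-to-execution correlation the detection direction calls for. The `writer` field (the process that made the change) is what lets tuning distinguish installers and management agents from ad hoc registry edits.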
Mitigation priorities
- Start with visibility: ensure Windows endpoint logging captures registry, file, process, and logon evidence relevant to autostart persistence.
- Maintain an approved baseline of startup entries and review deviations through change control.
- Apply least-privilege and software governance so unnecessary users and processes cannot casually introduce persistent startup behavior.
- Include Registry Run Key and Startup Folder checks in incident response containment and eradication playbooks.
- Use detection findings as compliance evidence for endpoint monitoring, change tracking, and persistence-hunting readiness.
Analyst notes and limits
This take is based on MITRE detection strategy DET0365 and its relationship to ATT&CK technique T1547.001, Registry Run Keys / Startup Folder. The material defensive value is in proving that endpoint teams can see and investigate unauthorized Windows autostart persistence, not merely that an alert exists.
The supplied detection strategy contains no official description, no official detection text, and no tactics or platforms on the strategy object itself. Windows, persistence, and privilege-escalation context come from the related T1547.001 technique and the strategy name. Local environment baselines are required to determine what is suspicious versus legitimate software behavior.
Detect Registry and Startup Folder Persistence (Windows)
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | This object detects Registry Run Keys / Startup Folder. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4ca670db030a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0365 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.