MITRE ATT&CK® Technique

T1547.014: Active Setup

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.[1] These programs will be executed under the context of the user and will have the account's associated permissions level.

Adversaries may abuse Active Setup by creating a key under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\ and setting a malicious value for StubPath. This value will serve as the program that will be executed when a user logs into the computer.[2][3][4][5][6]

Adversaries can abuse these components to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.

Domain: Enterprise · ID: T1547.014 · Type: Sub-technique · Object version: 1.1 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Active Setup is a Windows logon mechanism that can be abused to make code run whenever a user signs in. For leaders, the risk is not just “another registry persistence trick”; it is a way for an intruder to survive reboots and re-enter operations under the permissions of the logging-in user. Because the technique is tied to normal Windows behavior, organizations need evidence that endpoint telemetry can distinguish expected Active Setup components from suspicious StubPath entries.

Executive priority

Prioritize this as a Windows persistence and privilege-escalation validation item. Ask whether SOC and incident response teams can identify newly created or modified Active Setup registry keys, especially under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\, and whether they can connect those changes to logon-time execution. This matters for resilience because persistence that triggers at user logon can extend dwell time, complicate containment, and weaken audit confidence if registry autorun locations are not monitored.

Technical view

For SOC, detection engineering, and IR teams, validate coverage around Active Setup registry modifications and StubPath execution on Windows. The ATT&CK object has no official detection text, but the relationship to DET0312, “Detect Active Setup Persistence via StubPath Execution,” supports focusing on StubPath-based execution. Investigations should review whether entries masquerade as legitimate programs, whether the configured StubPath launches unexpected binaries or scripts, and whether execution occurs after user logon under that user’s permissions. Relationship context also notes PoisonIvy, a Windows remote access tool, has used this technique, so RAT-like post-compromise activity should be considered during triage without assuming attribution.

Likely telemetry

  • Windows registry key creation and modification events for HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
  • Registry value changes involving StubPath
  • Process creation telemetry showing programs launched from Active Setup StubPath values
  • User logon events correlated with subsequent StubPath process execution
  • Endpoint inventory or autorun enumeration data, including tooling such as Autoruns where used operationally

Detection direction

  • Baseline legitimate Active Setup Installed Components entries and monitor for new, rare, or recently modified StubPath values.
  • Correlate StubPath registry changes with user logon and process creation to reduce false positives from legitimate software setup activity.
  • Tune for masquerading risk: suspicious names, paths, or publishers that appear to imitate legitimate components should receive higher review priority.
  • Validate whether endpoint logging captures both the registry change and the later execution event; missing either side can create a blind spot.
  • Use DET0312 relationship context as a starting point for detection validation, while recognizing the supplied ATT&CK object does not include detailed official detection logic.

Mitigation priorities

  • Restrict unnecessary administrative ability to modify HKLM autorun-related registry locations.
  • Review and harden change control around software installation mechanisms that legitimately use Active Setup.
  • Include Active Setup locations in endpoint persistence hunting, incident response collection, and autorun review procedures.
  • During containment, inspect Active Setup StubPath entries before assuming reboot or user logoff/logon will clear persistence.
  • Maintain compliance evidence showing monitoring or review of Windows logon autorun mechanisms where required by internal control frameworks.
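One way to carry out the baselining called for under "Detection direction" and the containment-time inspection of StubPath entries above, as an added PowerShell example that is not code from the ATT&CK object or the Glexia page. The baseline file location and the simplified comma-separated Version comparison are assumptions; the per-user HKCU copy, the IsInstalled flag and the WOW6432Node mirror are standard Active Setup behaviour.

```powershell
# Added example (not from the ATT&CK object or Glexia): enumerate Active Setup Installed Components,
# work out which StubPaths still run for this user at next logon, and diff against an assumed baseline file.
$BaselinePath = "$env:ProgramData\ActiveSetupBaseline.json"            # assumed location
$MachineRoots = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
                'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
$UserRoot     = 'HKCU:\Software\Microsoft\Active Setup\Installed Components'

function ConvertTo-AsVersion([string]$v) {
    # Active Setup versions look like "1,0,0,0"; pad to four numeric parts (simplified comparison).
    if (-not $v) { return [version]'0.0.0.0' }
    $parts = @(($v -split '[,.]') + @('0', '0', '0'))[0..3]
    return [version]($parts -join '.')
}

function Get-ActiveSetupComponent {
    foreach ($root in $MachineRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $p = Get-ItemProperty $key.PSPath
            if (-not $p.StubPath) { continue }                              # nothing to execute
            $userKey = Join-Path $UserRoot $key.PSChildName
            $userVer = (Get-ItemProperty $userKey -ErrorAction SilentlyContinue).Version
            # StubPath runs when the per-user copy is absent or carries a lower Version,
            # unless IsInstalled is 0, which disables the component.
            $newer   = (ConvertTo-AsVersion $p.Version) -gt (ConvertTo-AsVersion $userVer)
            $pending = ((-not $userVer) -or $newer) -and ($p.IsInstalled -ne 0)
            [pscustomobject]@{ Key = $key.PSChildName; Name = $p.'(default)'; StubPath = $p.StubPath;
                               Version = $p.Version; Pending = $pending }
        }
    }
}

function Compare-ActiveSetupBaseline([object[]]$Current, [string]$Path = $BaselinePath) {
    if (-not (Test-Path $Path)) {
        $Current | ConvertTo-Json | Set-Content $Path
        Write-Warning "No baseline at $Path; wrote one. Review it by hand before trusting it."
        return
    }
    $base = @{}
    foreach ($b in @(Get-Content $Path -Raw | ConvertFrom-Json)) { $base[$b.Key] = $b }
    foreach ($c in $Current) {
        $b = $base[$c.Key]
        $status = if (-not $b) { 'NEW' }
                  elseif ($b.StubPath -ne $c.StubPath) { 'STUBPATH-CHANGED' }
                  elseif ($b.Version -ne $c.Version) { 'VERSION-BUMPED' }   # re-arms execution for every user
        if ($status) { $c | Add-Member -NotePropertyName Status -NotePropertyValue $status -PassThru }
    }
}
Compare-ActiveSetupBaseline (Get-ActiveSetupComponent) | Format-List Status, Key, Name, StubPath, Version, Pending
```

Run it in the context of the user whose logon you are assessing, since Pending is computed against that user's HKCU copy; a VERSION-BUMPED entry is worth the same scrutiny as a new one because raising Version re-triggers StubPath for every user on the host.
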

Analyst notes and limits

This is a Windows-only ATT&CK sub-technique of Boot or Logon Autostart Execution, mapped to persistence and privilege escalation. The key decision point is whether defenders can prove visibility into Active Setup registry changes and the resulting user-context execution at logon. The supplied references show this mechanism is documented and has appeared in public reporting, including cases involving remote access tooling, but the take should be applied to local environment telemetry rather than treated as evidence of current activity.

The official ATT&CK detection field is not provided, and the related detection strategy is named but not detailed in the supplied fields. No specific mitigations, data sources, procedures, or active exploitation claims are included in the provided object. Local baselines are required because legitimate Windows and application setup activity can also use Active Setup.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain: Enterprise
ID: T1547
Name: Boot or Logon Autostart Execution
Relationship / procedure: This object is a sub-technique of Boot or Logon Autostart Execution.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release
19.1
Object version
1.1
Created
Modified
Raw hash
d4c5c14e8e440087...
Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported
Object version: 1.1
Modified
Status: Current bundle
Raw hash: d4c5c14e8e44…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1] Klein, H. (2010, April 22). Active Setup Explained. Retrieved December 18, 2020.
[2] Glyer, C. (2010). Examples of Recent APT Persistence Mechanism. Retrieved December 18, 2020.
[3] Scott-Railton, J., et al. (2015, December 8). Packrat. Retrieved December 18, 2020.
[4] Kindlund, D. (2012, December 30). CFR Watering Hole Attack Details. Retrieved November 17, 2024.
[5] Baumgartner, K., Guerrero-Saade, J. (2015, March 4). Who’s Really Spreading through the Bright Star? Retrieved December 18, 2020.
[6] Ray, V., et al. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved December 18, 2020.
[7] Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.
[8] MITRE ATT&CK. T1547.014: Active Setup.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.