T1547.001 Registry Run Keys / Startup Folder
T1547.001 — Registry Run Keys / Startup Folder is a MITRE ATT&CK technique in the Persistence tactic. Clankerusecase tracks 39 detection use cases covering it and 22 threat-intel articles citing it.
Tactics: Persistence · Privilege Escalation
39 use cases · 22 articles · 0 sub-techniques · 2 tactics
↑ Parent technique: T1547 · Boot or Logon Autostart Execution
Use cases covering this technique (39)
Registry Keys Used For Persistence
Windows Boot or Logon Autostart Execution In Startup Folder
Windows NorthStar C2 Agent Execution
Windows PowerShell MSIX Package Installation
Windows Registry BootExecute Modification
Windows Registry Modification for Safe Mode Persistence
[LLM] File writes to sensitive paths by LangGraph Python/Node runtime
[LLM] Registry Run-key persistence written by SPECTRALVIPER side-load chain
Article-specific behavioural hunt — WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine
[LLM] WinRAR CVE-2025-8088 — archive tool writes payload to user Startup folder
[LLM] Startup LNK spawns cmd.exe → PowerShell in-memory DLL loader (GIFTEDCROOK chain)
[LLM] axios RAT Windows persistence: %PROGRAMDATA%\wt.exe drop + %TEMP%\6202033.vbs/.ps1 staging
Article-specific behavioural hunt — Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a
[LLM] PowerShower dropped to user Pictures folder as googleearth.ps1
Article-specific behavioural hunt — Tracking TamperedChef Clusters via Certificate and Code Reuse
Article-specific behavioural hunt — Webworm: New burrowing techniques
Article-specific behavioural hunt — Webworm: New burrowing techniques
[LLM] Apache Camel JVM writing files to sensitive paths via camel-file (CVE-2026-47323 arbitrary file write)
Article-specific behavioural hunt — Kimsuky targets organizations with PebbleDash-based tools
[LLM] Kimsuky HelloDoor 'tdll' Run-key persistence with regsvr32 loader
[LLM] Kimsuky httpMalice persistence: 'Everything 1.9a-/1.8a-' Run-key or CacheDB service install
Article-specific behavioural hunt — FrostyNeighbor: Fresh mischief and digital shenanigans
Article-specific behavioural hunt — FrostyNeighbor: Fresh mischief and digital shenanigans
[LLM] IoliteLabs Stage-2 regsvr32 LOLbin loading ntuser DLL from fake Chrome\ChromeUpdate path
Article-specific behavioural hunt — TeamPCP Plants WAV Steganography Credential Stealer in telnyx PyPI Package
[LLM] msbuild.exe dropped to Startup folder (TeamPCP telnyx Windows persistence)
Article-specific behavioural hunt — Popular telnyx package compromised on PyPI by TeamPCP
[LLM] TeamPCP msbuild.exe persistence in user Startup folder
[LLM] ValleyRAT registry-resident shellcode (HKCU\Console\0|1) and MyPythonApp Run-key persistence
Article-specific behavioural hunt — GlassWorm Hides a RAT Inside a Malicious Chrome Extension
[LLM] GlassWorm Stage-3 RAT installation under %APPDATA%\QtCvyfVWKH\index.js
[LLM] GlassWorm Stage-3a UpdateLedger Run-key persistence pointing at %TEMP%\SKuyzYcDD.exe
[LLM] Glassworm stage-3 persistence: schtasks UpdateApp + HKCU Run DPKCbbQ
[LLM] DRILLAPP variant 1 persistence: LNK file written to user Startup folder by non-Explorer process
[LLM] PlugX persistence — Run key 'G DATA' pointing to C:\Users\Public\GDatas\Avk.exe
[LLM] MuddyViper persistence via ManageOnDriveUpdater scheduled task or Startup folder hijack
[LLM] WinRAR CVE-2025-8088 path traversal — payload dropped to user Startup folder
[LLM] Archive utility writing LNK/DLL/EXE to Windows Startup folder (RomCom CVE-2025-8088)
[LLM] SnakeStealer Startup-Folder Persistence (ageless.vbs / .exe drop in Programs\Startup)

Articles citing this technique (22)
crit · Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload · art-219