T1547Boot or Logon Autostart Execution
T1547 — Boot or Logon Autostart Execution is a MITRE ATT&CK technique in the Persistence tactic. Clankerusecase tracks 7 detection use cases covering it and 6 threat-intel articles citing it.
PersistencePrivilege Escalation
7Use cases
6Articles
14Sub-techniques
2Tactics
Sub-techniques (14)
T1547.014 · Active SetupT1547.002 · Authentication PackageT1547.006 · Kernel Modules and ExtensionsT1547.015 · Login ItemsT1547.008 · LSASS DriverT1547.010 · Port MonitorsT1547.012 · Print ProcessorsT1547.007 · Re-opened ApplicationsT1547.001 · Registry Run Keys / Startup FolderT1547.005 · Security Support ProviderT1547.009 · Shortcut ModificationT1547.003 · Time ProvidersT1547.004 · Winlogon Helper DLLT1547.013 · XDG Autostart Entries
Use cases covering this technique (7)
Windows Unsigned MS DLL Side-Loading [LLM] eBPF program load or pinned object created from non-system parent on Arch host [LLM] Atomic Arch rootkit — eBPF program load by AUR-build-chain descendant [LLM] macOS LaunchAgent Persistence — com.user.kitty-monitor.plist (Nx Console Compromise) [LLM] handler.lua dropped outside Algernon's configured web root (CVE-2026-45721 backdoor stage) [LLM] Mini Shai-Hulud persistence to ~/.claude/hooks and .vscode/tasks.json by node/npm/bun [LLM] Malicious '.github/workflows/discussion.yaml' workflow file created by npm/nodeArticles citing this technique (6)
crit 400+ AUR Packages Hijacked: What the “Atomic Arch” Campaign Means for Supply-Chain Security art-14