Skip to main content
Cyber Defense TacticsCyber Defense Tactics
HomeLearnResourcesBlogCommunity
Cyber Defense TacticsCyber Defense Tactics

Learn defensive security, leverage AI for cyber defense, and join a community of security professionals.

Learning

  • Blog
  • Resources
  • Newsletter

Community

  • Discord
  • YouTube
  • About

Legal

  • Privacy Policy
  • Terms of Service

© 2026 Cyber Defense Tactics. All rights reserved.

A Carbene.AI Project

Back to ATT&CK Hub
T1547

Boot or Logon Autostart Execution

Persistence
Featured

Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence.

View on MITRE ATT&CK

Real-World Example

The Emotet malware creates registry run keys to ensure it executes every time the user logs in, maintaining persistence even after reboots.

Defense Strategies

  • Monitor registry run keys
  • Restrict modification of startup locations
  • Application whitelisting
  • Regular system audits

Detection Methods

  • Monitor registry modifications
  • Track startup folder changes
  • Correlate with new file creation
  • Baseline normal autostart entries

Related Techniques in Persistence

T1053

Scheduled Task/Job

Ready to explore more techniques and join the community?