MITRE ATT&CK Technique T1547.014: Active Setup
Description
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level. Execution is once per user rather than at every logon: during logon, Windows compares each component key under <code>HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\</code> with the same-named key under <code>HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components\</code>, runs the component's <code>StubPath</code> if the HKCU key is missing or carries a lower <code>Version</code> value, and then copies the key to HKCU, so the command does not run again for that user unless the Version is raised or the HKCU key is removed. A component whose <code>IsInstalled</code> value is 0 is skipped.(Citation: Klein Active Setup 2010)

Adversaries may abuse Active Setup by creating a key under <code>HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\</code> and setting a malicious value for <code>StubPath</code>. This value will serve as the program that will be executed when a user logs into the computer.(Citation: Mandiant Glyer APT 2010)(Citation: Citizenlab Packrat 2015)(Citation: FireEye CFR Watering Hole 2012)(Citation: SECURELIST Bright Star 2015)(Citation: paloalto Tropic Trooper 2016)

Adversaries can abuse these components to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.
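The following hunting script is an added example written for this page; it is not part of the ATT&CK entry or of any cited report. It lists every Active Setup component under HKLM (both registry views), reads its StubPath, works out from the HKCU copy and the Version value whether the command would run again for the current user, and flags entries that point at a script host, a user-writable directory, a non-GUID key name, or an unsigned or missing binary. The script-host list and the path patterns are assumed heuristics for illustration, not an authoritative allow or deny list; tune them before relying on the output.

```powershell
# Added hunting example; my code, not part of the ATT&CK page or any cited report.
# Enumerates Active Setup components, decides whether each StubPath would still run
# for the current user, and flags entries worth a second look. The interpreter list
# and path patterns below are assumed heuristics, not an authoritative list.

$HklmRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'   # 32-bit view on 64-bit hosts
)
$HkcuRoot = 'HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components'

# Script hosts and download/execute LOLBins. regsvr32 and rundll32 are deliberately
# absent: stock Windows components use them, so on their own they are not a signal.
$ScriptHosts = @('powershell', 'pwsh', 'cmd', 'wscript', 'cscript', 'mshta', 'certutil', 'bitsadmin')

function Compare-ActiveSetupVersion([string]$Installed, [string]$PerUser) {
    # Active Setup versions are comma-separated integers ("1,0,0,1"); compare field by field.
    # Returns 1 if $Installed is newer (StubPath will run again), 0 if equal, -1 if older.
    $a = $Installed -split ','; $b = $PerUser -split ','
    for ($i = 0; $i -lt [Math]::Max($a.Count, $b.Count); $i++) {
        $x = 0; $y = 0
        if ($i -lt $a.Count) { [void][int]::TryParse($a[$i].Trim(), [ref]$x) }
        if ($i -lt $b.Count) { [void][int]::TryParse($b[$i].Trim(), [ref]$y) }
        if ($x -ne $y) { return [Math]::Sign($x - $y) }
    }
    return 0
}

function Get-StubExecutable([string]$StubPath) {
    # First token of the command line: a quoted path, or everything up to the first space.
    $expanded = [Environment]::ExpandEnvironmentVariables($StubPath.Trim())
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

function Get-ActiveSetupFinding {
    foreach ($root in $HklmRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
            if ([string]::IsNullOrWhiteSpace($props.StubPath)) { continue }   # nothing to execute

            $reasons = @()
            $exe     = Get-StubExecutable $props.StubPath
            $exeName = (($exe -split '[\\/]')[-1] -replace '\.[^.]+$', '').ToLower()

            # Would Windows run this StubPath at the current user's next logon?
            $perUser = Get-ItemProperty -LiteralPath (Join-Path $HkcuRoot $key.PSChildName) -ErrorAction SilentlyContinue
            $willRun = $false
            if ($props.IsInstalled -eq 0) { $willRun = $false }            # IsInstalled=0 disables the component
            elseif ($null -eq $perUser) { $willRun = $true }               # never run for this user yet
            elseif ($props.Version -and $perUser.Version) {
                $willRun = (Compare-ActiveSetupVersion $props.Version $perUser.Version) -gt 0
            }

            if ($ScriptHosts -contains $exeName) { $reasons += "script host / LOLBin: $exeName" }
            if ($props.StubPath -match '\\(Users|ProgramData|Temp|AppData)\\') { $reasons += 'user-writable path' }
            if ($key.PSChildName -notmatch '^>?\{[0-9A-Fa-f-]{36}\}$') { $reasons += 'non-GUID component name' }

            # Resolve the binary (absolute path, or PATH lookup for bare names) and check its signature.
            $resolved = $null
            if (Test-Path -LiteralPath $exe -PathType Leaf) { $resolved = $exe }
            else { $resolved = (Get-Command -Name $exe -ErrorAction SilentlyContinue).Source }
            if ($resolved) {
                $status = (Get-AuthenticodeSignature -FilePath $resolved).Status
                if ($status -ne 'Valid') { $reasons += "signature: $status" }
            } else {
                $reasons += 'executable not found on disk'
            }

            [pscustomobject]@{
                Key                   = $key.PSChildName
                StubPath              = $props.StubPath
                Version               = $props.Version
                WillRunForCurrentUser = $willRun
                Reasons               = $reasons
            }
        }
    }
}

# Review the entries with the most reasons first; anything flagged with
# WillRunForCurrentUser = True is live persistence for this account.
Get-ActiveSetupFinding |
    Sort-Object -Property @{ Expression = { $_.Reasons.Count }; Descending = $true } |
    Format-Table Key, StubPath, WillRunForCurrentUser, Reasons -AutoSize -Wrap
```

Run it from an elevated prompt so the WOW6432Node view and the signature checks are complete; to hunt for components already staged for other accounts, load each user's NTUSER.DAT with reg load and point $HkcuRoot at the mounted hive before re-running.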
Supported Platforms
Windows
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{
  "created": "2020-12-18T16:33:13.098Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "description": "Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nAdversaries may abuse Active Setup by creating a key under <code> HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\</code> and setting a malicious value for <code>StubPath</code>. This value will serve as the program that will be executed when a user logs into the computer.(Citation: Mandiant Glyer APT 2010)(Citation: Citizenlab Packrat 2015)(Citation: FireEye CFR Watering Hole 2012)(Citation: SECURELIST Bright Star 2015)(Citation: paloalto Tropic Trooper 2016)\n\nAdversaries can abuse these components to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.",
  "external_references": [
    {
      "external_id": "T1547.014",
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/techniques/T1547/014"
    },
    {
      "description": "Baumgartner, K., Guerrero-Saade, J. (2015, March 4). Who’s Really Spreading through the Bright Star?. Retrieved December 18, 2020.",
      "source_name": "SECURELIST Bright Star 2015",
      "url": "https://securelist.com/whos-really-spreading-through-the-bright-star/68978/"
    },
    {
      "description": "Glyer, C. (2010). Examples of Recent APT Persistence Mechanism. Retrieved December 18, 2020.",
      "source_name": "Mandiant Glyer APT 2010",
      "url": "https://digital-forensics.sans.org/summit-archives/2010/35-glyer-apt-persistence-mechanisms.pdf"
    },
    {
      "description": "Kindlund, D. (2012, December 30). CFR Watering Hole Attack Details. Retrieved November 17, 2024.",
      "source_name": "FireEye CFR Watering Hole 2012",
      "url": "https://web.archive.org/web/20201024230407/https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-details.html"
    },
    {
      "description": "Klein, H. (2010, April 22). Active Setup Explained. Retrieved December 18, 2020.",
      "source_name": "Klein Active Setup 2010",
      "url": "https://helgeklein.com/blog/2010/04/active-setup-explained/"
    },
    {
      "description": "Ray, V., et al. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved December 18, 2020.",
      "source_name": "paloalto Tropic Trooper 2016",
      "url": "https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/"
    },
    {
      "description": "Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.",
      "source_name": "TechNet Autoruns",
      "url": "https://technet.microsoft.com/en-us/sysinternals/bb963902"
    },
    {
      "description": "Scott-Railton, J., et al. (2015, December 8). Packrat. Retrieved December 18, 2020.",
      "source_name": "Citizenlab Packrat 2015",
      "url": "https://citizenlab.ca/2015/12/packrat-report/"
    }
  ],
  "id": "attack-pattern--22522668-ddf6-470b-a027-9d6866679f67",
  "kill_chain_phases": [
    { "kill_chain_name": "mitre-attack", "phase_name": "persistence" },
    { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" }
  ],
  "modified": "2025-10-24T17:48:31.226Z",
  "name": "Active Setup",
  "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ],
  "revoked": false,
  "spec_version": "2.1",
  "type": "attack-pattern",
  "x_mitre_attack_spec_version": "3.2.0",
  "x_mitre_contributors": [ "Bencherchali Nasreddine, @nas_bench, ELIT Security Team (DSSD)" ],
  "x_mitre_deprecated": false,
  "x_mitre_detection": "",
  "x_mitre_domains": [ "enterprise-attack" ],
  "x_mitre_is_subtechnique": true,
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_platforms": [ "Windows" ],
  "x_mitre_version": "1.1"
}