Suspicious Scripts in the Startup Directory
This rule identifies script engines creating files or the creation of script files in the Windows Startup folder, a persistence technique used by adversaries to automatically execute scripts upon user login.
Adversaries may abuse the Windows Startup folder to maintain persistence in an environment. The Startup folder is a special folder in Windows where programs added to this folder are executed during account logon without user interaction. This rule identifies script engines (wscript.exe, cscript.exe) creating files or the creation of script files with specific extensions (vbs, vbe, wsh, wsf, js, jse, sct, hta, ps1, bat, cmd) in the Startup folder. The rule is designed for data generated by Elastic Defend and also supports Microsoft Defender XDR, SentinelOne Cloud Funnel, and Sysmon.
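As an added illustration (not the platform's rule query), the following Python models the file-creation half of that logic over constructed Sysmon Event ID 11 records: an event matches when a file lands in a Startup folder and either the writing process is wscript.exe or cscript.exe, or the file carries one of the listed script extensions. Field names follow Sysmon's Image and TargetFilename; the sample records and the alert wording are assumptions made here.

```python
import ntpath

# Constructed model of the rule logic; not the platform's own query.
SYSMON_FILE_CREATE = 11
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".wsh", ".wsf", ".js", ".jse",
                     ".sct", ".hta", ".ps1", ".bat", ".cmd"}
# Both the per-user (%APPDATA%\...) and all-users (%ProgramData%\...)
# Startup folders end with this fragment; matched case-insensitively.
STARTUP_FRAGMENT = "\\microsoft\\windows\\start menu\\programs\\startup\\"

def classify(event):
    """Return why a Sysmon event matches the rule logic, or None if it does not."""
    if event.get("EventID") != SYSMON_FILE_CREATE:
        return None
    target = event.get("TargetFilename", "")
    if STARTUP_FRAGMENT not in target.lower():
        return None  # written somewhere other than a Startup folder
    image = ntpath.basename(event.get("Image", "")).lower()
    ext = ntpath.splitext(target)[1].lower()
    if image in SCRIPT_ENGINES:
        return f"script engine {image} wrote to Startup folder"
    if ext in SCRIPT_EXTENSIONS:
        return f"script file ({ext}) created in Startup folder"
    return None

def detect(events):
    """Return (TargetFilename, reason) for every matching event."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append((ev["TargetFilename"], reason))
    return hits

# Constructed sample records shaped like Sysmon Image / TargetFilename fields.
USER_STARTUP = "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
ALL_STARTUP = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "C:\\Windows\\System32\\wscript.exe", "TargetFilename": USER_STARTUP + "notes.txt"},  # engine writes any file
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": ALL_STARTUP + "helper.vbs"},  # listed extension
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": USER_STARTUP + "Outlook.lnk"},  # .lnk not listed
    {"EventID": 11, "Image": "C:\\Windows\\System32\\cscript.exe", "TargetFilename": "C:\\Users\\alice\\Documents\\tool.vbs"},  # not Startup
    {"EventID": 23, "Image": "C:\\Windows\\System32\\cscript.exe", "TargetFilename": USER_STARTUP + "tool.js"},  # FileDelete, not FileCreate
]

if __name__ == "__main__":
    for path, reason in detect(SAMPLE_EVENTS):
        print(f"ALERT {path}: {reason}")
```

Note that a .lnk shortcut, which the attack chain below also describes, falls outside the rule's extension list and is only flagged when a script engine writes it.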
Attack Chain
- An attacker gains initial access to a system.
- The attacker creates a malicious script (e.g., VBScript, PowerShell) designed to execute arbitrary commands.
- The attacker identifies the Startup folder path for a specific user or all users.
- The attacker creates a shortcut file (e.g., .lnk) or a script file directly within the Startup folder.
- The shortcut or script is configured to execute the malicious script.
- The system is restarted or the user logs in.
- The operating system automatically executes the script located in the Startup folder.
- The malicious script executes, allowing the attacker to perform actions such as installing malware, establishing persistence, or exfiltrating data.
Impact
A successful attack leveraging the Startup folder persistence mechanism allows the attacker to maintain unauthorized access to a compromised system. This can lead to the execution of malicious code, installation of malware, data theft, and further compromise of the network. The impact is significant, potentially affecting all users who log into the system.
Recommendation
- Deploy the Sigma rule “Detect Script Creation in Startup Directory” to your SIEM and tune for your environment to identify the creation of suspicious scripts in the Startup folder.
- Deploy the Sigma rule “Detect Script Execution via Startup Directory” to your SIEM and tune for your environment to identify script execution from the Startup directory.
- Enable Sysmon Event ID 11 (File Create) to collect necessary data for the detections above.
- Investigate any alerts generated by these rules promptly to identify and remediate potential persistence attempts.
- Block the file extensions listed in the rule query (vbs, vbe, wsh, wsf, js, jse, sct, hta, ps1, bat, cmd) from being written to the startup folder via application control policies where possible.
Detection coverage (2 rules)
- Detect Script Creation in Startup Directory (severity: medium): Detects the creation of script files in the Startup folder, a common persistence technique.
- Detect Script Execution via Startup Directory (severity: high): Detects execution of script files from the Startup directory, indicating potential persistence abuse.