Suspicious Process Writing to Startup Folder for Persistence
Adversaries may establish persistence by writing malicious files to the Windows Startup folder, allowing them to automatically execute upon user logon; this detection identifies suspicious processes creating files in these locations.
Attackers often leverage the Windows Startup folder to maintain persistence, because any executable, script, or shortcut placed in this folder runs automatically when a user logs on. The technique is attractive because it needs no exploit and no user interaction beyond a normal logon, and it is easy to automate. This rule detects when processes commonly abused by attackers, such as cmd.exe, powershell.exe, or mshta.exe, create files within the Startup folders (the per-user folder under AppData\Roaming and the all-users folder under ProgramData). The rule focuses on identifying unauthorized persistence mechanisms and helps defenders uncover potentially compromised systems. Because Startup-folder persistence is usually established shortly after initial access, monitoring file creation events from suspicious processes catches this activity early in the attack chain, before the payload has run at the next logon.
Attack Chain
- The attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).
- The attacker executes a command shell (e.g., `cmd.exe`, `powershell.exe`) on the compromised system.
- The attacker uses the command shell to write a malicious executable or script file to one of the Windows Startup folders (`C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*` or `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*`).
- The attacker modifies the file attributes (e.g., using `attrib.exe`) to hide the file or make it more difficult to detect.
- The attacker schedules a reboot or waits for the user to log off and back on.
- Upon user logon, the malicious executable or script in the Startup folder is automatically executed.
- The malicious code establishes persistence, potentially downloading additional payloads or establishing a command and control (C2) channel.
- The attacker maintains persistent access to the compromised system, enabling further malicious activities such as data theft or lateral movement.
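As an added illustration (not the vendor's detection query, which the page says is kept inside the platform), the following Python replays the rule's logic over a few constructed Sysmon Event ID 11 records: a file created directly inside either Startup folder by an image on a short list of commonly abused processes raises an alert. The process list, the field names (`Image`, `TargetFilename`, `User`, `ProcessId`, `Computer`) and the sample events are assumptions made for this example; the controls show why the path match must be anchored and case-insensitive, and why the `attrib.exe` step in the chain above never produces a file-create event.

```python
"""
Replay the Startup-folder rule over constructed Sysmon Event ID 11 records.
Process list, field names and sample events are this example's assumptions,
not the vendor's exact query.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Processes the page names as commonly abused, plus a few a practitioner would
# usually add. The vendor's complete list is not on the page (assumption).
SUSPICIOUS_IMAGES = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
    "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}

# The two Startup folders from the attack chain. Matching is case-insensitive
# because Sysmon records whatever casing the caller used ("Startup" vs
# "StartUp"), and the patterns are anchored so sibling folders under
# "Programs\" do not match.
_STARTUP_FOLDERS = [
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\windows"
               r"\\start menu\\programs\\startup\\", re.IGNORECASE),
    re.compile(r"^[a-z]:\\programdata\\microsoft\\windows"
               r"\\start menu\\programs\\startup\\", re.IGNORECASE),
]


@dataclass(frozen=True)
class Alert:
    computer: str
    user: str
    image: str
    target: str
    process_id: int


def is_startup_path(path: str) -> bool:
    """True if the path lies directly inside one of the Startup folders."""
    return any(p.match(path) for p in _STARTUP_FOLDERS)


def image_name(image: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return image.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> Optional[Alert]:
    """Apply the rule to one Sysmon event rendered as a flat field dict."""
    if event.get("EventID") != 11:          # only FileCreate is relevant
        return None
    target = event.get("TargetFilename", "")
    image = event.get("Image", "")
    if not is_startup_path(target):
        return None
    if image_name(image) not in SUSPICIOUS_IMAGES:
        return None                         # e.g. explorer.exe creating a shortcut
    return Alert(
        computer=event.get("Computer", "?"),
        user=event.get("User", "?"),
        image=image,
        target=target,
        process_id=int(event.get("ProcessId", 0)),
    )


def scan(events: Iterable[dict]) -> List[Alert]:
    """Run the rule over a stream of events and return the alerts in order."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed sample telemetry (not real logs). The first two events follow the
# attack chain; the remaining ones are controls the rule must not flag.
SAMPLE_EVENTS = [
    {"EventID": 11, "Computer": "WS01", "User": "CORP\\jdoe", "ProcessId": 4120,
     "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    {"EventID": 11, "Computer": "WS01", "User": "CORP\\jdoe", "ProcessId": 4188,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svc.lnk"},
    # explorer.exe creating a shortcut (a user pinning an app) is not in the list
    {"EventID": 11, "Computer": "WS01", "User": "CORP\\jdoe", "ProcessId": 2044,
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Teams.lnk"},
    # cmd.exe writing outside the Startup folder
    {"EventID": 11, "Computer": "WS01", "User": "CORP\\jdoe", "ProcessId": 4120,
     "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\jdoe\Desktop\notes.txt"},
    # cmd.exe writing to a sibling folder under Programs\, which must not match
    {"EventID": 11, "Computer": "WS01", "User": "CORP\\jdoe", "ProcessId": 4120,
     "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\x.lnk"},
    # the attrib.exe step is a process-creation event (EID 1), not a file write
    {"EventID": 1, "Computer": "WS01", "User": "CORP\\jdoe", "ProcessId": 4201,
     "Image": r"C:\Windows\System32\attrib.exe",
     "CommandLine": r'attrib +h "C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"'},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.computer}] {a.user} pid={a.process_id} {a.image} -> {a.target}")
```

Running the block prints the two alerts (cmd.exe writing `update.vbs` to the user Startup folder and powershell.exe writing `svc.lnk` to the all-users folder). In production the same `evaluate` logic belongs in the SIEM query, and the tuning the recommendation below asks for amounts to maintaining the process list and an exclusion list for installers that legitimately drop Startup shortcuts.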
Impact
Successful persistence through the Startup folder gives attackers access that survives reboots and logoffs, since the payload is re-executed at every logon of the affected user (or of any user, when the ProgramData folder is used). This can lead to data exfiltration, installation of ransomware, or further propagation within the network. The number of affected systems depends on the scope of the initial compromise and the attacker's ability to move laterally. Sectors commonly targeted by persistence techniques include finance, healthcare, and government.
Recommendation
- Enable Sysmon Event ID 11 (File Create) to capture file creation events, as referenced in the setup instructions. Sysmon only logs file creates that its configuration includes, so verify that the configuration covers both Startup folder paths and not just a default set of extensions.
- Deploy the Sigma rule `Suspicious Process Writing to Startup Folder` to your SIEM to detect suspicious processes creating files in the Startup folder, and tune it for your environment (for example, by excluding installers or software-deployment agents that legitimately drop Startup shortcuts).
- Investigate any alerts generated by the Sigma rule to determine whether the activity is malicious, referencing the investigation guide.
- Where legitimate use is not required, prevent the processes listed in the rule (`cmd.exe`, `powershell.exe`, etc.) from writing to the Startup folders, for example through EDR custom prevention rules or restrictive permissions on those folders.
Detection coverage (2 rules)
- Suspicious Process Writing to Startup Folder (severity: medium): Detects suspicious processes writing to the Windows Startup folder for persistence.
- Suspicious Process Writing to Startup Folder (Sysmon) (severity: medium): Detects suspicious processes writing to the Windows Startup folder for persistence via Sysmon Event ID 11.