Skip to content
Threat Feed
high advisory

Suspicious Startup Shell Folder Modification

This rule detects suspicious modifications to the startup shell folder registry keys, potentially indicating an attempt to establish persistence by pointing to malicious executables and bypassing traditional defenses.

This rule detects suspicious modifications to Windows registry keys associated with startup shell folders. Adversaries may modify these keys to establish persistence, ensuring malicious programs execute upon system boot or user logon. The technique involves changing the default Startup directory path in the registry, which can allow attackers to bypass traditional detection mechanisms that monitor file creation in the standard Windows Startup folder. This activity often evades standard AV/EDR solutions. This rule focuses on detecting modifications that deviate from the legitimate startup folder paths. This activity is often used to gain elevated privileges for the attacker.

Attack Chain

  1. The attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).
  2. The attacker executes code that modifies the Windows Registry.
  3. The attacker targets specific registry keys associated with the Startup shell folders, such as HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Startup or HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup.
  4. The attacker changes the registry.data.strings value of these keys to point to a non-standard or malicious location.
  5. A malicious executable is placed in the newly configured startup location.
  6. Upon system boot or user logon, the operating system reads the modified registry key.
  7. The operating system executes the malicious executable located in the attacker-defined startup path.
  8. The attacker achieves persistence, with the malicious code running automatically on each system start.

Impact

Successful exploitation allows attackers to establish persistence, ensuring their malicious code executes automatically upon system startup or user logon. This can lead to a wide range of consequences, including data theft, system compromise, and further propagation of malware within the network. The attacker can maintain long-term access to the compromised system, even after reboots.

Recommendation

  • Deploy the Sigma rule "Suspicious Startup Shell Folder Modification" to your SIEM to detect registry modifications to startup folders outside of standard paths (rule below).
  • Enable Sysmon registry event logging to capture registry modifications.
  • Investigate any alerts generated by this rule, focusing on the process making the changes and the destination path.
  • Correlate registry modification events with process execution events to identify malicious processes launched from the modified startup locations.

Detection coverage 2

Suspicious Startup Shell Folder Modification

high

Detects modifications to the Startup shell folder registry keys that deviate from standard paths, indicating potential persistence attempts.

sigma tactics: defense_evasion, persistence techniques: T1112, T1547.001 sources: registry_set, windows

Startup Folder Registry Modification - PowerShell

medium

Detects Registry modifications of startup folders with PowerShell

sigma tactics: defense_evasion, persistence techniques: T1112, T1547.001 sources: registry_set, windows

Detection queries are available on the platform. Get full rules →