Suspicious Startup Shell Folder Modification
Detects suspicious modifications to the Windows Startup shell folder, a technique used to bypass detections monitoring file creation in the Windows Startup folder.
This detection identifies suspicious modifications to the Windows Startup shell folder, a technique often employed to evade security measures that monitor file creation in the default Windows Startup folder. Attackers modify registry entries associated with the Startup folder to redirect the location where startup programs are executed. This bypasses traditional monitoring and allows malicious programs to persist and execute upon system startup without being detected. The rule focuses on detecting registry changes that deviate from the standard Startup folder paths, potentially indicating malicious intent. This is relevant for defenders because adversaries may attempt to modify shell folders to plant malicious programs.
Attack Chain
- An attacker gains initial access to the system.
- The attacker uses a process (e.g., powershell.exe, cmd.exe, or a custom executable) to modify the Windows Registry.
- The attacker targets specific registry keys associated with the Startup shell folder, such as HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Startup or HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup.
- The registry value for the Startup folder is changed to a non-standard path, such as a hidden directory or a user-writable location.
- The attacker places a malicious executable, script, or shortcut in the newly designated Startup folder.
- Upon system startup or user logon, the malicious program is executed from the redirected Startup folder.
- The malicious program performs its intended actions, such as establishing persistence, gathering sensitive information, or deploying additional malware.
Impact
Successful modification of the Startup shell folder can allow attackers to establish persistent access to a compromised system, bypassing traditional security measures. This can lead to data theft, system compromise, and further propagation of malware within the network. The number of victims depends on the scope of the initial compromise and the attacker’s objectives. The sectors targeted can vary widely, as this technique is applicable across different industries and environments.
Recommendation
- Enable registry monitoring to capture modifications to the Startup shell folder (Data Source: Sysmon).
- Deploy the Sigma rule Detect Suspicious Startup Shell Folder Modification to your SIEM and tune it for your environment.
- Investigate any alerts generated by the Sigma rule, focusing on the process that modified the registry, the new Startup folder path, and any files created in that folder (Sigma rule, registry logs).
- Monitor file creation events in the redirected Startup folder for any suspicious executables, scripts, or shortcuts (file_event logs).
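As an added illustration (not the page's Sigma rule or the platform's own query), the following Python applies the same detection logic to Sysmon registry value-set events: any write to the Startup or Common Startup shell-folder values whose data is not one of the default Windows paths is flagged. The sample events are constructed.

```python
# Flag Sysmon registry value-set events (Event ID 13) that repoint the Windows Startup
# shell folder away from its default location. Added example; sample events are constructed.
import re

# Values that tell Explorer where the per-user 'Startup' and machine-wide 'Common Startup' live.
STARTUP_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\"
    r"(?:User Shell Folders|Shell Folders)\\(?:Common Startup|Startup)$", re.IGNORECASE)

# Defaults: User Shell Folders holds the unexpanded form, Shell Folders the expanded one.
# Anything else is a redirect worth investigating.
_TAIL = r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup$"
EXPECTED_VALUE_RES = [
    re.compile(r"^%USERPROFILE%\\AppData\\Roaming" + _TAIL, re.IGNORECASE),
    re.compile(r"^%ProgramData%" + _TAIL, re.IGNORECASE),
    re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming" + _TAIL, re.IGNORECASE),
    re.compile(r"^[A-Za-z]:\\ProgramData" + _TAIL, re.IGNORECASE),
]

def is_expected_startup_path(details: str) -> bool:
    """True when the new value still points at a default Startup folder."""
    value = details.strip().strip('"').rstrip("\\")
    return any(rx.match(value) for rx in EXPECTED_VALUE_RES)

def detect(events):
    """Return the events that set a Startup shell folder value to a non-default path."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13:  # 13 = RegistryEvent (Value Set)
            continue
        if not STARTUP_KEY_RE.search(ev.get("TargetObject", "")):
            continue  # some other registry value; not a shell-folder redirect
        if not is_expected_startup_path(ev.get("Details", "")):
            alerts.append(ev)
    return alerts

# Constructed sample events using Sysmon field names (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",  # benign: default per-user path
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup",
     "Details": r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"},
    {"EventID": 13, "Image": r"C:\Windows\System32\cmd.exe",  # suspicious: redirected elsewhere
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Startup",
     "Details": r"C:\Users\Public\Libraries\.hidden"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",  # benign: default expanded path
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup",
     "Details": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"},
]
```

Running `detect(SAMPLE_EVENTS)` returns only the cmd.exe event; the two explorer.exe writes keep the default paths and are ignored.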
Detection coverage 2
Detect Suspicious Startup Shell Folder Modification
Severity: high. Detects modifications to the Windows Startup shell folder registry keys, potentially indicating persistence evasion.
Detect Suspicious Startup Folder Program Execution
Severity: medium. Detects execution of programs from a non-standard startup folder location.