Windows Autostart Persistence via Startup Folder
Adversaries commonly leverage file creation in the Windows `%startup%` folder (T1547.001) to establish persistence, ensuring malicious code executes automatically upon system boot or user logon, potentially leading to system compromise and unauthorized access.
This threat brief details a common persistence technique where adversaries create malicious files within the Windows %startup% folder. This method, categorized under MITRE ATT&CK T1547.001 (Boot or Logon Autostart Execution: Startup Folder), ensures that attacker-controlled code automatically executes whenever the system boots or a user logs in. While the specific threat actor or delivery mechanism is not detailed in this particular intelligence, the technique is widely adopted by various malware families and adversaries, including those associated with XWorm and Chaos Ransomware campaigns. Detection of such activity is crucial as it signifies established foothold and continued unauthorized access, potentially leading to further system compromise and data exfiltration.
Attack Chain
- Initial Access is gained by the adversary through an unspecified method (e.g., phishing, exploit).
- The adversary then executes a command or process to place a malicious executable or script (e.g.,
malware.exe,script.vbs, or a shortcut.lnkfile) into the user's or system's Windows Startup folder. Common paths include%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\or%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\. - The malicious file is specifically crafted to serve as a persistence mechanism, often being a downloader, a remote access Trojan (RAT), or a component of ransomware.
- Upon the next system boot or user logon, the Windows operating system enumerates the contents of the Startup folder and automatically launches the newly placed malicious file.
- The automatically executed malicious code initiates its payload, which could involve establishing command and control (C2) communication, collecting system information, or dropping additional stages of malware.
- This successful execution provides the adversary with sustained access to the compromised endpoint, allowing for continued malicious operations even after system restarts or user logoffs.
Impact
If successful, the adversary gains persistent access to the compromised system, allowing for continued execution of malicious payloads. This can lead to severe consequences including, but not limited to, unauthorized access to sensitive data, installation of additional malware (e.g., ransomware, stealers, remote access Trojans as seen with XWorm and Chaos Ransomware), lateral movement within the network, and complete system compromise. The prolonged presence significantly increases the risk of data exfiltration and disruption of business operations.
Recommendation
- Deploy the Sigma rule "Detect Windows Autostart Persistence via Startup Folder" in this brief to your SIEM and tune for your environment.
- Enable Sysmon Event ID 11 (FileCreate) logging on all Windows endpoints to ensure the necessary telemetry for this detection is collected.
- Implement application whitelisting or strong execution policies to prevent unauthorized executables from running from the
%startup%folder.
Detection coverage 1
Detect Windows Autostart Persistence via Startup Folder
mediumDetects the creation of files in the Windows Startup folder, a common technique for establishing persistence upon system boot or user logon (T1547.001).
Detection queries are available on the platform. Get full rules →