{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/startup-folder/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["persistence","startup-folder","windows","malware"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may establish persistence on a system by placing malicious scripts or shortcuts in the Windows Startup folder. This folder contains programs that are executed during account logon, without user interaction. This technique allows adversaries to automatically execute malicious code each time a user logs in. The rule detects the creation of script files (e.g., .vbs, .js, .ps1) within the Startup folder, as well as script engines (wscript.exe, cscript.exe) creating files within this directory. The monitored file extensions include vbs, vbe, wsh, wsf, js, jse, sct, hta, ps1, bat, and cmd. Successful exploitation can lead to persistent malware infections, unauthorized access, and further compromise of the system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system through various means (e.g., phishing, exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the Startup folder locations: \u003ccode\u003eC:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\\u003c/code\u003e and \u003ccode\u003eC:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious script (e.g., PowerShell script, VBScript, JavaScript).\u003c/li\u003e\n\u003cli\u003eThe attacker uses a script engine (e.g., \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003ecscript.exe\u003c/code\u003e) or another process to create or modify a file with a malicious script, within one of the Startup folders.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker directly copies a malicious script file into the Startup folder.\u003c/li\u003e\n\u003cli\u003eThe system is rebooted, or the user logs off and logs back on.\u003c/li\u003e\n\u003cli\u003eThe malicious script is automatically executed during the logon process.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence, enabling them to execute arbitrary commands, install malware, or perform other malicious activities on the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows for persistent malware infections, unauthorized access, and further compromise of the system.  Attackers can use this persistence to maintain access to a compromised system even after reboots or credential changes. This can lead to data theft, system disruption, or further propagation of the attack within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Script Creation in Startup Folder\u0026quot; to your SIEM and tune for your environment based on the \u003ccode\u003efile_event\u003c/code\u003e and \u003ccode\u003eprocess_creation\u003c/code\u003e log sources.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon file creation and process creation logging on Windows endpoints to collect the necessary event data for the Sigma rules above.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules above, focusing on unusual or unexpected script activity in the Startup folder.\u003c/li\u003e\n\u003cli\u003eConsider implementing application control policies to restrict the execution of unauthorized scripts and executables in the Startup folder.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-startup-folder-persistence/","summary":"This rule identifies script engines creating files in the Startup folder, or the creation of script files in the Startup folder, enabling adversaries to maintain persistence by placing malicious scripts or shortcuts in the Windows Startup folder, which are then executed during account logon.","title":"Detection of Persistent Scripts in the Startup Directory","url":"https://feed.craftedsignal.io/briefs/2024-01-startup-folder-persistence/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows","Microsoft Office","Internet Explorer"],"_cs_severities":["medium"],"_cs_tags":["persistence","startup-folder","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies suspicious processes writing to the Windows Startup folder, a common persistence mechanism. The rule focuses on detecting file creation or modification within the Startup folder by processes such as \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ewmic.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003epwsh.exe\u003c/code\u003e, \u003ccode\u003ecscript.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003eregsvr32.exe\u003c/code\u003e, \u003ccode\u003eRegAsm.exe\u003c/code\u003e, \u003ccode\u003erundll32.exe\u003c/code\u003e, \u003ccode\u003eEQNEDT32.EXE\u003c/code\u003e, \u003ccode\u003eWINWORD.EXE\u003c/code\u003e, \u003ccode\u003eEXCEL.EXE\u003c/code\u003e, \u003ccode\u003ePOWERPNT.EXE\u003c/code\u003e, \u003ccode\u003eMSPUB.EXE\u003c/code\u003e, \u003ccode\u003eMSACCESS.EXE\u003c/code\u003e, \u003ccode\u003eiexplore.exe\u003c/code\u003e, and \u003ccode\u003eInstallUtil.exe\u003c/code\u003e. These processes, while legitimate, are often abused by adversaries to establish persistence. The rule is designed to detect this behavior across various Windows environments and utilizes EQL for efficient detection. The detection logic was last updated on April 7, 2026. This activity is a common persistence technique, and detecting it can prevent attackers from maintaining long-term access to compromised systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, often through methods like phishing or exploiting vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a commonly abused process, such as \u003ccode\u003epowershell.exe\u003c/code\u003e or \u003ccode\u003ecmd.exe\u003c/code\u003e, to write a malicious file to the Startup folder.\u003c/li\u003e\n\u003cli\u003eThe malicious file could be a script, executable, or shortcut designed to execute upon user login or system startup.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the Startup folder to automatically execute their malicious payload without user interaction.\u003c/li\u003e\n\u003cli\u003eUpon the next user login or system startup, the malicious file is executed by \u003ccode\u003eexplorer.exe\u003c/code\u003e, initiating the attacker's payload.\u003c/li\u003e\n\u003cli\u003eThe payload establishes a connection to a command-and-control server for further instructions and exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker gains persistent access to the compromised system, allowing them to perform malicious activities such as data theft or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to persistent access for the attacker, enabling them to perform various malicious activities such as data exfiltration, deployment of ransomware, or further compromise of the network. The impact can range from data breaches and financial loss to disruption of business operations. While the number of victims is variable, the sectors most commonly targeted include government, finance, and technology.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to your SIEM and tune them for your environment to detect suspicious processes writing to the Startup folder.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon file creation and modification logging to capture the necessary events for the provided Sigma rules to function.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules to determine if the activity is legitimate or malicious as outlined in the rule's documentation.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for processes such as cmd.exe, powershell.exe, wmic.exe and others writing files to the paths \u0026quot;C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*\u0026quot; and \u0026quot;C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\*\u0026quot;.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T15:00:00Z","date_published":"2024-01-02T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-startup-persistence/","summary":"This rule identifies files written to or modified in the startup folder by commonly abused processes on Windows systems, a technique adversaries use to maintain persistence by automatically executing malicious programs upon user login or system startup.","title":"Startup Folder Persistence by Suspicious Processes","url":"https://feed.craftedsignal.io/briefs/2024-01-startup-persistence/"}],"language":"en","title":"CraftedSignal Threat Feed - Startup-Folder","version":"https://jsonfeed.org/version/1.1"}