<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Startup-Folder - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/startup-folder/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 23 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/startup-folder/feed.xml" rel="self" type="application/rss+xml"/><item><title>Detection of Persistent Scripts in the Startup Directory</title><link>https://feed.craftedsignal.io/briefs/2024-01-startup-folder-persistence/</link><pubDate>Tue, 23 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-startup-folder-persistence/</guid><description>This rule identifies script engines creating files in the Startup folder, or the creation of script files in the Startup folder, enabling adversaries to maintain persistence by placing malicious scripts or shortcuts in the Windows Startup folder, which are then executed during account logon.</description><content:encoded><![CDATA[<p>Attackers may establish persistence on a system by placing malicious scripts or shortcuts in the Windows Startup folder. This folder contains programs that are executed during account logon, without user interaction. This technique allows adversaries to automatically execute malicious code each time a user logs in. The rule detects the creation of script files (e.g., .vbs, .js, .ps1) within the Startup folder, as well as script engines (wscript.exe, cscript.exe) creating files within this directory. The monitored file extensions include vbs, vbe, wsh, wsf, js, jse, sct, hta, ps1, bat, and cmd. Successful exploitation can lead to persistent malware infections, unauthorized access, and further compromise of the system.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to the target system through various means (e.g., phishing, exploitation of a vulnerability).</li>
<li>The attacker identifies the Startup folder locations: <code>C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\</code> and <code>C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\</code>.</li>
<li>The attacker crafts a malicious script (e.g., PowerShell script, VBScript, JavaScript).</li>
<li>The attacker uses a script engine (e.g., <code>wscript.exe</code>, <code>cscript.exe</code>) or another process to create or modify a file with a malicious script, within one of the Startup folders.</li>
<li>Alternatively, the attacker directly copies a malicious script file into the Startup folder.</li>
<li>The system is rebooted, or the user logs off and logs back on.</li>
<li>The malicious script is automatically executed during the logon process.</li>
<li>The attacker achieves persistence, enabling them to execute arbitrary commands, install malware, or perform other malicious activities on the system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows for persistent malware infections, unauthorized access, and further compromise of the system.  Attackers can use this persistence to maintain access to a compromised system even after reboots or credential changes. This can lead to data theft, system disruption, or further propagation of the attack within the network.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Detect Script Creation in Startup Folder&quot; to your SIEM and tune for your environment based on the <code>file_event</code> and <code>process_creation</code> log sources.</li>
<li>Enable Sysmon file creation and process creation logging on Windows endpoints to collect the necessary event data for the Sigma rules above.</li>
<li>Investigate any alerts generated by the Sigma rules above, focusing on unusual or unexpected script activity in the Startup folder.</li>
<li>Consider implementing application control policies to restrict the execution of unauthorized scripts and executables in the Startup folder.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>persistence</category><category>startup-folder</category><category>windows</category><category>malware</category></item><item><title>Startup Folder Persistence by Suspicious Processes</title><link>https://feed.craftedsignal.io/briefs/2024-01-startup-persistence/</link><pubDate>Tue, 02 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-startup-persistence/</guid><description>This rule identifies files written to or modified in the startup folder by commonly abused processes on Windows systems, a technique adversaries use to maintain persistence by automatically executing malicious programs upon user login or system startup.</description><content:encoded><![CDATA[<p>This detection rule identifies suspicious processes writing to the Windows Startup folder, a common persistence mechanism. The rule focuses on detecting file creation or modification within the Startup folder by processes such as <code>cmd.exe</code>, <code>powershell.exe</code>, <code>wmic.exe</code>, <code>mshta.exe</code>, <code>pwsh.exe</code>, <code>cscript.exe</code>, <code>wscript.exe</code>, <code>regsvr32.exe</code>, <code>RegAsm.exe</code>, <code>rundll32.exe</code>, <code>EQNEDT32.EXE</code>, <code>WINWORD.EXE</code>, <code>EXCEL.EXE</code>, <code>POWERPNT.EXE</code>, <code>MSPUB.EXE</code>, <code>MSACCESS.EXE</code>, <code>iexplore.exe</code>, and <code>InstallUtil.exe</code>. These processes, while legitimate, are often abused by adversaries to establish persistence. The rule is designed to detect this behavior across various Windows environments and utilizes EQL for efficient detection. The detection logic was last updated on April 7, 2026. This activity is a common persistence technique, and detecting it can prevent attackers from maintaining long-term access to compromised systems.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a Windows system, often through methods like phishing or exploiting vulnerabilities.</li>
<li>The attacker uses a commonly abused process, such as <code>powershell.exe</code> or <code>cmd.exe</code>, to write a malicious file to the Startup folder.</li>
<li>The malicious file could be a script, executable, or shortcut designed to execute upon user login or system startup.</li>
<li>The attacker leverages the Startup folder to automatically execute their malicious payload without user interaction.</li>
<li>Upon the next user login or system startup, the malicious file is executed by <code>explorer.exe</code>, initiating the attacker's payload.</li>
<li>The payload establishes a connection to a command-and-control server for further instructions and exfiltration.</li>
<li>The attacker gains persistent access to the compromised system, allowing them to perform malicious activities such as data theft or lateral movement.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can lead to persistent access for the attacker, enabling them to perform various malicious activities such as data exfiltration, deployment of ransomware, or further compromise of the network. The impact can range from data breaches and financial loss to disruption of business operations. While the number of victims is variable, the sectors most commonly targeted include government, finance, and technology.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rules provided below to your SIEM and tune them for your environment to detect suspicious processes writing to the Startup folder.</li>
<li>Enable Sysmon file creation and modification logging to capture the necessary events for the provided Sigma rules to function.</li>
<li>Investigate any alerts generated by these rules to determine if the activity is legitimate or malicious as outlined in the rule's documentation.</li>
<li>Monitor process execution events for processes such as cmd.exe, powershell.exe, wmic.exe and others writing files to the paths &quot;C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*&quot; and &quot;C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*&quot;.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>persistence</category><category>startup-folder</category><category>windows</category></item></channel></rss>