{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/startup/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR"],"_cs_severities":["medium"],"_cs_tags":["persistence","startup","windows","attack.persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eAdversaries may abuse the Windows Startup folder to maintain persistence in an environment. The Startup folder is a special folder in Windows where programs added to this folder are executed during account logon without user interaction. This rule identifies script engines (wscript.exe, cscript.exe) creating files or the creation of script files with specific extensions (vbs, vbe, wsh, wsf, js, jse, sct, hta, ps1, bat, cmd) in the Startup folder. The rule is designed for data generated by Elastic Defend and also supports Microsoft Defender XDR, SentinelOne Cloud Funnel, and Sysmon.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a malicious script (e.g., VBScript, PowerShell) designed to execute arbitrary commands.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the Startup folder path for a specific user or all users.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a shortcut file (e.g., .lnk) or a script file directly within the Startup folder.\u003c/li\u003e\n\u003cli\u003eThe shortcut or script is configured to execute the malicious script.\u003c/li\u003e\n\u003cli\u003eThe system is restarted or the user logs in.\u003c/li\u003e\n\u003cli\u003eThe operating system automatically executes the script located in the Startup folder.\u003c/li\u003e\n\u003cli\u003eThe malicious script executes, allowing the attacker to perform actions such as installing malware, establishing persistence, or exfiltrating data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging the Startup folder persistence mechanism allows the attacker to maintain unauthorized access to a compromised system. This can lead to the execution of malicious code, installation of malware, data theft, and further compromise of the network. The impact is significant, potentially affecting all users who log into the system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Script Creation in Startup Directory\u0026rdquo; to your SIEM and tune for your environment to identify the creation of suspicious scripts in the Startup folder.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Script Execution via Startup Directory\u0026rdquo; to your SIEM and tune for your environment to identify script execution from the Startup directory.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) to collect necessary data for the detections above.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules promptly to identify and remediate potential persistence attempts.\u003c/li\u003e\n\u003cli\u003eBlock the file extensions listed in the rule query (vbs, vbe, wsh, wsf, js, jse, sct, hta, ps1, bat, cmd) from being written to the startup folder via application control policies where possible.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-startup-folder-persistence/","summary":"This rule identifies script engines creating files or the creation of script files in the Windows Startup folder, a persistence technique used by adversaries to automatically execute scripts upon user login.","title":"Suspicious Scripts in the Startup Directory","url":"https://feed.craftedsignal.io/briefs/2024-01-startup-folder-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["persistence","startup","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eAttackers often leverage the Windows Startup folder to maintain persistence, as any executable placed in this folder will automatically run when a user logs into the system. This technique is particularly effective because it requires no user interaction and can easily be automated. This rule detects when processes commonly abused by attackers, such as cmd.exe, powershell.exe, or mshta.exe, write or modify files within the Startup folders. The rule focuses on identifying unauthorized persistence mechanisms and helps defenders uncover potentially compromised systems. By monitoring file creation events in the Startup folders by suspicious processes, this detection aims to catch malicious activity early in the attack chain.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a command shell (e.g., \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e) on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the command shell to write a malicious executable or script file to one of the Windows Startup folders (\u003ccode\u003eC:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\u003c/code\u003e or \u003ccode\u003eC:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the file attributes (e.g., using \u003ccode\u003eattrib.exe\u003c/code\u003e) to hide the file or make it more difficult to detect.\u003c/li\u003e\n\u003cli\u003eThe attacker schedules a reboot or waits for the user to log off and back on.\u003c/li\u003e\n\u003cli\u003eUpon user logon, the malicious executable or script in the Startup folder is automatically executed.\u003c/li\u003e\n\u003cli\u003eThe malicious code establishes persistence, potentially downloading additional payloads or establishing a command and control (C2) channel.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access to the compromised system, enabling further malicious activities such as data theft or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to persistent access on the compromised system, allowing attackers to maintain their foothold even after system reboots. This can lead to data exfiltration, installation of ransomware, or further propagation within the network. The number of affected systems depends on the scope of the initial compromise and the attacker\u0026rsquo;s ability to move laterally. Sectors commonly targeted by persistence techniques include finance, healthcare, and government.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) to capture file creation events, as referenced in the \u003ca href=\"#setup\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious Process Writing to Startup Folder\u003c/code\u003e to your SIEM to detect suspicious processes creating files in the startup folder, and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine if the activity is malicious, referencing the \u003ca href=\"#note\"\u003einvestigation guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eBlock the processes listed in the rule (\u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, etc.) from writing to the startup folders if legitimate use is not required.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-startup-persistence/","summary":"Adversaries may establish persistence by writing malicious files to the Windows Startup folder, allowing them to automatically execute upon user logon; this detection identifies suspicious processes creating files in these locations.","title":"Suspicious Process Writing to Startup Folder for Persistence","url":"https://feed.craftedsignal.io/briefs/2024-01-startup-persistence/"}],"language":"en","title":"CraftedSignal Threat Feed — Startup","version":"https://jsonfeed.org/version/1.1"}