<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Startup — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/startup/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 14:30:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/startup/feed.xml" rel="self" type="application/rss+xml"/><item><title>Suspicious Scripts in the Startup Directory</title><link>https://feed.craftedsignal.io/briefs/2024-01-startup-folder-persistence/</link><pubDate>Wed, 03 Jan 2024 14:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-startup-folder-persistence/</guid><description>This rule identifies script engines creating files or the creation of script files in the Windows Startup folder, a persistence technique used by adversaries to automatically execute scripts upon user login.</description><content:encoded><![CDATA[<p>Adversaries may abuse the Windows Startup folder to maintain persistence in an environment. The Startup folder is a special folder in Windows where programs added to this folder are executed during account logon without user interaction. This rule identifies script engines (wscript.exe, cscript.exe) creating files or the creation of script files with specific extensions (vbs, vbe, wsh, wsf, js, jse, sct, hta, ps1, bat, cmd) in the Startup folder. The rule is designed for data generated by Elastic Defend and also supports Microsoft Defender XDR, SentinelOne Cloud Funnel, and Sysmon.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a system.</li>
<li>The attacker creates a malicious script (e.g., VBScript, PowerShell) designed to execute arbitrary commands.</li>
<li>The attacker identifies the Startup folder path for a specific user or all users.</li>
<li>The attacker creates a shortcut file (e.g., .lnk) or a script file directly within the Startup folder.</li>
<li>The shortcut or script is configured to execute the malicious script.</li>
<li>The system is restarted or the user logs in.</li>
<li>The operating system automatically executes the script located in the Startup folder.</li>
<li>The malicious script executes, allowing the attacker to perform actions such as installing malware, establishing persistence, or exfiltrating data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack leveraging the Startup folder persistence mechanism allows the attacker to maintain unauthorized access to a compromised system. This can lead to the execution of malicious code, installation of malware, data theft, and further compromise of the network. The impact is significant, potentially affecting all users who log into the system.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Detect Script Creation in Startup Directory&rdquo; to your SIEM and tune for your environment to identify the creation of suspicious scripts in the Startup folder.</li>
<li>Deploy the Sigma rule &ldquo;Detect Script Execution via Startup Directory&rdquo; to your SIEM and tune for your environment to identify script execution from the Startup directory.</li>
<li>Enable Sysmon Event ID 11 (File Create) to collect necessary data for the detections above.</li>
<li>Investigate any alerts generated by these rules promptly to identify and remediate potential persistence attempts.</li>
<li>Block the file extensions listed in the rule query (vbs, vbe, wsh, wsf, js, jse, sct, hta, ps1, bat, cmd) from being written to the startup folder via application control policies where possible.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>persistence</category><category>startup</category><category>windows</category><category>attack.persistence</category></item><item><title>Suspicious Process Writing to Startup Folder for Persistence</title><link>https://feed.craftedsignal.io/briefs/2024-01-startup-persistence/</link><pubDate>Wed, 03 Jan 2024 14:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-startup-persistence/</guid><description>Adversaries may establish persistence by writing malicious files to the Windows Startup folder, allowing them to automatically execute upon user logon; this detection identifies suspicious processes creating files in these locations.</description><content:encoded><![CDATA[<p>Attackers often leverage the Windows Startup folder to maintain persistence, as any executable placed in this folder will automatically run when a user logs into the system. This technique is particularly effective because it requires no user interaction and can easily be automated. This rule detects when processes commonly abused by attackers, such as cmd.exe, powershell.exe, or mshta.exe, write or modify files within the Startup folders. The rule focuses on identifying unauthorized persistence mechanisms and helps defenders uncover potentially compromised systems. By monitoring file creation events in the Startup folders by suspicious processes, this detection aims to catch malicious activity early in the attack chain.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).</li>
<li>The attacker executes a command shell (e.g., <code>cmd.exe</code>, <code>powershell.exe</code>) on the compromised system.</li>
<li>The attacker uses the command shell to write a malicious executable or script file to one of the Windows Startup folders (<code>C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*</code> or <code>C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*</code>).</li>
<li>The attacker modifies the file attributes (e.g., using <code>attrib.exe</code>) to hide the file or make it more difficult to detect.</li>
<li>The attacker schedules a reboot or waits for the user to log off and back on.</li>
<li>Upon user logon, the malicious executable or script in the Startup folder is automatically executed.</li>
<li>The malicious code establishes persistence, potentially downloading additional payloads or establishing a command and control (C2) channel.</li>
<li>The attacker maintains persistent access to the compromised system, enabling further malicious activities such as data theft or lateral movement.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation leads to persistent access on the compromised system, allowing attackers to maintain their foothold even after system reboots. This can lead to data exfiltration, installation of ransomware, or further propagation within the network. The number of affected systems depends on the scope of the initial compromise and the attacker&rsquo;s ability to move laterally. Sectors commonly targeted by persistence techniques include finance, healthcare, and government.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Sysmon Event ID 11 (File Create) to capture file creation events, as referenced in the rule's setup instructions.</li>
<li>Deploy the Sigma rule <code>Suspicious Process Writing to Startup Folder</code> to your SIEM to detect suspicious processes creating files in the startup folder, and tune for your environment.</li>
<li>Investigate any alerts generated by the Sigma rule to determine if the activity is malicious, referencing the rule's investigation guide.</li>
<li>Block the processes listed in the rule (<code>cmd.exe</code>, <code>powershell.exe</code>, etc.) from writing to the startup folders if legitimate use is not required.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>persistence</category><category>startup</category><category>windows</category></item></channel></rss>