LoFP / administrators may allow creation of script or exe in this path.

Techniques

Sample rules

Windows User Execution Malicious URL Shortcut File

Description

This analytic identifies suspicious creation of URL shortcut (.url) files. This technique was seen in CHAOS ransomware, which drops a .url file in the %startup% folder containing the path of its malicious dropped payload so that the payload executes when the targeted host reboots. A normal application can also create this type of file, but it is good practice to verify such files, especially the resource they try to execute, which is commonly a website.

Detection logic


|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where NOT(Filesystem.file_path IN ("*\\Program Files*")) Filesystem.file_name = *.url by Filesystem.file_create_time Filesystem.process_id  Filesystem.file_name Filesystem.user Filesystem.file_path Filesystem.process_guid Filesystem.dest 
| `drop_dm_object_name(Filesystem)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_user_execution_malicious_url_shortcut_file_filter`

Windows Boot or Logon Autostart Execution In Startup Folder

Description

This analytic identifies suspicious files dropped or created in the Windows %startup% folder. This technique is a common way to gain persistence on a targeted host. Threat actors, adversaries and red teamers abuse this folder path to automatically execute their malicious sample when the infected host boots or restarts. This TTP detection is a good indicator that a suspicious process wants to gain persistence on the targeted host. We suggest verifying the process name (via the process_guid field), the file created, and also the user and computer name for further investigation.

Detection logic


|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path = "*\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user Filesystem.file_path Filesystem.process_guid Filesystem.dest 
| `drop_dm_object_name(Filesystem)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_boot_or_logon_autostart_execution_in_startup_folder_filter`
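The two rules above express the same idea in SPL: flag .url files created outside Program Files, and flag anything created under the Startup folder, with a trailing `_filter` macro for the administrator-approved writers that this LoFP entry describes. The following is an added Python example (not part of the LoFP site or Splunk's security_content) that applies both conditions to constructed Endpoint.Filesystem-style events, models the filter macro as an allowlist of process names, and parses a .url file's `URL=` line so the resource it would launch can be checked. The process names, paths and `allowed_processes` parameter are assumptions for illustration.

```python
import re

# Path patterns mirroring the where-clauses of the two SPL rules (case-insensitive, like Splunk wildcards).
STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
PROGRAM_FILES_RE = re.compile(r"\\Program Files", re.I)

# Constructed sample events shaped like Endpoint.Filesystem rows; not real telemetry.
SAMPLE_EVENTS = [
    {"file_path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.url",
     "file_name": "update.url", "user": "alice", "process_name": "dropper.exe", "dest": "WS01"},
    {"file_path": r"C:\Program Files\Vendor\help.url",
     "file_name": "help.url", "user": "SYSTEM", "process_name": "setup.exe", "dest": "WS01"},
    {"file_path": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\agent.exe",
     "file_name": "agent.exe", "user": "bob", "process_name": "mgmt-client.exe", "dest": "WS02"},
    {"file_path": r"C:\Users\bob\Desktop\notes.txt",
     "file_name": "notes.txt", "user": "bob", "process_name": "notepad.exe", "dest": "WS02"},
]

def url_shortcut_rule(ev):
    """Rule 1: a .url file created anywhere except under *\\Program Files*."""
    return ev["file_name"].lower().endswith(".url") and not PROGRAM_FILES_RE.search(ev["file_path"])

def startup_folder_rule(ev):
    """Rule 2: any file created under a per-user or all-users Startup folder."""
    return bool(STARTUP_RE.search(ev["file_path"]))

def run_detections(events, allowed_processes=frozenset()):
    """Return (rule_name, file_path) hits. allowed_processes plays the role of the
    *_filter macros: writers an administrator has approved for this path (the LoFP case)."""
    hits = []
    for ev in events:
        if ev["process_name"].lower() in allowed_processes:
            continue  # tuned-out false positive, same effect as the filter macro
        for name, rule in (("url_shortcut", url_shortcut_rule), ("startup_folder", startup_folder_rule)):
            if rule(ev):
                hits.append((name, ev["file_path"]))
    return hits

def shortcut_target(url_file_text):
    """Extract the URL= value of an [InternetShortcut] file so the analyst can see what
    the shortcut launches: a local file path is far more suspicious than a website."""
    m = re.search(r"^\s*URL\s*=\s*(.+?)\s*$", url_file_text, re.I | re.M)
    return m.group(1) if m else None

if __name__ == "__main__":
    for hit in run_detections(SAMPLE_EVENTS, allowed_processes={"mgmt-client.exe"}):
        print(hit)
    print(shortcut_target("[InternetShortcut]\r\nURL=file:///C:/Users/alice/AppData/Local/Temp/svc.exe\r\n"))
```

The allowlist suppresses the approved management client's .exe drop but still reports the .url shortcut, whose target resolves to a local executable rather than a website.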