LoFP / fp could be caused by legitimate application writing shortcuts for example. this folder should always be inspected to make sure that all the files in there are legitimate

Techniques

Sample rules

Startup Folder File Write

source: sigma
technicques:
- t1547
- t1547.001

Description

A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.

Detection logic

condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_update:
- Image: C:\Windows\System32\wuauclt.exe
- TargetFilename|startswith: C:\$WINDOWS.~BT\NewOS\
filter_optional_onenote:
  Image|endswith: \ONENOTE.EXE
  TargetFilename|endswith: \Send to OneNote.lnk
selection:
  TargetFilename|contains: \Microsoft\Windows\Start Menu\Programs\StartUp