LoFP / rare legitimate usage of some of the extensions mentioned in the rule

Techniques

Sample rules

Suspicious Startup Folder Persistence

source: sigma
technicques:
- t1547
- t1547.001

Description

Detects when a file with a suspicious extension is created in the startup folder

Detection logic

condition: selection
selection:
  TargetFilename|contains: \Windows\Start Menu\Programs\Startup\
  TargetFilename|endswith:
  - .vbs
  - .vbe
  - .bat
  - .ps1
  - .hta
  - .dll
  - .jar
  - .msi
  - .scr
  - .cmd