Suspicious Startup Folder Persistence
- source: sigma
- techniques:
  - t1204
  - t1204.002
  - t1547
  - t1547.001
Description
Detects the creation of potentially malicious script and executable files in Windows startup folders, which is a common persistence technique used by threat actors. These files (.ps1, .vbs, .js, .bat, etc.) are automatically executed when a user logs in, making the Startup folder an attractive target for attackers. This technique is frequently observed in malvertising campaigns and malware distribution where attackers attempt to maintain long-term access to compromised systems.
Detection logic
condition: selection
selection:
  TargetFilename|contains: \Windows\Start Menu\Programs\Startup\
  TargetFilename|endswith:
    - .bat
    - .cmd
    - .dll
    - .hta
    - .jar
    - .js
    - .jse
    - .msi
    - .ps1
    - .psd1
    - .psm1
    - .scr
    - .url
    - .vba
    - .vbe
    - .vbs
    - .wsf
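To show how the selection above behaves on real telemetry, here is an added Python re-implementation of the rule's matching logic run over a handful of constructed Sysmon Event ID 11 (FileCreate) records. This is example code written for this page, not the Sigma project's own code or a Sigma backend; the event dictionaries, user names and file names are invented, and the `run_rule` and `matches_startup_persistence` helpers are this example's own names. It mirrors two Sigma semantics worth remembering when porting the rule by hand: string modifiers such as `contains` and `endswith` compare case-insensitively, and the path fragment matches both the per-user Startup folder (under `AppData\Roaming`) and the all-users one (under `ProgramData`).

```python
# Added example: the Sigma selection expressed as plain Python, run over
# constructed Sysmon FileCreate (Event ID 11) events.
from typing import Dict, Iterable, List

# The `contains` fragment from the rule. A normal (non-raw) string is used
# because a Python raw string cannot end with a backslash.
STARTUP_FRAGMENT = "\\Windows\\Start Menu\\Programs\\Startup\\"

# The `endswith` list from the rule, verbatim.
SUSPICIOUS_EXTENSIONS = (
    ".bat", ".cmd", ".dll", ".hta", ".jar", ".js", ".jse", ".msi",
    ".ps1", ".psd1", ".psm1", ".scr", ".url", ".vba", ".vbe", ".vbs", ".wsf",
)


def matches_startup_persistence(target_filename: str) -> bool:
    """Return True when TargetFilename satisfies the rule's `selection`.

    Sigma string modifiers are case-insensitive by default, so both the
    fragment and the extensions are compared against a lower-cased path.
    """
    name = target_filename.lower()
    in_startup_folder = STARTUP_FRAGMENT.lower() in name
    suspicious_extension = name.endswith(SUSPICIOUS_EXTENSIONS)
    return in_startup_folder and suspicious_extension


def run_rule(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Apply the rule to a stream of events and return the ones that alert.

    Only FileCreate events (Sysmon Event ID 11) carry TargetFilename, so the
    event id is checked first; other event types are ignored.
    """
    alerts = []
    for event in events:
        if event.get("EventID") != 11:
            continue
        if matches_startup_persistence(str(event.get("TargetFilename", ""))):
            alerts.append(event)
    return alerts


# Constructed sample events (invented hosts, users and file names).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # Per-user Startup folder, VBScript dropped by a script host: alerts.
    {"EventID": 11, "Image": "C:\\Windows\\System32\\wscript.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows"
                       "\\Start Menu\\Programs\\Startup\\update.vbs"},
    # All-users Startup folder under ProgramData, batch file: alerts.
    {"EventID": 11, "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu"
                       "\\Programs\\Startup\\helper.bat"},
    # Upper-cased path with a .js file: still alerts (case-insensitive match).
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\USERS\\BOB\\APPDATA\\ROAMING\\MICROSOFT\\WINDOWS"
                       "\\START MENU\\PROGRAMS\\STARTUP\\RUN.JS"},
    # Shortcut file in Startup: .lnk is not in the list, so no alert.
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows"
                       "\\Start Menu\\Programs\\Startup\\OneDrive.lnk"},
    # PowerShell script outside any Startup folder: no alert.
    {"EventID": 11, "Image": "C:\\Program Files\\Browser\\browser.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\setup.ps1"},
    # Process-creation event (Event ID 1) has no TargetFilename: ignored.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["TargetFilename"])
```

Running the block prints three alerts (the `.vbs`, `.bat` and `.JS` creations) and nothing for the shortcut, the download outside the Startup folder, or the process-creation event. The `.lnk` exclusion is deliberate in the rule: shortcuts are what legitimately installed applications normally place in Startup, so matching them would bury the script and executable drops the rule is after.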