Lateral Movement via Startup Folder
Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/10/19"
3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
4maturity = "production"
5updated_date = "2024/10/15"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move
13laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Lateral Movement via Startup Folder"
20references = [
21 "https://www.mdsec.co.uk/2017/06/rdpinception/",
22 "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language",
23]
24risk_score = 73
25rule_id = "25224a80-5a4a-4b8a-991e-6ab390465c4f"
26severity = "high"
27tags = [
28 "Domain: Endpoint",
29 "OS: Windows",
30 "Use Case: Threat Detection",
31 "Tactic: Lateral Movement",
32 "Data Source: Elastic Endgame",
33 "Data Source: Elastic Defend",
34 "Data Source: Sysmon",
35 "Data Source: Microsoft Defender for Endpoint",
36 "Data Source: SentinelOne",
37]
38timestamp_override = "event.ingested"
39type = "eql"
40
41query = '''
42file where host.os.type == "windows" and event.type in ("creation", "change") and
43
44 /* via RDP TSClient mounted share or SMB */
45 (process.name : "mstsc.exe" or process.pid == 4) and
46
47 file.path : ("?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*",
48 "?:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*")
49'''
50
51
52[[rule.threat]]
53framework = "MITRE ATT&CK"
54[[rule.threat.technique]]
55id = "T1021"
56name = "Remote Services"
57reference = "https://attack.mitre.org/techniques/T1021/"
58[[rule.threat.technique.subtechnique]]
59id = "T1021.001"
60name = "Remote Desktop Protocol"
61reference = "https://attack.mitre.org/techniques/T1021/001/"
62
63
64
65[rule.threat.tactic]
66id = "TA0008"
67name = "Lateral Movement"
68reference = "https://attack.mitre.org/tactics/TA0008/"
69[[rule.threat]]
70framework = "MITRE ATT&CK"
71[[rule.threat.technique]]
72id = "T1547"
73name = "Boot or Logon Autostart Execution"
74reference = "https://attack.mitre.org/techniques/T1547/"
75[[rule.threat.technique.subtechnique]]
76id = "T1547.001"
77name = "Registry Run Keys / Startup Folder"
78reference = "https://attack.mitre.org/techniques/T1547/001/"
79
80
81
82[rule.threat.tactic]
83id = "TA0003"
84name = "Persistence"
85reference = "https://attack.mitre.org/tactics/TA0003/"
References
-
Remote Desktop is often used by Systems Administrators to remotely manage machines. In a lot of organisations this could mean that a machine is placed in a DMZ or segregated...
Read More -
Elastic Event Query Language (EQL) correlation capabilities enable practitioners to capture complex behavior for adversary Lateral Movement techniques. Learn how to detect a variety of such techniques in this blog post.
Read More
Related rules
- Local Account TokenFilter Policy Disabled
- Microsoft Exchange Server UM Writing Suspicious Files
- NullSessionPipe Registry Modification
- Potential Remote Desktop Shadowing Activity
- RDP Enabled via Registry