Drops script at startup location

Sigma rule

title: Drops script at startup location
status: experimental
description: Drops script at startup location
author: Joe Security
date: 2020-04-07
id: 200071
threatname:
behaviorgroup: 1
classification: 7
logsource:
    service: sysmon
    product: windows
detection:
    selection:
        # Sysmon Event ID 11 = FileCreate
        EventID: 11
        # Script and shortcut file types written to the per-user Startup folder
        TargetFilename:
            - '*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.vbs*'
            - '*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.js*'
            - '*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.jse*'
            - '*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.bat*'
            - '*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.url*'
            - '*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.cmd*'
            - '*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.hta*'
            - '*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.ps1*'
            - '*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.wsf*'
    condition: selection
level: critical