Suspicious Startup Folder Persistence
Detects the creation of script and executable files with extensions commonly abused for persistence (.ps1, .vbs, .js, .bat and others) in a Windows Startup folder. Anything placed there is launched by Explorer at logon: files in the per-user folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) run when that user signs in, files in the all-users folder (%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup) run for every interactive logon. The rule keys on the path fragment `\Windows\Start Menu\Programs\Startup\` that both locations share, so a single selection covers both. It is a `file_event` rule, so it needs file-creation telemetry (Sysmon Event ID 11 or an EDR equivalent); `.exe` and `.lnk`, the extensions that populate the folder legitimately, are not in the list, so a dropped executable or shortcut will not fire it, and the extension list is meant to be tuned per environment. The technique (MITRE ATT&CK T1547.001) is frequently observed in malvertising campaigns and malware distribution where attackers attempt to maintain long-term access to compromised systems.
Sigma rule
```yaml
title: Suspicious Startup Folder Persistence
id: 28208707-fe31-437f-9a7f-4b1108b94d2e
related:
    - id: 2aa0a6b4-a865-495b-ab51-c28249537b75
      type: similar
status: test
description: |
    Detects the creation of potentially malicious script and executable files in Windows startup folders, which is a common persistence technique used by threat actors.
    These files (.ps1, .vbs, .js, .bat, etc.) are automatically executed when a user logs in, making the Startup folder an attractive target for attackers.
    This technique is frequently observed in malvertising campaigns and malware distribution where attackers attempt to maintain long-term access to compromised systems.
references:
    - https://github.com/last-byte/PersistenceSniper
    - https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/
    - https://github.com/redcanaryco/atomic-red-team/blob/5ede8f21e42ebe37e0a6eff757dba60bcfa85859/atomics/T1547.001/T1547.001.md
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-08-10
modified: 2025-10-12
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.t1204.002
    - attack.persistence
    - attack.t1547.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '\Windows\Start Menu\Programs\Startup\'
        TargetFilename|endswith:
            # Add or remove suspicious extensions according to your env needs
            - '.bat'
            - '.cmd'
            - '.dll'
            - '.hta'
            - '.jar'
            - '.js'
            - '.jse'
            - '.msi'
            - '.ps1'
            - '.psd1'
            - '.psm1'
            - '.scr'
            - '.url'
            - '.vba'
            - '.vbe'
            - '.vbs'
            - '.wsf'
    condition: selection
falsepositives:
    - Rare legitimate usage of some of the extensions mentioned in the rule
level: high
```
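The following is an added example, not part of the SigmaHQ rule or its project code: it re-implements the rule's `selection` block in Python and runs it over a handful of constructed Sysmon Event ID 11 records, so you can see which events fire and why. The path fragment and extension list are copied from the rule; the sample events, the `startup_scope` labelling heuristic and the alert dictionary layout are assumptions made for this illustration. Sigma's `contains` and `endswith` modifiers are case-insensitive by default, which is why the matcher lowercases both sides before comparing.

```python
from typing import Iterable

# Path fragment and extension list copied from the rule's 'selection' block.
STARTUP_FRAGMENT = "\\Windows\\Start Menu\\Programs\\Startup\\"
SUSPICIOUS_EXTENSIONS = (
    ".bat", ".cmd", ".dll", ".hta", ".jar", ".js", ".jse", ".msi", ".ps1",
    ".psd1", ".psm1", ".scr", ".url", ".vba", ".vbe", ".vbs", ".wsf",
)

# Sigma's 'file_event' category for product 'windows' maps to Sysmon Event ID 11
# (FileCreate). Other Sysmon events also carry TargetFilename (e.g. ID 23,
# FileDelete) and must not trigger this rule.
FILE_CREATE_EVENT_ID = 11


def matches_selection(target_filename: str) -> bool:
    """Evaluate the rule's 'selection' against one TargetFilename value.

    Both Sigma modifiers used by the rule are case-insensitive, so the
    comparison is done on lowercased strings.
    """
    name = target_filename.lower()
    return STARTUP_FRAGMENT.lower() in name and name.endswith(SUSPICIOUS_EXTENSIONS)


def startup_scope(target_filename: str) -> str:
    """Label which Startup folder was hit (heuristic added here, not part of
    the rule): the all-users folder lives under %ProgramData%, the per-user
    folder under the user's roaming AppData."""
    return "all-users" if "\\programdata\\" in target_filename.lower() else "per-user"


def evaluate(events: Iterable[dict]) -> list[dict]:
    """Run the rule over Sysmon-style event dicts; return one alert per hit."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != FILE_CREATE_EVENT_ID:
            continue
        path = ev.get("TargetFilename", "")
        if matches_selection(path):
            alerts.append({
                "rule": "Suspicious Startup Folder Persistence",
                "level": "high",
                "scope": startup_scope(path),
                "image": ev.get("Image"),
                "user": ev.get("User"),
                "target": path,
            })
    return alerts


# Constructed sample events (not real telemetry). They cover the cases that
# matter when validating the rule: both Startup folder locations, a mixed-case
# extension, an extension the rule does not list (.lnk), the right file name in
# the wrong folder, and a FileDelete event for a path that would otherwise match.
USER_STARTUP = "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
ALL_USERS_STARTUP = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"

SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "C:\\Windows\\System32\\wscript.exe", "User": "CORP\\alice",
     "TargetFilename": USER_STARTUP + "update.vbs"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "User": "NT AUTHORITY\\SYSTEM", "TargetFilename": ALL_USERS_STARTUP + "Loader.PS1"},
    {"EventID": 11, "Image": "C:\\Program Files\\Teams\\Teams.exe", "User": "CORP\\alice",
     "TargetFilename": USER_STARTUP + "Microsoft Teams.lnk"},
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe", "User": "CORP\\alice",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\update.vbs"},
    {"EventID": 23, "Image": "C:\\Windows\\explorer.exe", "User": "CORP\\alice",
     "TargetFilename": USER_STARTUP + "old.bat"},
]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert['level']}] {alert['scope']:9s} {alert['image']} -> {alert['target']}")
```

Running the script produces two alerts, one per-user hit for `update.vbs` and one all-users hit for `Loader.PS1`; the `.lnk`, the script in `Downloads` and the FileDelete event are all ignored, which is exactly the coverage and the gaps a detection engineer should expect from this rule before tuning the extension list.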
Related rules
- Suspicious Autorun Registry Modified via WMI
- AWS IAM S3Browser LoginProfile Creation
- AWS IAM S3Browser Templated S3 Bucket Policy Creation
- AWS IAM S3Browser User or AccessKey Creation
- ChromeLoader Malware Execution