Suspicious Startup Folder Persistence
Detects when a file with a suspicious extension is created in the startup folder
Sigma rule (View on GitHub)
1title: Suspicious Startup Folder Persistence
2id: 28208707-fe31-437f-9a7f-4b1108b94d2e
3related:
4 - id: 2aa0a6b4-a865-495b-ab51-c28249537b75
5 type: similar
6status: test
7description: Detects when a file with a suspicious extension is created in the startup folder
8references:
9 - https://github.com/last-byte/PersistenceSniper
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2022/08/10
12modified: 2023/01/06
13tags:
14 - attack.persistence
15 - attack.t1547.001
16logsource:
17 product: windows
18 category: file_event
19detection:
20 selection:
21 TargetFilename|contains: '\Windows\Start Menu\Programs\Startup\'
22 TargetFilename|endswith:
23 # Add or remove suspicious extensions according to your env needs
24 - '.vbs'
25 - '.vbe'
26 - '.bat'
27 - '.ps1'
28 - '.hta'
29 - '.dll'
30 - '.jar'
31 - '.msi'
32 - '.scr'
33 - '.cmd'
34 condition: selection
35falsepositives:
36 - Rare legitimate usage of some of the extensions mentioned in the rule
37level: high
References
-
Powershell module that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines. Official Twitter/X account @PersistSniper. Made w...
Read More
Related rules
- Potential Suspicious Activity Using SeCEdit
- Common Autorun Keys Modification
- CurrentVersion Autorun Keys Modification
- CurrentVersion NT Autorun Keys Modification
- Narrator's Feedback-Hub Persistence