Modify User Shell Folders Startup Value
Detect modification of the startup key to a path where a payload could be stored to be launched during startup
Sigma rule (View on GitHub)
1title: Modify User Shell Folders Startup Value
2id: 9c226817-8dc9-46c2-a58d-66655aafd7dc
3status: test
4description: Detect modification of the startup key to a path where a payload could be stored to be launched during startup
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1547.001/T1547.001.md
7author: frack113
8date: 2022-10-01
9modified: 2023-08-17
10tags:
11 - attack.persistence
12 - attack.privilege-escalation
13 - attack.t1547.001
14logsource:
15 product: windows
16 category: registry_set
17detection:
18 selection:
19 TargetObject|contains: 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
20 TargetObject|endswith: 'Startup' # cover Common Startup and Startup
21 # can use Details|contains: path if get too many FP
22 condition: selection
23falsepositives:
24 - Unknown
25level: high
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Potential Suspicious Activity Using SeCEdit
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Account Tampering - Suspicious Failed Logon Reasons
- Activity From Anonymous IP Address