Type: Detection
Level: medium
Status: test

Startup Folder File Write

A general detection for files being created in the Windows Startup folder (per-user or all-users). Anything placed there runs at the next logon, so such writes can be an indicator of persistence.

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
Created: Sat May 02
Updated: Wed Dec 03
ID: 2aa0a6b4-a865-495b-ab51-c28249537b75
Product: windows
Log Source
Product: windows (Windows)
Category: file_event (File Event)

Events for file system activity including creation, modification, and deletion.

Detection Logic (3 selectors)
detection:
    selection:
        TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\StartUp'
    filter_main_update:
        - Image:
              - 'C:\Windows\System32\wuauclt.exe'
              - 'C:\Windows\uus\ARM64\wuaucltcore.exe'
        - TargetFilename|startswith:
              - 'C:\$WINDOWS.~BT\NewOS\'
              - 'C:\$WinREAgent\Scratch\Mount\'
    filter_optional_onenote:
        Image|endswith: '\ONENOTE.EXE'
        TargetFilename|endswith: '\Send to OneNote.lnk'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
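The condition above, evaluated over a handful of constructed Sysmon Event ID 11 (FileCreate) records. This is an added example, not the rule's own code and not a Sigma backend: the event dictionaries are made up for the demonstration, and the field names (Image, TargetFilename) follow the Sigma file_event category. It shows how each selector shape maps to boolean logic (two keys in one map are ANDed, a list of maps under one filter is ORed) and why Sigma's default case-insensitive matching matters here: the on-disk folder is spelled "Startup", the rule's literal is "StartUp".

```python
# Added example: evaluates the rule's three selectors and its condition over
# constructed Sysmon Event ID 11 (FileCreate) events. Not part of the rule or of
# any Sigma backend; field names follow the Sigma file_event category and the
# event records below are made up for the demo.

STARTUP_FRAGMENT = r"\Microsoft\Windows\Start Menu\Programs\StartUp"
UPDATE_IMAGES = (
    r"C:\Windows\System32\wuauclt.exe",
    r"C:\Windows\uus\ARM64\wuaucltcore.exe",
)
# Regular (non-raw) strings here because a raw string cannot end in a backslash.
UPDATE_PATH_PREFIXES = (
    "C:\\$WINDOWS.~BT\\NewOS\\",
    "C:\\$WinREAgent\\Scratch\\Mount\\",
)


def _f(event, field):
    # Sigma string modifiers are case-insensitive by default, so compare lowercased.
    return str(event.get(field, "")).lower()


def selection(event):
    # TargetFilename|contains
    return STARTUP_FRAGMENT.lower() in _f(event, "TargetFilename")


def filter_main_update(event):
    # A list of two maps under one filter is an OR: either the writing Image is a
    # Windows Update binary, or the path is inside an OS upgrade / WinRE staging tree.
    image_ok = _f(event, "Image") in tuple(i.lower() for i in UPDATE_IMAGES)
    path_ok = _f(event, "TargetFilename").startswith(
        tuple(p.lower() for p in UPDATE_PATH_PREFIXES)
    )
    return image_ok or path_ok


def filter_optional_onenote(event):
    # Two keys in one map are ANDed: only OneNote writing its own shortcut is excluded.
    return _f(event, "Image").endswith("\\onenote.exe") and _f(
        event, "TargetFilename"
    ).endswith("\\send to onenote.lnk")


def matches(event):
    # condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
    return (
        selection(event)
        and not filter_main_update(event)
        and not filter_optional_onenote(event)
    )


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    {"id": 2, "Image": r"C:\Windows\System32\wuauclt.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini"},
    {"id": 3, "Image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk"},
    {"id": 4, "Image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\helper.lnk"},
    {"id": 5, "Image": r"C:\$WINDOWS.~BT\Sources\SetupHost.exe",
     "TargetFilename": r"C:\$WINDOWS.~BT\NewOS\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\x.lnk"},
    {"id": 6, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\bob\Documents\notes.txt"},
]


def alerting_ids(events=SAMPLE_EVENTS):
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    print(alerting_ids())  # [1, 4]
```

Events 1 and 4 alert: a PowerShell write into a user's Startup folder, and OneNote writing a shortcut that is not its own "Send to OneNote.lnk" (the optional filter needs both keys to match). Events 2, 3 and 5 are suppressed by the filters; event 6 never hits the selection. One check worth doing on a real deployment: if the backend or SIEM you convert this rule for compares strings case-sensitively, the literal "StartUp" will not match the folder's actual spelling "Startup", so confirm the generated query before trusting the rule.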
False Positives

Legitimate applications that write shortcuts into the Startup folder (for example, during installation) can trigger this rule. Whenever it fires, the folder should be inspected to confirm that every file in it is legitimate.