Detectionmediumtest

Startup Folder File Write

A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)Created Sat May 02Updated Wed Dec 032aa0a6b4-a865-495b-ab51-c28249537b75windows

Log Source

WindowsFile Event

ProductWindows← raw: windows

CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic

detection:
    selection:
        TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\StartUp'
    filter_main_update:
        - Image:
              - 'C:\Windows\System32\wuauclt.exe'
              - 'C:\Windows\uus\ARM64\wuaucltcore.exe'
        - TargetFilename|startswith:
              - 'C:\$WINDOWS.~BT\NewOS\'
              - 'C:\$WinREAgent\Scratch\Mount\'
    filter_optional_onenote:
        Image|endswith: '\ONENOTE.EXE'
        TargetFilename|endswith: '\Send to OneNote.lnk'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*

False Positives

FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate

References

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0003 · Persistence

Sub-techniques

T1547.001 · Registry Run Keys / Startup Folder

Related Rules

SimilarDetectionhigh

Suspicious Startup Folder Persistence

Detects the creation of potentially malicious script and executable files in Windows startup folders, which is a common persistence technique used by threat actors. These files (.ps1, .vbs, .js, .bat, etc.) are automatically executed when a user logs in, making the Startup folder an attractive target for attackers. This technique is frequently observed in malvertising campaigns and malware distribution where attackers attempt to maintain long-term access to compromised systems.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

2aa0a6b4-a865-495b-ab51-c28249537b75

Status

test

Level

medium

Type

Detection

Created

Sat May 02

Modified

Wed Dec 03

Author

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Path

rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml

Raw Tags

attack.privilege-escalationattack.persistenceattack.t1547.001

View on GitHub