Detectionhightest

Modify User Shell Folders Startup Value

Detect modification of the User Shell Folders registry values for Startup or Common Startup which could indicate persistence attempts. Attackers may modify User Shell Folders registry keys to point to malicious executables or scripts that will be executed during startup. This technique is often used to maintain persistence on a compromised system by ensuring that the malicious payload is executed automatically.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François Hubaut, Swachchhanda Shrawan Poudel (Nextron Systems)Created Sat Oct 01Updated Mon Jan 059c226817-8dc9-46c2-a58d-66655aafd7dcwindows

Log Source

WindowsRegistry Set

ProductWindows← raw: windows

CategoryRegistry Set← raw: registry_set

Detection Logic

detection:
    selection:
        TargetObject|contains:
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
        TargetObject|endswith:
            - '\Common Startup'
            - '\Startup'
    filter_main_details_null:
        Details: null
    filter_main_programdata_startup:
        Details|contains:
            - 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup'
            - '%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup'
    filter_main_userprofile_startup_1:
        Details|contains:
            - '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
            - '%%USERPROFILE%%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    filter_main_userprofile_startup_2:
        Details|contains|all:
            - 'C:\Users\'
            - '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    # Apply more filters if new legitimate paths are identified
    condition: selection and not 1 of filter_main_*

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Testing & Validation

Simulations

atomic-red-teamT1547.001

View on ART

Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value

GUID: acfef903-7662-447e-a391-9c91c2f00f7b

Regression Tests

by Swachchhanda Shrawan Poudel (Nextron Systems)

Positive Detection Test1 matchevtx

Microsoft-Windows-Sysmon

EVTX JSON

MITRE ATT&CK

Tactics

TA0003 · Persistence TA0004 · Privilege Escalation

Sub-techniques

T1547.001 · Registry Run Keys / Startup Folder

Related Rules

SimilarDetectionhigh

User Shell Folders Registry Modification via CommandLine

Detects modifications to User Shell Folders registry values via reg.exe or PowerShell, which could indicate persistence attempts. Attackers may modify User Shell Folders registry values to point to malicious executables or scripts that will be executed during startup. This technique is often used to maintain persistence on a compromised system by ensuring that malicious payloads are executed automatically.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

9c226817-8dc9-46c2-a58d-66655aafd7dc

Status

test

Level

high

Type

Detection

Created

Sat Oct 01

Modified

Mon Jan 05

Author

François Hubaut, Swachchhanda Shrawan Poudel (Nextron Systems)

Path

rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml

Raw Tags

attack.persistenceattack.privilege-escalationattack.t1547.001

View on GitHub