IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Suspicious Startup Shell Folder Modification
editSuspicious Startup Shell Folder Modification
editIdentifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
Severity: high
Risk score: 73
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Persistence
Version: 1
Added (Elastic Stack release): 7.13.0
Rule authors: Elastic
Rule license: Elastic License v2
Investigation guide
editTriage and analysis
Verify file creation events in the new Windows Startup folder location.
Rule query
editregistry where registry.path : ( "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Common Startup", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Startup", "HKEY_USERS\\*\\Software\\Microsoft\\Wi ndows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup", "H KEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ Shell Folders\\Startup" ) and registry.data.strings != null and /* Normal Startup Folder Paths */ not registry.data.strings : ( "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", "%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", "%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" )
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Boot or Logon Autostart Execution
- ID: T1547
- Reference URL: https://attack.mitre.org/techniques/T1547/