Detection rules › Splunk
File Written to Startup Folder - Windows (Sysmon)
Adversaries may achieve persistence by adding a program to a startup folder. Adding an entry to the startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level. This use case detects file writes to \Microsoft\Windows\Start Menu\Programs\StartUp.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Privilege Escalation | T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
References
- https://www.uptycs.com/blog/cryptocurrency-entities-at-risk-threat-actor-uses-parallax-rat-for-infiltration
- https://attack.mitre.org/techniques/T1547/001/
- https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 11 | FileCreate |
Rule body yaml
id: '29486.53149'
title: File Written to Startup Folder - Windows
description: Adversaries may achieve persistence by adding a program to a startup
folder. Adding an entry to the startup folder will cause the program referenced
to be executed when a user logs in. These programs will be executed under the context
of the user and will have the account's associated permissions level. This use case
detects file writes to \Microsoft\Windows\Start Menu\Programs\StartUp.
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_sysmon` (TERM(EventCode=11) OR "<EventID>11<")
"Microsoft\\Windows\\Start Menu\\Programs\\Startup" | where !match(process_name,
"(?i)wuauclt\.exe") and !match(TargetFile, "(?i)C:\x5c\$Windows\.~BT\x5cNewOS\x5c")
| table _time, host, user, process, parent_process_name, process_exec | bin span=1s
| stats values(*) as * by _time, host '
techniques:
- persistence:boot or logon autostart execution:registry run keys / startup folder
technique_id:
- T1547.001
data_category:
- Windows Sysmon
references:
- https://www.uptycs.com/blog/cryptocurrency-entities-at-risk-threat-actor-uses-parallax-rat-for-infiltration
- https://attack.mitre.org/techniques/T1547/001/
- https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_sysmon` (TERM(EventCode=11) OR "<EventID>11<") "Microsoft\\Windows\\Start Menu\\Programs\\Startup"
Stage 2: where
| where !match(process_name, "(?i)wuauclt\.exe") and !match(TargetFile, "(?i)C:\x5c\$Windows\.~BT\x5cNewOS\x5c")
Stage 3: table
| table _time, host, user, process, parent_process_name, process_exec
Stage 4: bucket
| bin span=1s
Stage 5: stats
| stats values(*) as * by _time, host
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
TargetFile | match | "(?i)C:\x5c\$Windows\.~BT\x5cNewOS\x5c" |
process_name | match | "(?i)wuauclt\.exe" |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>11<" |
| 1 | "Microsoft\\Windows\\Start Menu\\Programs\\Startup" |