Suspicious Startup Shell Folder Modification

Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Persistence

Version: 1

Added (Elastic Stack release): 7.13.0

Rule authors: Elastic

Rule license: Elastic License v2

Investigation guide

Triage and analysis

Verify file creation events in the new Windows Startup folder location.

Rule query

registry where
  registry.path : (
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Common Startup",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Startup",
    "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup",
    "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Startup"
  ) and
  registry.data.strings != null and
  /* Normal Startup Folder Paths */
  not registry.data.strings : (
    "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
    "%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
    "%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
    "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
  )
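
The following Python sketch is an added example, not part of the Elastic rule or its tooling. It emulates the query's matching logic over constructed registry events so the wildcard and exclusion behavior can be checked offline. Assumptions: EQL's `:` is modeled as a case-insensitive match where `*` matches any run of characters, events are flat dictionaries, a multi-valued `registry.data.strings` is treated as normal if any value is on the exclusion list, and the SID and target paths in the samples are invented.

```python
import re

# Patterns copied from the rule query (EQL "\\" is a single backslash here).
WATCHED_PATHS = [
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Startup",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Startup",
    r"HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup",
    r"HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup",
]
NORMAL_TARGETS = [
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
    r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup",
    r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
    r"C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
]

def like(value, patterns):
    """Assumed model of EQL ':': case-insensitive, '*' matches any characters."""
    for p in patterns:
        rx = ".*".join(re.escape(part) for part in p.split("*"))
        if re.fullmatch(rx, value, re.IGNORECASE | re.DOTALL):
            return True
    return False

def rule_matches(event):
    """Return True when a registry event would satisfy the rule query."""
    data = event.get("registry.data.strings")
    if data is None:                      # registry.data.strings != null
        return False
    values = data if isinstance(data, list) else [data]
    return (like(event.get("registry.path", ""), WATCHED_PATHS)
            and not any(like(v, NORMAL_TARGETS) for v in values))

def ev(path, data):
    return {"registry.path": path, "registry.data.strings": data}

# Constructed sample events; the SID and target directories are invented.
HKU = (r"HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001"
       r"\Software\Microsoft\Windows\CurrentVersion\Explorer")
SAMPLES = {
    "redirected_user": ev(HKU + r"\User Shell Folders\Startup", r"C:\Users\Public\Libraries"),
    "default_user": ev(HKU + r"\User Shell Folders\Startup", NORMAL_TARGETS[2]),
    "lowercase_key": ev(WATCHED_PATHS[0].lower(), r"D:\stage"),
    "trailing_slash": ev(WATCHED_PATHS[0], NORMAL_TARGETS[0] + "\\"),
    "other_value": ev(HKU + r"\User Shell Folders\Desktop", r"D:\Desktop"),
    "no_data": ev(WATCHED_PATHS[1], None),
}

def evaluate_samples():
    return {name: rule_matches(e) for name, e in SAMPLES.items()}
```

In this emulation the `trailing_slash` sample alerts even though it points at the default folder, because the exclusion patterns have no trailing wildcard; values like that are candidates for tuning rather than evidence of redirection.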

Threat mapping

Framework: MITRE ATT&CK™