Suspicious Startup Shell Folder Modification | Elastic Security Solution [7.13]

IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› › ›

« Suspicious SolarWinds Child Process Suspicious WMI Image Load from MS Office »

Suspicious Startup Shell Folder Modificationedit

Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder.

Rule type: eql

Rule indices:

winlogbeat-*
logs-endpoint.events.*
logs-windows.*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Elastic
Host
Windows
Threat Detection
Persistence

Version: 1

Added (Elastic Stack release): 7.13.0

Rule authors: Elastic

Rule license: Elastic License v2

Investigation guideedit

Triage and analysis

Verify file creation events in the new Windows Startup folder location.

Rule queryedit

registry where registry.path : (
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User
Shell Folders\\Common Startup",
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell
Folders\\Common Startup", "HKEY_USERS\\*\\Software\\Microsoft\\Wi
ndows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup", "H
KEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\
Shell Folders\\Startup" ) and registry.data.strings != null and
/* Normal Startup Folder Paths */ not registry.data.strings : (
"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
"%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
"%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start
Menu\\Programs\\Startup",
"C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start
Menu\\Programs\\Startup" )

Threat mappingedit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Boot or Logon Autostart Execution
- ID: T1547
- Reference URL: https://attack.mitre.org/techniques/T1547/

« Suspicious SolarWinds Child Process Suspicious WMI Image Load from MS Office »