Name:Windows Boot or Logon Autostart Execution In Startup Folder id:99d157cb-923f-4a00-aee9-1f385412146f version:3 date:2024-09-30 author:Teoderick Contreras, Splunk status:production type:Anomaly Description:The following analytic detects the creation of files in the Windows %startup% folder, a common persistence technique. It leverages the Endpoint.Filesystem data model to identify file creation events in this specific directory. This activity is significant because adversaries often use the startup folder to ensure their malicious code executes automatically upon system boot or user logon. If confirmed malicious, this could allow attackers to maintain persistence on the host, potentially leading to further system compromise and unauthorized access to sensitive information. Data_source:
-Sysmon EventID 11
search:|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path = "*\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user Filesystem.file_path Filesystem.process_guid Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_boot_or_logon_autostart_execution_in_startup_folder_filter`
how_to_implement:To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. known_false_positives:Administrators may allow creation of script or exe in this path. References: -https://attack.mitre.org/techniques/T1204/002/ -https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia drilldown_searches: name:'View the detection results for - "$user$" and "$dest$"' search:'%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$" and "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Chaos Ransomware' - 'NjRAT' - 'RedLine Stealer' - 'Gozi Malware' asset_type:Endpoint confidence:90 impact:90 message:a process dropped a file in %startup% folder in $dest$ mitre_attack_id: - 'T1547.001' - 'T1547' observable: name:'user' type:'User' - role: - 'Victim' name:'dest' type:'Endpoint' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'Filesystem.file_create_time' - 'Filesystem.process_id' - 'Filesystem.file_name' - 'Filesystem.user' - 'Filesystem.file_path' - 'Filesystem.process_guid' - 'Filesystem.dest' risk_score:81 security_domain:endpoint
