/
windows_boot_or_logon_autostart_execution_in_startup_folder.yml
72 lines (72 loc) · 2.84 KB
/
windows_boot_or_logon_autostart_execution_in_startup_folder.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
name: Windows Boot or Logon Autostart Execution In Startup Folder
id: 99d157cb-923f-4a00-aee9-1f385412146f
version: 1
date: '2023-01-12'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
description: This analytic will identify suspicious files dropped or created in the Windows %startup% folder.
This technique is a common way to gain persistence on a targeted host. Threat actor, adversaries and red teamer
abuse this folder path to automatically execute their malicious sample upon boot or restart of the infected host.
This TTP detection is a good indicator that a suspicious process wants to gain persistence on the targeted host. We suggest to
verify the process name by using the process guid field, the file created and also the user and the computer name for further investigation.
data_source:
- Sysmon EventID 11
search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem
where Filesystem.file_path = "*\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*"
by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user Filesystem.file_path Filesystem.process_guid Filesystem.dest
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_boot_or_logon_autostart_execution_in_startup_folder_filter`'
how_to_implement: To successfully implement this search you need to be ingesting information
on process that include the name of the Filesystem responsible for the changes from
your endpoints into the `Endpoint` datamodel in the `Filesystem` node.
known_false_positives: Administrators may allow creation of script or exe in this
path.
references:
- https://attack.mitre.org/techniques/T1204/002/
- https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia
tags:
analytic_story:
- Chaos Ransomware
- NjRAT
- RedLine Stealer
asset_type: Endpoint
confidence: 90
impact: 90
message: a process dropped a file in %startup% folder in $dest$
mitre_attack_id:
- T1547.001
- T1547
observable:
- name: user
type: User
role:
- Victim
- name: dest
type: Endpoint
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Filesystem.file_create_time
- Filesystem.process_id
- Filesystem.file_name
- Filesystem.user
- Filesystem.file_path
- Filesystem.process_guid
- Filesystem.dest
risk_score: 81
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/chaos_ransomware/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
update_timestamp: true