[metadata] bypass_bbr_timing = true creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" description = """ Identifies shortcut files written to or modified in the startup folder. Adversaries may use this technique to maintain persistence. """ from = "now-9m" index = ["logs-endpoint.events.file-*"] language = "eql" license = "Elastic License v2" name = "Shortcut File Written or Modified on Startup Folder" risk_score = 21 rule_id = "ee53d67a-5f0c-423c-a53c-8084ae562b5c" severity = "low" tags = [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Rule Type: BBR", ] timestamp_override = "event.ingested" type = "eql" query = ''' file where host.os.type == "windows" and event.type != "deletion" and file.extension == "lnk" and file.path : ( "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\*" ) and not ( (process.name : "ONENOTE.EXE" and process.code_signature.status: "trusted" and file.name : "*OneNote.lnk") or (process.name : "OktaVerifySetup.exe" and process.code_signature.status: "trusted" and file.name : "Okta Verify.lnk") or (process.name : "OneLaunch.exe" and process.code_signature.status: "trusted" and file.name : "OneLaunch*.lnk") or (process.name : "APPServerClient.exe" and process.code_signature.status: "trusted" and file.name : "Parallels Client.lnk") ) ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" [[rule.threat.technique.subtechnique]] id = "T1547.001" name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" [[rule.threat.technique.subtechnique]] id = "T1547.009" name = "Shortcut Modification" reference = "https://attack.mitre.org/techniques/T1547/009/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/"