# Elastic detection rule (EQL): alerts when the registry values that define the
# Windows Startup folder location are rewritten to a non-default path. A relocated
# Startup folder lets a persistence payload live outside the directory that file-
# creation monitoring typically watches (see `description` below).

[metadata]
creation_date = "2021/03/15"
maturity = "production"
updated_date = "2021/05/10"

[rule]
author = ["Elastic"]
description = """
Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections
monitoring file creation in the Windows Startup folder.
"""
# Relative lookback used for each scheduled execution of the rule.
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Startup Shell Folder Modification"
# Analyst guidance shown with the alert: the redirected path named in
# `registry.data.strings` is where subsequent autostart file drops should be looked for.
note = """## Triage and analysis
Verify file creation events in the new Windows Startup folder location."""
risk_score = 73
rule_id = "c8b150f0-0164-475b-a75e-74b47800a9ff"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
# Evaluate against ingest time rather than the event's own timestamp, so events that
# arrive late are still covered by the lookback window.
timestamp_override = "event.ingested"
type = "eql"
# Two registry locations are watched per scope: the `User Shell Folders` value and its
# expanded `Shell Folders` counterpart. `HKLM\...\Common Startup` governs the
# all-users Startup folder; `HKEY_USERS\<sid>\...\Startup` governs a single profile.
# Only events carrying a string value are considered (`registry.data.strings != null`),
# and the default locations are excluded. NOTE(review): the exclusions are pinned to
# the `C:` system drive and the default `%USERPROFILE%\AppData\Roaming` layout; hosts
# with a relocated system drive or redirected profile/ProgramData folders will alert
# on benign values and may need an environment-specific exception.
query = '''
registry where registry.path : (
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Common Startup",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Startup",
    "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup",
    "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Startup"
    ) and
  registry.data.strings != null and
  /* Normal Startup Folder Paths */
  not registry.data.strings : (
    "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
    "%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
    "%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
    "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
    )
'''

# ATT&CK mapping: Persistence via Boot or Logon Autostart Execution, specifically the
# Registry Run Keys / Startup Folder sub-technique.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"

[[rule.threat.technique.subtechnique]]
id = "T1547.001"
name = "Registry Run Keys / Startup Folder"
reference = "https://attack.mitre.org/techniques/T1547/001/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"