Startup Folder Persistence with Shortcut/VBScript Files
Adversaries abuse common persistence mechanisms such as placing their malware/implants into a compromised user’s startup folder. This detection identifies GAMAREDON GROUP’s technique of placing shortcut and VBScript files into this folder.
| id: | 5430be26-4019-4bc3-bb04-056019304dc9 |
|---|---|
| categories: | detect |
| confidence: | low |
| os: | windows |
| created: | 02/12/2020 |
| updated: | 02/12/2020 |
MITRE ATT&CK™ Mapping
| tactics: | Persistence |
|---|---|
| techniques: | T1060 Registry Run Keys / Startup Folder |
Query

```eql
file where subtype.create
    and process_name in ("powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe", "winword.exe", "excel.exe", "powerpnt.exe")
    and (file_path == "*\\Programs\\Startup\\*.lnk" or
         file_path == "*\\Programs\\Startup\\*.vbs")
| unique process_name, file_path, user_name
```
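To show what the query above actually selects, here is a small Python re-implementation of its logic run over constructed file-creation events. This is an added example, not part of the analytic or of the EQL engine: the event dictionaries, their field layout (`event_type`, `subtype`, `process_name`, `file_path`, `user_name`) and the sample paths are assumptions made for illustration. EQL compares strings case-insensitively and treats `*` as a wildcard, so the example lower-cases both sides and uses `fnmatch`; the `| unique` pipe is modelled as keeping the first event per distinct `(process_name, file_path, user_name)` triple.

```python
"""Added example: apply the startup-folder EQL rule to constructed events.

Not the original analytic; field names and sample events are assumptions.
"""
import fnmatch
from typing import Iterable, List

# Process names from the rule's `in (...)` list.
SUSPICIOUS_PROCESSES = {
    "powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe",
    "winword.exe", "excel.exe", "powerpnt.exe",
}

# Wildcard patterns from the rule, lower-cased because EQL string matching
# ignores case. fnmatch's "*" matches across backslashes, like EQL's "*".
STARTUP_PATTERNS = (
    "*\\programs\\startup\\*.lnk",
    "*\\programs\\startup\\*.vbs",
)


def matches_rule(event: dict) -> bool:
    """True when a single event satisfies every clause of `file where ...`."""
    # `file where subtype.create`: only file-creation events are considered.
    if event.get("event_type") != "file" or event.get("subtype") != "create":
        return False
    # `process_name in (...)`, compared case-insensitively.
    if event.get("process_name", "").lower() not in SUSPICIOUS_PROCESSES:
        return False
    # `file_path == "*\\Programs\\Startup\\*.lnk" or ... "*.vbs"`.
    path = event.get("file_path", "").lower()
    return any(fnmatch.fnmatchcase(path, pat) for pat in STARTUP_PATTERNS)


def run_rule(events: Iterable[dict]) -> List[dict]:
    """Filter events with the rule, then apply `| unique process_name, file_path, user_name`
    by keeping only the first event for each distinct triple."""
    seen = set()
    results = []
    for event in events:
        if not matches_rule(event):
            continue
        key = (
            event["process_name"].lower(),
            event["file_path"].lower(),
            event.get("user_name", "").lower(),
        )
        if key in seen:
            continue
        seen.add(key)
        results.append(event)
    return results


USER_STARTUP = "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
ALL_USERS_STARTUP = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Word dropping a shortcut into the user's Startup folder: matches.
    {"event_type": "file", "subtype": "create", "process_name": "WINWORD.EXE",
     "user_name": "ACME\\alice", "file_path": USER_STARTUP + "update.lnk"},
    # Same triple again: collapsed by the unique pipe.
    {"event_type": "file", "subtype": "create", "process_name": "winword.exe",
     "user_name": "acme\\alice", "file_path": USER_STARTUP + "Update.lnk"},
    # wscript writing a VBScript to the all-users Startup folder: matches.
    {"event_type": "file", "subtype": "create", "process_name": "wscript.exe",
     "user_name": "ACME\\alice", "file_path": ALL_USERS_STARTUP + "run.vbs"},
    # Explorer creating a shortcut there: process not in the list, no match.
    {"event_type": "file", "subtype": "create", "process_name": "explorer.exe",
     "user_name": "ACME\\alice", "file_path": USER_STARTUP + "Notes.lnk"},
    # PowerShell writing a .txt there: extension not covered, no match.
    {"event_type": "file", "subtype": "create", "process_name": "powershell.exe",
     "user_name": "ACME\\alice", "file_path": USER_STARTUP + "log.txt"},
    # Modification rather than creation: subtype mismatch, no match.
    {"event_type": "file", "subtype": "modify", "process_name": "cmd.exe",
     "user_name": "ACME\\alice", "file_path": USER_STARTUP + "task.vbs"},
]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit["process_name"], hit["file_path"], hit["user_name"])
```

Running it prints the two distinct hits (the Word shortcut and the wscript VBScript) and drops the duplicate, the non-listed process, the `.txt` and the modify event, which is the same set of rows the `unique` pipe would return for these events.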