Startup Folder Persistence with Shortcut/VBScript Files
Adversaries abuse common persistence mechanisms such as placing their malware/implants into a compromised user’s startup folder. This detection identifies GAMAREDON GROUP’s technique of placing shortcut and VBScript files into this folder.
id: 5430be26-4019-4bc3-bb04-056019304dc9
categories: detect
confidence: low
os: windows
created: 02/12/2020
updated: 02/12/2020
MITRE ATT&CK™ Mapping
tactics: Persistence
techniques: T1060 Registry Run Keys / Startup Folder
Query

```eql
file where subtype.create
and process_name in ("powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe", "winword.exe", "excel.exe", "powerpnt.exe")
and (file_path == "*\\Programs\\Startup\\*.lnk" or
     file_path == "*\\Programs\\Startup\\*.vbs")
| unique process_name, file_path, user_name
```
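To show how the query's filter and its `unique` pipe behave on telemetry, the following is an added Python example, not code from the original page or from the EQL Analytics Library: it re-implements the detection logic over constructed file-creation events. The event field names (`event_type`, `subtype`, `process_name`, `file_path`, `user_name`) and the sample paths are assumptions.

```python
import re

# Process names and Startup-folder path patterns taken from the EQL query.
PROCESS_NAMES = {"powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe",
                 "winword.exe", "excel.exe", "powerpnt.exe"}
PATH_PATTERNS = ("*\\Programs\\Startup\\*.lnk", "*\\Programs\\Startup\\*.vbs")


def eql_match(value, pattern):
    """EQL-style string compare: '*' matches any run of characters, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def detect_startup_persistence(events):
    """Apply the query's filter, then its `unique` pipe keyed on
    (process_name, file_path, user_name) so repeated identical writes alert once."""
    seen, hits = set(), []
    for ev in events:
        if ev.get("event_type") != "file" or ev.get("subtype") != "create":
            continue
        proc, path = ev.get("process_name", "").lower(), ev.get("file_path", "")
        if proc not in PROCESS_NAMES:
            continue
        if not any(eql_match(path, p) for p in PATH_PATTERNS):
            continue
        # Windows names are case-insensitive, so the dedup key is lowercased.
        key = (proc, path.lower(), ev.get("user_name", "").lower())
        if key not in seen:
            seen.add(key)
            hits.append(ev)
    return hits


# Constructed sample events (not real telemetry) exercising each branch of the query.
USER_STARTUP = "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
ALL_USERS_STARTUP = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"

def _ev(proc, path, user="CORP\\alice"):
    return {"event_type": "file", "subtype": "create", "process_name": proc,
            "file_path": path, "user_name": user}

SAMPLE_EVENTS = [
    _ev("WINWORD.EXE", USER_STARTUP + "update.lnk"),     # Office drops a shortcut: alert
    _ev("WINWORD.EXE", USER_STARTUP + "update.lnk"),     # identical repeat: deduplicated
    _ev("wscript.exe", ALL_USERS_STARTUP + "run.vbs"),   # script host writes .vbs: alert
    _ev("explorer.exe", USER_STARTUP + "app.lnk"),       # user pinned an app: not in process list
    _ev("cmd.exe", USER_STARTUP + "notes.txt"),          # wrong extension: no alert
    _ev("powershell.exe", "C:\\Temp\\x.vbs"),            # outside Startup folder: no alert
]

if __name__ == "__main__":
    for hit in detect_startup_persistence(SAMPLE_EVENTS):
        print(hit["process_name"], hit["file_path"], hit["user_name"])
```

Running it prints the two alerting events; the `explorer.exe` case illustrates why the query restricts the process list, since users legitimately create Startup shortcuts through the shell.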