Modify User Shell Folders Startup Value

Severity
high
Author
frack113, Swachchhanda Shrawan Poudel (Nextron Systems)
Source
upstream

Detects a write to the Startup or Common Startup value under the Explorer Shell Folders or User Shell Folders registry keys, which may indicate a persistence attempt. These values hold the path of the directory Explorer treats as the per-user or machine-wide Startup folder; an attacker who redirects one of them to a directory they control gets every payload staged there executed automatically at logon, without touching the well-known Startup folder or a Run key. Writes that set the value back to the Windows default paths are filtered out, so only a redirect away from the defaults produces an alert.

MITRE ATT&CK coverage

Tactic                Technique
Persistence           T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Privilege Escalation  T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Event coverage

Provider  Event ID  Title
Sysmon    13        RegistryEvent (Value Set)

Stages and Predicates

Stage 1: selection (both groups below must match: the value name and the parent key)

or:
TargetObject|endswith: '\Common Startup'
TargetObject|endswith: '\Startup'
or:
TargetObject|contains: 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
TargetObject|contains: 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

Stage 2: not 1 of filter_main_* (the event is dropped if any one of the following matches; 'Details: null' matches events that carry no Details field at all)

or:
Details|contains: 'C:\Users\'
Details|contains: '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
Details: null
Details|contains: '%%USERPROFILE%%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
Details|contains: '%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup'
Details|contains: '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
Details|contains: 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup'
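The following is an added example, not part of the rule or the catalog, that implements the two stages above in Python and runs them over a handful of constructed Sysmon Event ID 13 records (the SIDs, paths and values are made up for illustration). It reproduces Sigma's case-insensitive string matching, the implicit AND between the two selection groups, and the 'Details: null' filter. Sample event 4 shows a consequence that follows directly from the filter list as printed: because the filter suppresses any value containing 'C:\Users\', a redirect to a non-default directory under C:\Users\ (for example under C:\Users\Public) is selected but then filtered, so the rule does not alert on it.

```python
"""Added example: the selection and filter logic of this Sigma rule, evaluated
over constructed Sysmon Event ID 13 (RegistryEvent, Value Set) records."""

# Stage 1 (selection): TargetObject must end with one of the value names AND
# contain one of the Explorer shell-folder key paths. Sigma string matching is
# case-insensitive, so everything is compared in lower case.
TARGET_SUFFIXES = ("\\common startup", "\\startup")
TARGET_KEYS = (
    "software\\microsoft\\windows\\currentversion\\explorer\\shell folders",
    "software\\microsoft\\windows\\currentversion\\explorer\\user shell folders",
)

# Stage 2 (filter_main_*): any one of these suppresses the match. Values are
# copied from the rule as printed, including the '%%USERPROFILE%%' spelling.
BENIGN_DETAILS = tuple(s.lower() for s in (
    "C:\\Users\\",
    "\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
    "%%USERPROFILE%%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
    "%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
    "%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
    "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
))


def selection(event):
    """Stage 1: a Sysmon 13 write to a Startup/Common Startup shell-folder value."""
    if event.get("EventID") != 13:
        return False
    target = (event.get("TargetObject") or "").lower()
    return target.endswith(TARGET_SUFFIXES) and any(k in target for k in TARGET_KEYS)


def filtered(event):
    """Stage 2: True when one of the filter_main_* predicates matches."""
    details = event.get("Details")
    if details is None:            # 'Details: null' -> the field is absent
        return True
    details = details.lower()
    return any(b in details for b in BENIGN_DETAILS)


def matches(event):
    """Full rule: selection and not 1 of filter_main_*."""
    return selection(event) and not filtered(event)


def evaluate(events):
    """Return the indexes of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches(e)]


# Constructed sample events (not real telemetry); the SID and paths are made up.
_USER_KEY = ("HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft"
             "\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup")
_MACHINE_KEY = ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer"
                "\\Shell Folders\\Common Startup")

SAMPLE_EVENTS = [
    # 0: per-user Startup folder redirected to an attacker-chosen directory -> alert
    {"EventID": 13, "TargetObject": _USER_KEY, "Details": "C:\\Temp\\stage"},
    # 1: Windows default for the per-user value -> suppressed by the filter
    {"EventID": 13, "TargetObject": _USER_KEY,
     "Details": "%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"},
    # 2: Windows default for the machine-wide value -> suppressed by the filter
    {"EventID": 13, "TargetObject": _MACHINE_KEY,
     "Details": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"},
    # 3: a Run-key write, not a shell-folder value -> not selected at all
    {"EventID": 13, "Details": "C:\\Temp\\stage\\u.exe",
     "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft"
                     "\\Windows\\CurrentVersion\\Run\\Updater"},
    # 4: blind spot: a redirect to a non-default directory under C:\Users\ is
    #    selected but suppressed by the broad 'C:\Users\' filter
    {"EventID": 13, "TargetObject": _USER_KEY, "Details": "C:\\Users\\Public\\Libraries\\stage"},
    # 5: record without a Details field -> suppressed by 'Details: null'
    {"EventID": 13, "TargetObject": _USER_KEY},
]

if __name__ == "__main__":
    for i in evaluate(SAMPLE_EVENTS):
        print("ALERT", SAMPLE_EVENTS[i]["TargetObject"], "->", SAMPLE_EVENTS[i]["Details"])
```

Only event 0 alerts. If the 'C:\Users\' blind spot matters in your environment, the usual tuning is to narrow that filter to the full per-user default path and keep the 'C:\ProgramData' path for the machine-wide value, then watch the false-positive rate from profile-relocation and folder-redirection tooling.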

Indicators

Each row is a field, the operator applied to it, and the values the rule matches against. The Details values are the filter strings that suppress a match; the TargetObject values are the selection criteria.

Field         Kind        Values
Details       match       • %%USERPROFILE%%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
                          • %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup
                          • %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
                          • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
                          • C:\Users\
                          • \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
TargetObject  ends_with   • \Common Startup
                          • \Startup
TargetObject  match       • SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                          • SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders