# Startup Folder Execution via VBScript

Adversaries abuse common persistence mechanisms such as placing their malware or implants into a compromised user's Startup folder, where Windows runs them at every logon. This detection identifies the execution portion of GAMAREDON GROUP's technique of placing shortcut and VBScript files into this folder: the creation of a `.vbs` file under `\Programs\Startup\`, followed by `wscript.exe` launched from `explorer.exe` with that Startup path on its command line.
| id: | 7b4bd51e-4165-43f8-b0c8-fb2d7cd9cf94 |
|---|---|
| categories: | detect |
| confidence: | low |
| os: | windows |
| created: | 02/12/2020 |
| updated: | 02/12/2020 |
## MITRE ATT&CK™ Mapping

| tactics: | Persistence |
|---|---|
| techniques: | T1060 Registry Run Keys / Startup Folder |
## Query

```eql
sequence by user_name with maxspan=90d
  [file where subtype.create and file_path == "*\\Programs\\Startup\\*.vbs"]
  [process where subtype.create and parent_process_name == "explorer.exe"
    and process_name == "wscript.exe" and command_line == "*\\Programs\\Startup\\*"]
```
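The same two-stage sequence re-implemented in Python over constructed sample telemetry, as an added example that is not part of the analytics library: it reproduces the join on `user_name`, the 90-day `maxspan`, and the case-insensitive wildcard comparisons with `fnmatch`. Keeping only the most recent unmatched stage-1 event per user is an assumption that approximates EQL's sequence bookkeeping.

```python
import fnmatch
from datetime import datetime, timedelta

STARTUP = "C:\\Users\\{u}\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"

# Constructed sample telemetry (not real data): one complete chain for alice,
# a process-only event for bob, and a file create for carol that is too old to pair.
EVENTS = [
    {"ts": "2019-09-01T08:00:00", "event_type": "file", "subtype": "create", "user_name": "carol",
     "file_path": STARTUP.format(u="carol") + "sync.vbs"},
    {"ts": "2020-01-10T09:00:00", "event_type": "file", "subtype": "create", "user_name": "alice",
     "file_path": STARTUP.format(u="alice") + "update.vbs"},
    {"ts": "2020-01-11T08:30:00", "event_type": "process", "subtype": "create", "user_name": "alice",
     "parent_process_name": "explorer.exe", "process_name": "wscript.exe",
     "command_line": 'wscript.exe "' + STARTUP.format(u="alice") + 'update.vbs"'},
    {"ts": "2020-01-12T10:00:00", "event_type": "process", "subtype": "create", "user_name": "bob",
     "parent_process_name": "explorer.exe", "process_name": "wscript.exe",
     "command_line": 'wscript.exe "' + STARTUP.format(u="bob") + 'x.vbs"'},
    {"ts": "2020-01-15T07:00:00", "event_type": "process", "subtype": "create", "user_name": "carol",
     "parent_process_name": "explorer.exe", "process_name": "wscript.exe",
     "command_line": 'wscript.exe "' + STARTUP.format(u="carol") + 'sync.vbs"'},
]

def glob(value, pattern):
    # EQL string comparisons are case-insensitive; "*" is the only wildcard the query uses.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def is_startup_vbs_create(e):
    return (e["event_type"] == "file" and e["subtype"] == "create"
            and glob(e["file_path"], "*\\Programs\\Startup\\*.vbs"))

def is_wscript_from_startup(e):
    return (e["event_type"] == "process" and e["subtype"] == "create"
            and e["parent_process_name"].lower() == "explorer.exe"
            and e["process_name"].lower() == "wscript.exe"
            and glob(e["command_line"], "*\\Programs\\Startup\\*"))

def detect(events, maxspan=timedelta(days=90)):
    """Two-stage sequence joined on user_name; returns (file_event, process_event) pairs."""
    pending = {}   # user_name -> most recent unmatched stage-1 event (assumed EQL-like bookkeeping)
    matches = []
    for e in sorted(events, key=lambda x: x["ts"]):   # ISO timestamps sort chronologically
        if is_startup_vbs_create(e):
            pending[e["user_name"]] = e
        elif is_wscript_from_startup(e):
            first = pending.get(e["user_name"])
            if first and datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(first["ts"]) <= maxspan:
                matches.append((pending.pop(e["user_name"]), e))
    return matches
```

Only alice's chain fires: bob has no file-create event to join on, and carol's file create is 136 days before the process event, outside `maxspan`.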