Synopsis
Description
An uncommon file was created in the startup folder.
Attacker's Goals
Persistence on the host.
Investigative actions
- Check whether the file was written during the installation of a legitimate application (which other files were written by the same process).
- Check which program opens this file, based on its extension: look in the registry at HKEY_CLASSES_ROOT\.[extension]\shell\[action]\command for the default application or command that will execute.
Variations
An executable file with a non-default extension was added to the startup folder
Synopsis
Description
An executable file with a non-default extension was added to the startup folder.
Attacker's Goals
Persistence on the host.
Investigative actions
- Check whether the file was written during the installation of a legitimate application (which other files were written by the same process).
- Check which program opens this file, based on its extension: look in the registry at HKEY_CLASSES_ROOT\.[extension]\shell\[action]\command for the default application or command that will execute.
An executable or script was added to the startup folder
Synopsis
Description
An executable or script was added to the startup folder, which may happen on new program installation, but may also indicate a malicious program persisting itself.
Attacker's Goals
Persistence on the host.
Investigative actions
- Check whether the file was written during the installation of a legitimate application (which other files were written by the same process).
- Check which program opens this file, based on its extension: look in the registry at HKEY_CLASSES_ROOT\.[extension]\shell\[action]\command for the default application or command that will execute.
A file with an uncommon extension was added to the startup folder
Synopsis
Description
A file with an uncommon extension was added to the startup folder, which may happen on new program installation, but may also indicate a malicious program persisting itself.
Attacker's Goals
Persistence on the host.
Investigative actions
- Check whether the file was written during an installation process (which other files were written by the same process).
- Check the registry at HKEY_CLASSES_ROOT\.[extension]\shell\[action]\command for the default application or command that will execute.
A new shortcut (lnk) was added to the startup folder
Synopsis
Description
A new shortcut (lnk) file was added to the startup folder, which may happen on new program installation, but may also indicate a malicious program persisting itself.
Attacker's Goals
Persistence on the host.
Investigative actions
- Check whether the file was written during the installation of a legitimate application (which other files were written by the same process).
- Check which program opens this file, based on its extension: look in the registry at HKEY_CLASSES_ROOT\.[extension]\shell\[action]\command for the default application or command that will execute.
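All of the alerts above share the same investigative actions. The script below is an added example, not part of the alert documentation or the vendor's tooling: it enumerates both Windows startup folders, flags files whose extension is not one an installer normally drops there, resolves the target of each shortcut, and looks up the shell handler first at the HKEY_CLASSES_ROOT\.[extension]\shell\[action]\command path named above and then through the ProgID that the extension key's default value points to, which is where most handlers are actually registered. The expected-extension list and the default action name 'open' are assumptions.

```powershell
# Added example (not from the alert documentation): list startup-folder files and
# resolve how each would be executed at logon. Assumes Windows PowerShell 5.1+ and
# read access to HKEY_CLASSES_ROOT.

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users startup folder
)

# Assumption: extensions an installer commonly drops here; anything else is flagged.
$expectedExtensions = @('.lnk', '.exe', '.url')

function Get-ShellCommand {
    param([string]$Extension, [string]$Action = 'open')
    # Handler registered directly under the extension key (the path the alerts name).
    $direct = "Registry::HKEY_CLASSES_ROOT\$Extension\shell\$Action\command"
    if (Test-Path $direct) {
        return (Get-ItemProperty -Path $direct).'(default)'
    }
    # Usual layout: the extension's default value names a ProgID that holds the handler.
    $extKey = "Registry::HKEY_CLASSES_ROOT\$Extension"
    if (Test-Path $extKey) {
        $progId = (Get-ItemProperty -Path $extKey).'(default)'
        if ($progId) {
            $viaProgId = "Registry::HKEY_CLASSES_ROOT\$progId\shell\$Action\command"
            if (Test-Path $viaProgId) {
                return (Get-ItemProperty -Path $viaProgId).'(default)'
            }
        }
    }
    return $null   # no registered handler: the file will not run by itself at logon
}

$wsh = New-Object -ComObject WScript.Shell   # used to read shortcut targets

foreach ($folder in $startupFolders) {
    if (-not (Test-Path $folder)) { continue }
    Get-ChildItem -Path $folder -File -Force | ForEach-Object {
        $ext = $_.Extension.ToLower()
        [pscustomobject]@{
            Path     = $_.FullName
            Created  = $_.CreationTime            # compare with installer activity
            Uncommon = ($expectedExtensions -notcontains $ext)
            Target   = if ($ext -eq '.lnk') { $wsh.CreateShortcut($_.FullName).TargetPath } else { $null }
            Handler  = Get-ShellCommand -Extension $ext
        }
    }
}
```

A file with Uncommon set and a non-empty Handler is the case these alerts describe; one with no registered handler cannot launch on its own at logon, which narrows the investigation to whatever else references it.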