Synopsis
Description
An uncommon file was created in the startup folder.
Attacker's Goals
Maintain persistence on the host through automatic execution at startup.
Investigative actions
- Determine if the file was created as part of a legitimate application installation, and check other files written by the same process.
- Identify which program opens this file based on its extension.
- Check the registry at HKEY_CLASSES_ROOT\[extension]\shell\[action]\command to see the default application or command used to execute the file.
Variations
An executable file with a non-default extension was added to the startup folder
Synopsis
Description
An executable file with a non-default extension was added to the startup folder.
Attacker's Goals
Maintain persistence on the host through automatic execution at startup.
Investigative actions
- Determine if the file was created as part of a legitimate application installation, and check other files written by the same process.
- Identify which program opens this file based on its extension.
- Check the registry at HKEY_CLASSES_ROOT\[extension]\shell\[action]\command to see the default application or command used to execute the file.
An executable or script was added to the startup folder
Synopsis
Description
An executable or script was added to the startup folder. This may occur during a legitimate program installation but could also indicate a malicious program persisting on the system.
Attacker's Goals
Maintain persistence on the host through automatic execution at startup.
Investigative actions
- Determine if the file was created as part of a legitimate application installation, and check other files written by the same process.
- Identify which program opens this file based on its extension.
- Check the registry at HKEY_CLASSES_ROOT\[extension]\shell\[action]\command to see the default application or command used to execute the file.
A file with an uncommon extension was added to the startup folder
Synopsis
Description
A file with an uncommon extension was added to the startup folder. This may happen on new program installation, but may also indicate a malicious program persisting on the system.
Attacker's Goals
Persistence on the host.
Investigative actions
- Check whether the file was written during an installation process (what other files were written by the same process).
- Check the registry at HKEY_CLASSES_ROOT\[extension]\shell\[action]\command for the default application or command used to execute the file.
A new shortcut (lnk) was added to the startup folder
Synopsis
Description
A new shortcut (lnk) file was added to the startup folder. This may happen on new program installation, but may also indicate a malicious program persisting on the system.
Attacker's Goals
Maintain persistence on the host through automatic execution at startup.
Investigative actions
- Determine if the file was created as part of a legitimate application installation, and check other files written by the same process.
- Identify which program opens this file based on its extension.
- Check the registry at HKEY_CLASSES_ROOT\[extension]\shell\[action]\command to see the default application or command used to execute the file.
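The investigative actions above, carried out in PowerShell as an added example (not part of this alert reference): list every file in both Startup folders, record its creation time, resolve the extension through HKEY_CLASSES_ROOT to the handler command, and for .lnk files show the shortcut target. The helper name Resolve-OpenCommand is chosen here; the script assumes it runs on the affected host with read access to HKEY_CLASSES_ROOT.

```powershell
# Added example: triage files in the per-user and all-users Startup folders.
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # %APPDATA%\...\Startup
    [Environment]::GetFolderPath('CommonStartup')   # %ProgramData%\...\Startup
)

function Resolve-OpenCommand {
    param([string]$Extension, [string]$Action = 'open')
    # HKCR\.ext (Default) normally holds a ProgID; the verb lives under that ProgID.
    $extKey = "Registry::HKEY_CLASSES_ROOT\$Extension"
    if (-not (Test-Path $extKey)) { return $null }
    $progId = (Get-ItemProperty -Path $extKey -ErrorAction SilentlyContinue).'(default)'
    $candidates = @()
    if ($progId) { $candidates += "Registry::HKEY_CLASSES_ROOT\$progId\shell\$Action\command" }
    # Some extensions define the verb directly under the extension key.
    $candidates += "$extKey\shell\$Action\command"
    foreach ($key in $candidates) {
        if (Test-Path $key) {
            return (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        }
    }
    return $null
}

$results = foreach ($folder in $startupFolders) {
    if (-not (Test-Path $folder)) { continue }
    Get-ChildItem -Path $folder -File -Force | ForEach-Object {
        $ext = $_.Extension.ToLower()
        $target = $null
        if ($ext -eq '.lnk') {
            # For a shortcut the target is what runs at logon, not the .lnk handler.
            $shell = New-Object -ComObject WScript.Shell
            $lnk = $shell.CreateShortcut($_.FullName)
            $target = "$($lnk.TargetPath) $($lnk.Arguments)".Trim()
        }
        [pscustomobject]@{
            Folder      = $folder
            File        = $_.Name
            Extension   = $ext
            Created     = $_.CreationTime
            OpenCommand = Resolve-OpenCommand -Extension $ext
            LnkTarget   = $target
        }
    }
}

$results | Format-Table -AutoSize -Wrap
```

Compare each file's creation time against installer activity on the host to decide whether it belongs to a legitimate installation; an OpenCommand pointing at a scripting host or an unexpected interpreter for a non-default extension is what the variations above describe.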