An adversary may install malware to autorun at Windows startup to ensure persistence and maintain access to the compromised system. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential long-term persistence mechanisms and mitigate the risk of sustained malicious activity.
YARA Rule
rule persistence {
    meta:
        author = "x0r"
        description = "Install itself for autorun at Windows startup"
        version = "0.1"
    strings:
        $p1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" nocase
        $p2 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" nocase
        $p3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices" nocase
        $p4 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce" nocase
        $p5 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" nocase
        $p6 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run" nocase
        $p7 = "SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\" nocase
        $p8 = "SOFTWARE\\Microsoft\\WindowsNT\\CurrentVersion\\Windows" nocase
        $p9 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler" nocase
        $p10 = "comfile\\shell\\open\\command" nocase
        $p11 = "piffile\\shell\\open\\command" nocase
        $p12 = "exefile\\shell\\open\\command" nocase
        $p13 = "txtfile\\shell\\open\\command" nocase
        $p14 = "\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options"
        $f1 = "win.ini" nocase
        $f2 = "system.ini" nocase
        $f3 = "Start Menu\\Programs\\Startup" nocase
    condition:
        any of them
}
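To make the rule's matching semantics concrete, here is an added example that re-implements its string matching in Python; it is not part of the rule or its author's code. It shows that a single hit satisfies "any of them", that nocase strings match regardless of capitalisation (so a reference to RunOnce also counts as a hit on $p1, whose text is a prefix of $p2), and that $p14, the one string without the nocase modifier, matches only with the exact capitalisation written in the rule. The sample buffers are constructed test data.

```python
# Added example: minimal re-implementation of the rule's string matching.
# (identifier, string, nocase) copied from the rule above; $p8 is kept exactly
# as written there (no space in "WindowsNT"), and $p14 is the only string
# without nocase, so it matches only with this exact capitalisation.
PERSISTENCE_STRINGS = [
    ("$p1", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", True),
    ("$p2", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce", True),
    ("$p3", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices", True),
    ("$p4", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce", True),
    ("$p5", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", True),
    ("$p6", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", True),
    ("$p7", "SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\", True),
    ("$p8", "SOFTWARE\\Microsoft\\WindowsNT\\CurrentVersion\\Windows", True),
    ("$p9", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler", True),
    ("$p10", "comfile\\shell\\open\\command", True),
    ("$p11", "piffile\\shell\\open\\command", True),
    ("$p12", "exefile\\shell\\open\\command", True),
    ("$p13", "txtfile\\shell\\open\\command", True),
    ("$p14", "\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options", False),
    ("$f1", "win.ini", True),
    ("$f2", "system.ini", True),
    ("$f3", "Start Menu\\Programs\\Startup", True),
]


def match_persistence(data: bytes) -> list[str]:
    """Return the identifiers of rule strings present in data, in rule order.

    YARA text strings match their ASCII bytes; 'nocase' makes the comparison
    case-insensitive for ASCII letters, which bytes.lower() reproduces.
    """
    hits = []
    for ident, text, nocase in PERSISTENCE_STRINGS:
        needle = text.encode("ascii")
        haystack = data
        if nocase:
            needle, haystack = needle.lower(), haystack.lower()
        if needle in haystack:
            hits.append(ident)
    return hits


def rule_fires(data: bytes) -> bool:
    """The rule's condition is 'any of them': one matching string is enough."""
    return bool(match_persistence(data))


# Constructed sample buffers (not real samples).
# Mixed case still hits $p1 and $p2 because of nocase; $p1 is a prefix of $p2,
# so any RunOnce reference is also counted as a Run reference.
SAMPLE_RUNONCE = b"reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce /v Setup"
# Lower-case IFEO path: $p14 has no nocase, so nothing in the rule matches.
SAMPLE_IFEO_LOWER = b"hklm\\software\\microsoft\\windows nt\\currentversion\\image file execution options\\app.exe"
# Same path with the rule's capitalisation: only $p14 matches.
SAMPLE_IFEO_EXACT = b"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\app.exe"
SAMPLE_BENIGN = b"The quick brown fox jumps over the lazy dog"

if __name__ == "__main__":
    for name, buf in [("runonce", SAMPLE_RUNONCE), ("ifeo_lower", SAMPLE_IFEO_LOWER),
                      ("ifeo_exact", SAMPLE_IFEO_EXACT), ("benign", SAMPLE_BENIGN)]:
        print(f"{name}: fires={rule_fires(buf)} strings={match_persistence(buf)}")
```

Because every string is a plain registry path or file name, any binary that merely references an autostart location (installers, administration tools) satisfies the condition; the false-positive scenarios further down are the operational consequence of that breadth.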
This YARA rule can be deployed in the following contexts:
This rule contains 17 string patterns in its detection logic.
Scenario: System Administrator configures a legitimate scheduled task for system maintenance using Task Scheduler.
Filter/Exclusion: ProcessName != "schtasks.exe" OR ProcessName == "schtasks.exe" AND CommandLine NOT LIKE "* /create*"

Scenario: A legitimate endpoint protection tool (e.g., Microsoft Defender) creates a startup registry entry for its own service.
Filter/Exclusion: ProcessName == "msmpeng.exe" OR ProcessName == "MsMpEng.exe" OR ProcessName == "WindowsDefender.exe"

Scenario: A system update or patching tool (e.g., Windows Update) modifies the registry to ensure services start at boot.
Filter/Exclusion: ProcessName == "wuauclt.exe" OR ProcessName == "wuauserv.exe" OR ProcessName == "svchost.exe" AND CommandLine LIKE "* wuauserv*"

Scenario: A legitimate backup tool (e.g., Veeam, Acronis) sets up a registry entry to run at startup for scheduled backups.
Filter/Exclusion: ProcessName == "veeam.exe" OR ProcessName == "acronis.exe" OR ProcessName == "backup.exe" AND CommandLine LIKE "* /startup*"

Scenario: An admin manually adds a legitimate service to the startup folder via the GUI or registry.
Filter/Exclusion: ProcessName == "explorer.exe" OR ProcessName == "regedit.exe" OR ProcessName == "msconfig.exe" AND CommandLine LIKE "* startup*"
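The exclusions above, applied over constructed registry-modification events, as an added example that is not part of the original page. It assumes a telemetry row with ProcessName, CommandLine and RegistryKey fields (the field names are assumptions), treats an event as a candidate when its key path contains one of the autostart locations the rule's $p strings name, and encodes each scenario's expression with explicit parentheses, AND binding tighter than OR as it does in KQL. Scenario 1 is written as a keep condition, so its complement (schtasks.exe with /create) is what gets suppressed; process names are compared case-insensitively, which is why the two spellings of MsMpEng.exe collapse into one check.

```python
import fnmatch

# Autostart key paths taken from the rule's $p strings, matched case-insensitively
# as substrings of the event's key path. The first fragment also covers RunOnce,
# RunServices and RunServicesOnce.
AUTORUN_KEY_FRAGMENTS = [
    "\\Microsoft\\Windows\\CurrentVersion\\Run",
    "\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
    "\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run",
    "\\Microsoft\\Active Setup\\Installed Components\\",
    "\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
]


def _like(value: str, pattern: str) -> bool:
    """KQL-style LIKE with * wildcards, compared case-insensitively."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _proc(ev: dict, name: str) -> bool:
    """Case-insensitive ProcessName comparison (so msmpeng.exe == MsMpEng.exe)."""
    return ev["ProcessName"].lower() == name.lower()


# (scenario, predicate that is True when the event is suppressed). Parentheses
# spell out the AND-before-OR precedence of the expressions listed above.
EXCLUSIONS = [
    # Scenario 1 is written as a keep condition; its complement is the suppression.
    ("scheduled task created by an administrator",
     lambda ev: _proc(ev, "schtasks.exe") and _like(ev["CommandLine"], "* /create*")),
    ("endpoint protection startup entry",
     lambda ev: _proc(ev, "msmpeng.exe") or _proc(ev, "WindowsDefender.exe")),
    ("update or patching tool",
     lambda ev: _proc(ev, "wuauclt.exe") or _proc(ev, "wuauserv.exe")
     or (_proc(ev, "svchost.exe") and _like(ev["CommandLine"], "* wuauserv*"))),
    ("backup agent",
     lambda ev: _proc(ev, "veeam.exe") or _proc(ev, "acronis.exe")
     or (_proc(ev, "backup.exe") and _like(ev["CommandLine"], "* /startup*"))),
    ("administrator using the GUI or registry editor",
     lambda ev: _proc(ev, "explorer.exe") or _proc(ev, "regedit.exe")
     or (_proc(ev, "msconfig.exe") and _like(ev["CommandLine"], "* startup*"))),
]


def touches_autorun_key(ev: dict) -> bool:
    """True when the modified key lies under one of the autostart locations."""
    key = ev["RegistryKey"].lower()
    return any(frag.lower() in key for frag in AUTORUN_KEY_FRAGMENTS)


def hunt(events):
    """Split autorun-key modifications into flagged events and (event, scenario) suppressions."""
    flagged, suppressed = [], []
    for ev in events:
        if not touches_autorun_key(ev):
            continue
        reason = next((label for label, pred in EXCLUSIONS if pred(ev)), None)
        if reason is None:
            flagged.append(ev)
        else:
            suppressed.append((ev, reason))
    return flagged, suppressed


# Constructed sample events (field names assumed; values are not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "ProcessName": "MsMpEng.exe", "CommandLine": "MsMpEng.exe",
     "RegistryKey": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth"},
    {"Computer": "WS01", "ProcessName": "regedit.exe", "CommandLine": "regedit.exe",
     "RegistryKey": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"Computer": "WS02", "ProcessName": "svchost.exe", "CommandLine": "svchost.exe -k netsvcs -p -s wuauserv",
     "RegistryKey": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Reboot"},
    {"Computer": "WS02", "ProcessName": "svchost.exe", "CommandLine": "svchost.exe -k netsvcs -p -s Schedule",
     "RegistryKey": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Helper"},
    {"Computer": "WS03", "ProcessName": "WINWORD.EXE", "CommandLine": "WINWORD.EXE /n report.docx",
     "RegistryKey": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OfficeUpdate"},
    {"Computer": "WS03", "ProcessName": "notepad.exe", "CommandLine": "notepad.exe",
     "RegistryKey": "HKCU\\Software\\Contoso\\Editor\\RecentFiles"},
]

if __name__ == "__main__":
    flagged, suppressed = hunt(SAMPLE_EVENTS)
    for ev in flagged:
        print("FLAG", ev["Computer"], ev["ProcessName"], ev["RegistryKey"])
    for ev, why in suppressed:
        print("skip", ev["Computer"], ev["ProcessName"], "->", why)
```

Note what the precedence implies: in scenarios 2 to 5 every process named before the final OR is suppressed unconditionally, and only the last one is constrained by its command line, so the constructed regedit.exe event that writes a Run key is dropped by scenario 5 while the svchost.exe instance not hosting wuauserv is flagged. Narrowing each exclusion to the specific key name, value or image path the legitimate tool uses keeps the suppression from covering more than the scenario describes.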