Unusual file creation in the Windows startup directory may indicate an adversary establishing persistence to ensure malicious code runs on system boot. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential persistence mechanisms early and mitigate compromise risk.
Detection Rule

```yaml
title: Startup Folder File Write
id: 2aa0a6b4-a865-495b-ab51-c28249537b75
related:
    - id: 28208707-fe31-437f-9a7f-4b1108b94d2e
      type: similar
status: test
description: A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/12
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2025-12-03
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\StartUp'
    filter_main_update:
        - Image:
              - 'C:\Windows\System32\wuauclt.exe'
              - 'C:\Windows\uus\ARM64\wuaucltcore.exe'
        - TargetFilename|startswith:
              - 'C:\$WINDOWS.~BT\NewOS\'
              - 'C:\$WinREAgent\Scratch\Mount\'
    filter_optional_onenote:
        Image|endswith: '\ONENOTE.EXE'
        TargetFilename|endswith: '\Send to OneNote.lnk'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate
level: medium
```
Azure Sentinel query (ASIM imFileEvent). The conversion maps the rule's Image field to TargetFilePath and TargetFilename to TargetFileName; confirm against the ASIM FileEvent parser in use before deploying, since ASIM carries the acting process path in ActingProcessName and the full target path in TargetFilePath.

```kql
imFileEvent
| where TargetFileName contains "\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp"
    and not (
        TargetFilePath in~ ("C:\\Windows\\System32\\wuauclt.exe", "C:\\Windows\\uus\\ARM64\\wuaucltcore.exe")
        or TargetFileName startswith "C:\\$WINDOWS.~BT\\NewOS\\"
        or TargetFileName startswith "C:\\$WinREAgent\\Scratch\\Mount\\"
    )
    and not (TargetFilePath endswith "\\ONENOTE.EXE" and TargetFileName endswith "\\Send to OneNote.lnk")
```
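The Sigma logic above rebuilt in plain Python, as an added example that is not part of the rule or the page's own code, so the interplay of the selection and the two filter groups can be checked against constructed file-creation events (all paths below are hypothetical). Sigma string modifiers are case-insensitive, so every comparison lowercases both sides.

```python
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup"
UPDATE_IMAGES = {"c:\\windows\\system32\\wuauclt.exe",
                 "c:\\windows\\uus\\arm64\\wuaucltcore.exe"}
UPDATE_STAGING = ("c:\\$windows.~bt\\newos\\", "c:\\$winreagent\\scratch\\mount\\")

def selection(ev):
    # TargetFilename|contains (case-insensitive, like the Sigma modifier)
    return STARTUP_MARKER in ev["TargetFilename"].lower()

def filter_main_update(ev):
    # A list under a filter means OR between its items.
    image, target = ev.get("Image", "").lower(), ev["TargetFilename"].lower()
    return image in UPDATE_IMAGES or target.startswith(UPDATE_STAGING)

def filter_optional_onenote(ev):
    # A map under a filter means AND between its keys: both must hold.
    return (ev.get("Image", "").lower().endswith("\\onenote.exe")
            and ev["TargetFilename"].lower().endswith("\\send to onenote.lnk"))

def rule_matches(ev):
    # condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
    return selection(ev) and not filter_main_update(ev) and not filter_optional_onenote(ev)

# Constructed sample events (hypothetical paths, not real telemetry).
SAMPLE_EVENTS = [
    {"id": "e1", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updater.lnk"},
    {"id": "e2", "Image": "C:\\Windows\\System32\\wuauclt.exe",
     "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\desktop.ini"},
    {"id": "e3", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Send to OneNote.lnk"},
    {"id": "e4", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\notes.lnk"},
    {"id": "e5", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": "C:\\Users\\bob\\Documents\\notes.txt"},
]

def alerts(events):
    # Ids of the events the rule would fire on.
    return [ev["id"] for ev in events if rule_matches(ev)]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # ['e1', 'e4']
```

Event e4 shows why the OneNote filter is a map rather than a list: ONENOTE.EXE writing any file other than "Send to OneNote.lnk" into the startup folder still alerts.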
Typical false-positive scenarios for this rule, each with the exclusion that addresses it:

Scenario: A system administrator deploys a legitimate configuration tool via a scheduled task that writes a configuration file to the startup folder.
Filter/Exclusion: Exclude files with known legitimate names (e.g., config.ini, setup.cfg) or files created by known administrative tools (e.g., Group Policy or SC commands).

Scenario: A user relies on a legitimate startup script manager (e.g., Startup Manager or Launchy) to add a script to the startup folder for productivity purposes.
Filter/Exclusion: Exclude files carrying known script manager signatures or files located in user-specific startup folders (e.g., C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup).

Scenario: A legitimate software installation places a shortcut or configuration file in the startup folder during setup.
Filter/Exclusion: Exclude files created by known installers (e.g., msiexec, setup.exe from Microsoft or enterprise software) or files matching known installation patterns (e.g., .lnk, .reg, .ini files created during install).

Scenario: A system update or patching tool (e.g., Windows Update, WSUS, or SCCM) writes a temporary file to the startup folder during an update.
Filter/Exclusion: Exclude files whose timestamps match recent system updates or files created by known patching tools (e.g., wusa.exe, ccmexec.exe).

Scenario: A developer tests a script that writes to the startup folder as part of a development or testing environment.
Filter/Exclusion: Exclude files with temporary or test-related naming conventions (e.g., test_script.bat, dev_config.txt) or files created within a known development directory structure.