get startup folder

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: get startup folder
    namespace: persistence/startup-folder
    authors:
      - matthew.williams@mandiant.com
    scopes:
      static: basic block
      dynamic: call
    att&ck:
      - Persistence::Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder [T1547.001]
    examples:
      - 07F7846BBCDA782E5639292AD93907EB:0x40121A
  features:
    - and:
      - or:
        - number: 0x07 = CSIDL_STARTUP
        - number: 0x18 = CSIDL_COMMON_STARTUP
      - or:
        - api: shell32.SHGetFolderPath
        - api: shell32.SHGetFolderLocation
        - api: shell32.SHGetSpecialFolderPath
        - api: shell32.SHGetSpecialFolderLocation

last edited: 2023-11-24 10:35:00