write file to startup folder

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: write file to startup folder
    namespace: persistence/startup-folder
    authors:
      - matthew.williams@mandiant.com
      - j.j.vannielen@utwente.nl
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Persistence::Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder [T1547.001]
    examples:
      - 07F7846BBCDA782E5639292AD93907EB:0x401040
  features:
    - or:
      - and:
        - match: get startup folder
        - or:
          - match: copy file
          - match: move file
          - match: write file on Windows
      - call:
        - and:
          - string: /Start Menu\\Programs\\Startup/i
          - or:
            - match: copy file
            - match: move file
            - match: write file on Windows

last edited: 2024-12-09 09:51:47