This note documents detection patterns related to Startup Folder Abuse within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Sysmon | 11 | File create | Critical | Detects payload dropped into Startup folders. Needs a FileCreate rule covering both Startup paths in the Sysmon config; the default configuration does not log file creates. |
| Sysmon | 1 | Process creation | Critical | Payload launched after logon, parented by explorer.exe. |
| Security | 4688 | Process creation | Critical | Same chain as Sysmon 1 where Sysmon is absent; the CommandLine field is empty unless "Include command line in process creation events" is enabled. |
| Security | 4624 | Successful logon | High | Startup items run when the shell starts after an interactive logon (Logon Type 2 or 10), so the payload usually appears seconds after 4624. |
| Sysmon | 23 | File delete | Medium | Cleanup or replacement of startup payload. |
| Sysmon | 13 | Registry value set | Medium | Sometimes paired with Run keys. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Executable/script in Startup path | EXE, LNK, BAT, VBS | Critical | Core persistence footprint. |
| Startup file created shortly before logon | Timing correlation | Critical | Strong attacker pattern. |
| LNK points to unusual path | Temp/AppData payload | Critical | Common stealth technique. |
| User profile startup abuse | Per-user persistence | High | Less visible than all-users path. |
| Hidden file attributes | Concealed startup payload | High | Stealth clue. |
| Office/script payload in Startup | Non-standard content | High | Strong anomaly. |
Common Tools
| Tool | Usage |
|---|---|
| explorer.exe | Startup trigger after login |
| cmd.exe | Drop startup payload |
| PowerShell | Copy persistence payload |
| shortcut files (.lnk) | Indirect startup execution |
Relevant Artifacts
- Sysmon Event IDs 11, 1, 23, 13
- Security Event IDs 4688, 4624
- Startup paths:
  - %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (per user)
  - %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup (all users)
- LNK files
- Prefetch for payload
- MFT / USN timeline
- Amcache / ShimCache
MITRE ATT&CK References
- T1547.001 Registry Run Keys / Startup Folder
Decision Tree
- Which startup folder?
  - User (%APPDATA% path; writable by the account itself, persists for that account only)
  - All users (%ProgramData% path; writing it needs administrative rights, so it implies elevation)
- File type?
  - EXE
  - LNK (resolve the target; the shortcut is rarely the payload itself)
  - Script (BAT, VBS, JS, PS1)
- Created when?
  - Before logon
  - During intrusion
- Trigger confirmed?
  - Post-logon execution (child of explorer.exe shortly after 4624)
  - Child processes
- Expand:
  - Adjacent persistence (Run keys, Sysmon 13)
  - Payload source
  - User context
- Scope:
  - Single profile
  - Multiple users
  - Campaign deployment
Example Detection Templates
KQL
Sysmon
| where EventID == 11
| where TargetFilename contains @"\Start Menu\Programs\Startup\"
| project TimeGenerated, Computer, User, Image, TargetFilename
let startup_writes = Sysmon
| where EventID == 11 and TargetFilename contains @"\Start Menu\Programs\Startup\"
| project Computer, WriteTime = TimeGenerated, TargetFilename;
SecurityEvent
| where EventID == 4688 and ParentProcessName endswith @"\explorer.exe"
| join kind=inner startup_writes on Computer
| where TimeGenerated between (WriteTime .. (WriteTime + 10m))
| project TimeGenerated, Computer, Account, NewProcessName, CommandLine, TargetFilename
EQL
file where event.type == "creation" and file.path : "*\\Start Menu\\Programs\\Startup\\*"
sequence by host.name with maxspan=10m
  [ file where event.type == "creation" and file.path : "*\\Start Menu\\Programs\\Startup\\*" ]
  [ process where event.type == "start" and process.parent.name : "explorer.exe" ]
Sigma
title: Startup Folder Abuse Detection
id: 5b3d2f17-startup-folder
status: experimental
description: Detects files placed into the per-user or all-users Windows Startup folder
references:
    - https://attack.mitre.org/techniques/T1547/001/
author: Vergil
date: 2026-03-07
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '\Start Menu\Programs\Startup\'
    condition: selection
fields:
    - Image
    - User
    - TargetFilename
falsepositives:
    - Legitimate startup entries created by software installers
level: high
tags:
    - attack.persistence
    - attack.t1547.001
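The decision tree and the detection templates above describe the same correlation: a file lands in a Startup folder, then explorer.exe launches something for that user on the next logon. The following is an added example for this note, not code from the original page, that runs that logic over constructed Sysmon-style events. It assumes a Sysmon version that populates the User field on Event ID 11, and the BASELINE allow-list and the sample events are assumptions built for the example.

```python
"""Correlate Sysmon file-create events (ID 11) in a Startup folder with the
process-create events (ID 1) that follow on the next logon.

Added example for this note, not code from the original page. The events
below are constructed, not captured telemetry; field names follow Sysmon's
own event fields (Image, TargetFilename, ParentImage, User) and the example
assumes a Sysmon version that populates User on Event ID 11.
"""
import re
from datetime import datetime, timedelta

# Tail of the per-user (AppData\Roaming) and all-users (ProgramData) Startup paths.
STARTUP_RE = re.compile(
    r"(?P<root>\\AppData\\Roaming|\\ProgramData)"
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# Directories a startup payload rarely lives in legitimately (the note's "Temp/AppData" clue).
UNUSUAL_DIR_RE = re.compile(r"\\(Temp|AppData\\Local|AppData\\Roaming|Public|Downloads)\\", re.IGNORECASE)
FILE_TYPES = {".exe": "EXE", ".lnk": "LNK", ".bat": "Script", ".cmd": "Script",
              ".vbs": "Script", ".js": "Script", ".ps1": "Script", ".hta": "Script"}
# Hypothetical baseline of known-good entry names (an assumption for the example).
BASELINE = {"vendoragent.lnk"}

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"ts": "2026-03-07T08:30:00", "EventID": 11, "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\VendorAgent.lnk"},
    {"ts": "2026-03-07T08:59:40", "EventID": 11, "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"ts": "2026-03-07T09:00:05", "EventID": 1, "User": "CORP\\alice",
     "Image": r"C:\Users\alice\AppData\Local\Temp\svch0st.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"ts": "2026-03-07T09:00:06", "EventID": 1, "User": "CORP\\alice",
     "Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"ts": "2026-03-07T09:00:10", "EventID": 1, "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]


def classify_startup_write(target):
    """Return scope/name/type for a path inside a Startup folder, else None."""
    m = STARTUP_RE.search(target)
    if not m:
        return None
    scope = "all-users" if m.group("root").lower() == r"\programdata" else "user"
    name = m.group("name")
    ext = name[name.rfind("."):].lower() if "." in name else ""
    return {"scope": scope, "name": name, "type": FILE_TYPES.get(ext, "Other")}


def correlate(events, window=timedelta(minutes=10)):
    """Walk the decision tree: which folder, what type, baseline hit, and
    whether explorer.exe launched something for the same user within the window."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for w in (e for e in events if e["EventID"] == 11):
        info = classify_startup_write(w["TargetFilename"])
        if info is None:
            continue
        t0 = datetime.fromisoformat(w["ts"])
        launches = [
            p["Image"] for p in events
            if p["EventID"] == 1
            and p["ParentImage"].lower().endswith("\\explorer.exe")
            and p["User"].lower() == w["User"].lower()
            and t0 <= datetime.fromisoformat(p["ts"]) <= t0 + window
        ]
        unusual = [img for img in launches if UNUSUAL_DIR_RE.search(img)]
        if info["name"].lower() in BASELINE:
            severity = "info"        # known entry: review, do not page
        elif unusual:
            severity = "critical"    # Startup write plus post-logon launch from Temp/AppData
        else:
            severity = "high"        # Startup write with no confirmed trigger yet
        findings.append({**info, "user": w["User"], "written_by": w["Image"],
                         "launches": launches, "unusual_launches": unusual, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["severity"], f["scope"], f["type"], f["name"], f["unusual_launches"])
```

The launch list for a user is deliberately broad (every explorer.exe child in the window, OneDrive included); it is the write-plus-unusual-path pairing that raises severity, which mirrors the "LNK points to unusual path" indicator. In production the window should be anchored on the 4624 that follows the write rather than on the write itself, since the file can sit in the folder for days before the next logon.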
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| File creation monitoring | Alert on Startup writes | Critical | Strong signal |
| Baseline startup entries | Maintain an allow-list of known entries per host or role | High | Keeps false positives low; easy to review |
| LNK inspection | Resolve shortcut targets | Critical | Common attacker trick |
| Logon correlation | Watch immediate execution | High | Confirms trigger |
| Restrict user write paths | Keep the all-users Startup folder writable by administrators only (the default ACL); the per-user folder is writable by its owner by design, so monitor rather than lock it | High | Reduces the elevated-persistence surface |
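The "LNK points to unusual path" indicator and the "LNK inspection" control both come down to reading what a dropped shortcut actually launches. The following is an added example for this note, not code from the original page: a minimal Shell Link reader that parses the ShellLinkHeader and StringData fields defined in MS-SHLLINK (relative path, working directory, arguments), skips the optional IDList and LinkInfo blocks by their size fields, and scores the result. The two shortcuts it inspects are constructed in the block itself, not files taken from a host, and the SCRIPT_HOSTS list and argument patterns are assumptions chosen for the example.

```python
"""Minimal Shell Link (.lnk) reader for Startup-folder triage.

Added example for this note, not code from the original page. It reads the
ShellLinkHeader and the StringData fields of MS-SHLLINK and skips the optional
IDList and LinkInfo blocks by their size fields, which is enough to see what a
dropped shortcut launches. The shortcuts built below are constructed samples.
"""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = (1 << i for i in range(8))
STRINGDATA = [(HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
              (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location")]  # on-disk order
# Assumed for the example: targets that are script hosts or LOLBins rather than applications.
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe")
UNUSUAL_DIR_RE = re.compile(r"(\\|%)(Temp|AppData|Public|Downloads)(\\|%)", re.IGNORECASE)


def build_lnk(relative_path, arguments="", working_dir=""):
    """Assemble a shortcut that carries only StringData (used to construct the samples)."""
    flags = HAS_RELPATH | IS_UNICODE
    flags |= HAS_ARGS if arguments else 0
    flags |= HAS_WORKDIR if working_dir else 0
    # HeaderSize, LinkCLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize, IconIndex,
    # ShowCommand (SW_SHOWNORMAL = 1), HotKey, Reserved1, Reserved2, Reserved3
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    values = {"relative_path": relative_path, "working_dir": working_dir, "arguments": arguments}
    body = b"".join(struct.pack("<H", len(values[k])) + values[k].encode("utf-16-le")
                    for flag, k in STRINGDATA if flags & flag)
    return header + body


def parse_lnk(data):
    """Return LinkFlags and the StringData fields of a .lnk; ValueError if not a Shell Link."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 0x4C
    if flags & HAS_IDLIST:      # IDListSize (2 bytes) does not count itself
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:    # LinkInfoSize (4 bytes) covers the whole structure
        off += struct.unpack_from("<I", data, off)[0]
    out = {"flags": flags}
    for flag, key in STRINGDATA:
        if not flags & flag:
            continue
        n = struct.unpack_from("<H", data, off)[0]   # CountCharacters, not bytes
        off += 2
        if flags & IS_UNICODE:
            out[key] = data[off:off + 2 * n].decode("utf-16-le")
            off += 2 * n
        else:
            out[key] = data[off:off + n].decode("cp1252")
            off += n
    return out


def assess_lnk(info):
    """Reasons this shortcut looks like a Startup-folder payload rather than an app shortcut."""
    target = info.get("relative_path", "")
    args = info.get("arguments", "")
    reasons = []
    if target.lower().split("\\")[-1] in SCRIPT_HOSTS:
        reasons.append("target is a script host or LOLBin")
    if UNUSUAL_DIR_RE.search(target) or UNUSUAL_DIR_RE.search(args):
        reasons.append("target or arguments reference Temp/AppData")
    if re.search(r"-e(nc|ncodedcommand)?\b|-w(indowstyle)? hidden|\bhttp", args, re.IGNORECASE):
        reasons.append("hidden-window, encoded or download arguments")
    return reasons


# Constructed samples: a vendor application shortcut and one of the kind the note describes.
BENIGN_LNK = build_lnk(r"..\..\..\..\..\..\Program Files\Vendor\Agent.exe")
EVIL_LNK = build_lnk(r"..\..\..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     arguments=r"-w hidden -ep bypass -f %APPDATA%\update.ps1")

if __name__ == "__main__":
    for blob in (BENIGN_LNK, EVIL_LNK):
        info = parse_lnk(blob)
        print(info.get("relative_path"), info.get("arguments", ""), assess_lnk(info))
```

Shortcuts written by Explorer also carry a LinkTargetIDList and ExtraData blocks; the reader skips the former by size and ignores anything after StringData, so it still recovers the relative path and arguments from such files. A reviewer should resolve the relative path against the shortcut's own folder before comparing it with the baseline, since the same RELATIVE_PATH string means different targets in the per-user and all-users folders.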