Hunting for Startup Folder Persistence
Overview
Attackers use Windows startup folders for persistence (MITRE ATT&CK T1547.001 — Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder). Files placed in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup or C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup execute automatically at user logon. This skill scans startup directories for suspicious files, monitors for real-time changes using Python watchdog, and analyzes file metadata to detect persistence implants.
When to Use
- When investigating security incidents that require hunting for startup folder persistence
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
Prerequisites
- Python 3.9+ with
watchdog, pefile (optional for PE analysis)
- Access to Windows startup folders (user and all-users)
- Windows Event Logs for Event ID 4663 correlation (optional)
Steps
- Enumerate all files in user and system startup directories
- Analyze file types, creation timestamps, and digital signatures
- Flag suspicious file extensions (.bat, .vbs, .ps1, .lnk, .exe)
- Check for recently created files (< 7 days) as potential implants
- Monitor startup folders in real-time using watchdog FileSystemEventHandler
- Correlate with known legitimate startup entries
- Generate threat hunting report with T1547.001 MITRE mapping
Expected Output
- JSON report listing all startup folder contents with risk scores, file metadata, and suspicious indicators
- Real-time monitoring alerts for new file creation in startup directories
