SCENARIO DETAILS
The following pages contain details and results for each scenario that was run as part of this project.
PERSISTENCE THROUGH STARTUP FOLDER SCENARIO RESULTS
Detailed description, results and mitigation recommendations for this scenario.
DESCRIPTION
PERSISTENCE THROUGH STARTUP FOLDER
This scenario mimics malware that achieves persistence by adding files to the operating system Startup Directory.
The list of available Startup Directories across Microsoft Windows versions is:
%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\StartUp
%ALLUSERSPROFILE%\Start Menu\Programs\StartUp
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp
%USERPROFILE%\Start Menu\Programs\StartUp
Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots.
The scenario should be configured with the following parameters:
A list of the startup folders into which the file will be copied.
The file path of the source file that will be copied.
The destination file name to use.
If this scenario does not receive any parameter it will check which startup directory exists in the asset and then it will copy the C:\Windows\notepad.exe binary to all the existent startup directories with the 'AttackIQPersistenceThroughStartupFolderBinary.exe' name.
This means that the scenario can run without any parameter or with all three parameters specified.
This scenario should be executed by a user account that has already logged into the system at least once. The Startup folder does not exist prior to an account's login, so a prior login ensures that all startup folders were created by Windows directly. If the folders do not exist, the scenario will try to create them automatically, but this may impact EDR detection capabilities.
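As an added defender-side example (not part of the AttackIQ scenario or this report), the following PowerShell script audits the four Startup folders listed above on the local machine: it expands the environment variables, reports which folders exist, and hashes every file it finds, flagging any file whose content is identical to C:\Windows\notepad.exe (the scenario's default payload) even when the file has been renamed. The folder list and the notepad.exe reference come from the scenario description; the choice of SHA-256, the extension list and the output format are the example's own assumptions.

```powershell
# Added audit example, not AttackIQ's scenario code: enumerate the Windows
# Startup folders named in the scenario description, report which exist, and
# hash every file found in them so that a copied system binary (the scenario
# default copies C:\Windows\notepad.exe under a new name) is recognised by
# content rather than by file name.

# The four Startup directory variants listed in the scenario description.
$startupFolders = @(
    '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\StartUp',
    '%ALLUSERSPROFILE%\Start Menu\Programs\StartUp',
    '%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp',
    '%USERPROFILE%\Start Menu\Programs\StartUp'
)

# System binaries whose copies in a Startup folder should be flagged.
# notepad.exe is the scenario default; the list is an assumption and can be
# extended. Hashes are computed locally at run time, not hard-coded.
$referenceBinaries = @('C:\Windows\notepad.exe')
$referenceHashes = @{}
foreach ($bin in $referenceBinaries) {
    if (Test-Path -LiteralPath $bin) {
        $h = (Get-FileHash -LiteralPath $bin -Algorithm SHA256).Hash
        $referenceHashes[$h] = $bin
    }
}

# Extensions treated as directly executable content (assumed list).
$executableExtensions = @('.exe', '.dll', '.bat', '.cmd', '.vbs', '.js', '.ps1', '.scr')

$findings = foreach ($raw in $startupFolders) {
    # Expand the %VAR% tokens exactly as the scenario's folder list writes them.
    $path = [Environment]::ExpandEnvironmentVariables($raw)

    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Folder = $path; Exists = $false; File = $null; SHA256 = $null
                           Note = 'folder missing (the scenario may create it)' }
        continue
    }

    $files = Get-ChildItem -LiteralPath $path -File -Force -ErrorAction SilentlyContinue
    if (-not $files) {
        [pscustomobject]@{ Folder = $path; Exists = $true; File = $null; SHA256 = $null; Note = 'empty' }
        continue
    }

    foreach ($f in $files) {
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        $note = if ($referenceHashes.ContainsKey($hash)) {
            # Same bytes as a known system binary: a renamed copy, as in this scenario.
            "content identical to $($referenceHashes[$hash]) (renamed system binary)"
        } elseif ($f.Extension -in $executableExtensions) {
            'executable content in Startup folder: review'
        } else {
            # Typically a .lnk shortcut; its target still deserves a look.
            'shortcut or other file: review target'
        }
        [pscustomobject]@{ Folder = $path; Exists = $true; File = $f.Name; SHA256 = $hash; Note = $note }
    }
}

$findings | Format-Table -AutoSize
```

Run the script in the session of the user whose profile is being checked, because %APPDATA% and %USERPROFILE% resolve per user and the per-user Startup folder only exists after that account has logged in, as the description above notes. After the scenario's default run, the File column would show AttackIQPersistenceThroughStartupFolderBinary.exe with the "content identical to C:\Windows\notepad.exe" note, which is the observation a detection rule should key on: a hash match against a known system binary in a persistence location, independent of the file name chosen.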
SCENARIO RESULTS BY ASSET (LAST RUN)