hunting-for-startup-folder-persistence

Solid

Detect T1547.001 startup folder persistence by monitoring Windows startup directories for suspicious file creation, analyzing autoruns entries, and using Python watchdog for real-time filesystem monitoring.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0

Install

View on GitHub

Quality Score: 97/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
88
Issue Health 10%
50
License 10%
100
Description 5%
100

Skill Content

# Hunting for Startup Folder Persistence ## Overview Attackers use Windows startup folders for persistence (MITRE ATT&CK T1547.001 — Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder). Files placed in `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` or `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup` execute automatically at user logon. This skill scans startup directories for suspicious files, monitors for real-time changes using Python watchdog, and analyzes file metadata to detect persistence implants. ## When to Use - When investigating security incidents that require hunting for startup folder persistence - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Python 3.9+ with `watchdog`, `pefile` (optional for PE analysis) - Access to Windows startup folders (user and all-users) - Windows Event Logs for Event ID 4663 correlation (optional) ## Steps 1. Enumerate all files in user and system startup directories 2. Analyze file types, creation timestamps, and digital signatures 3. Flag suspicious file extensions (.bat, .vbs, .ps1, .lnk, .exe) 4. Check for recently created files (< 7 days) as potential implants 5. Monitor startup folders in real-time using watchdog FileSystemEventHandler 6. Correlate with known legitimate startup entries 7. G...

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

hunting-for-persistence-mechanisms-in-windows

Systematically hunt for adversary persistence mechanisms across Windows endpoints including registry, services, startup folders, and WMI subscriptions.

12,642 Updated today
mukul975
AI & Automation Featured

hunting-for-registry-run-key-persistence

Detect MITRE ATT&CK T1547.001 registry Run key persistence by analyzing Sysmon Event ID 13 logs and registry queries to identify malicious auto-start entries.

12,642 Updated today
mukul975
AI & Automation Featured

performing-malware-persistence-investigation

Systematically investigate all persistence mechanisms on Windows and Linux systems to identify how malware survives reboots and maintains access.

12,642 Updated today
mukul975
AI & Automation Featured

hunting-for-suspicious-scheduled-tasks

Hunt for adversary persistence and execution via Windows scheduled tasks by analyzing task creation events, suspicious task properties, and unusual execution patterns that indicate T1053.005 abuse.

12,642 Updated today
mukul975
AI & Automation Featured

analyzing-malware-persistence-with-autoruns

Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry keys, scheduled tasks, services, drivers, and startup locations on Windows systems.

12,642 Updated today
mukul975