Detecting malware persistence technique

Adversaries might achieve persistence if they manage to add a malicious script or program to the startup folder of a Windows endpoint. The program in this folder executes when a user logs in to the endpoint.

By monitoring the Windows startup folder with the ThreatLockDown FIM module, you can detect any suspicious or unknown programs that users might have added. This allows you to take appropriate action to remove them before they cause harm to your endpoint.

Use case description

Endpoint

Description

Windows 10

The FIM module monitors the startup folder on this endpoint.

Configuration

ThreatLockDown monitors the startup folder automatically without requiring any user action. By default, the ThreatLockDown configuration file at C:\Program Files (x86)\ossec-agent\ossec.conf uses the following setting to monitor the startup folder:

<syscheck>
  <directories realtime="yes">%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup</directories>
</syscheck>

Test the configuration

  1. Use PowerShell to download an EICAR test file to the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup directory:

    cd "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    Invoke-WebRequest -Uri https://secure.eicar.org/eicar.com.txt -OutFile eicar.txt
    
  2. Delete the file from the Windows endpoint:

    Remove-Item eicar.txt
    

Visualize the alert

Navigate to File Integrity Monitoring on the ThreatLockDown dashboard to view the alert generated when the FIM module detects changes in the Windows startup folder.

Changes in the Windows startup folder

Additionally, you can integrate the ThreatLockDown FIM module with VirusTotal to automatically remove this type of threat. You can find more information in our Proof of Concept guide.