hunting-for-startup-folder-persistence
Installation
SKILL.md
Hunting for Startup Folder Persistence
Overview
Attackers use Windows startup folders for persistence (MITRE ATT&CK T1547.001 — Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder). Files placed in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup or C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup execute automatically at user logon. This skill scans startup directories for suspicious files, monitors for real-time changes using Python watchdog, and analyzes file metadata to detect persistence implants.
When to Use
- When investigating security incidents that require hunting for startup folder persistence
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
Prerequisites
- Python 3.9+ with
watchdog,pefile(optional for PE analysis) - Access to Windows startup folders (user and all-users)
- Windows Event Logs for Event ID 4663 correlation (optional)