Hunting for Startup Folder Persistence

Overview

Attackers use Windows startup folders for persistence (MITRE ATT&CK T1547.001 — Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder). Files placed in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup or C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup execute automatically at user logon. This skill scans startup directories for suspicious files, monitors for real-time changes using Python watchdog, and analyzes file metadata to detect persistence implants.

When to Use

• When investigating security incidents that require hunting for startup folder persistence
• When building detection rules or threat hunting queries for this domain
• When SOC analysts need structured procedures for this analysis type
• When validating security monitoring coverage for related attack techniques

Prerequisites

• Python 3.9+ with watchdog, pefile (optional for PE analysis)
• Access to Windows startup folders (user and all-users)
• Windows Event Logs for Event ID 4663 correlation (optional)