endpoint(opens in a new tab or window)
windows(opens in a new tab or window)
file where host.os.type == "windows" and event.type != "deletion" and
/* Call attention to file extensions that may be used for malicious purposes */
/* Optionally, Windows scripting engine processes targeting shortcut files */
(
file.extension : ("vbs", "vbe", "wsh", "wsf", "js") or
process.name : ("wscript.exe", "cscript.exe")
) and not (startsWith(user.domain, "NT") or endsWith(user.domain, "NT"))
/* Identify files created or changed in the startup folder */
and file.path : (
"?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*",
"?:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\*")
Install detection rules in Elastic Security
Detect Persistent Scripts in the Startup Directory in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).