Detecting malware persistence technique

Adversaries might achieve persistence if they manage to add a malicious script or program to the startup folder of a Windows endpoint. The program in this folder executes when a user logs in to the endpoint.

By monitoring the Windows startup folder with the Wazuh FIM module, you can detect any suspicious or unknown programs that users might have added. This allows you to take appropriate action to remove them before they cause harm to your endpoint.

Use case description

Endpoint

Description

Windows 10

The FIM module monitors the startup folder on this endpoint.

Configuration

Wazuh monitors the startup folder automatically without requiring any user action. By default, the Wazuh configuration file at C:\Program Files (x86)\ossec-agent\ossec.conf uses the following setting to monitor the startup folder:

<syscheck>
  <directories realtime="yes">%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup</directories>
</syscheck>

Test the configuration

  1. Use PowerShell to download an EICAR test file to the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup directory:

    cd "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    Invoke-WebRequest -Uri https://secure.eicar.org/eicar.com.txt -OutFile eicar.txt
    
  2. Delete the file from the Windows endpoint:

    Remove-Item eicar.txt
    

Visualize the alert

Navigate to Modules > Integrity monitoring on the Wazuh dashboard to view the alert generated when the FIM module detects changes in the Windows startup folder.

Changes in the Windows startup folder

Additionally, you can integrate the Wazuh FIM module with VirusTotal to automatically remove this type of threat. You can find more information in our Proof of Concept guide.