Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
An attacker with network access and valid privileges can easily copy files to Windows autostart paths. This technique is uncommon because it is easily detected. However, if an attacker can successfully install a payload that is later run on the victim device, the attacker can establish persistence or laterally move across the network.
Kill Chain
Risk Score
78
After infiltrating a network, an attacker can laterally move across the network by compromising new target devices. While an attacker can transfer an executable file to a target device over the SMB protocol to a Windows device, a malicious payload will not automatically run. However, an attacker with administrator credentials can copy the file to a startup path, such as C$\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The files in this path run automatically during startup processes, such as boot or login, delivering the malicious payload.
Quarantine the client while checking for indicators of compromise
Disable SMB file sharing unless required
Apply the principle of least privilege to permissions for modifying autostart paths
Implement network segmentation, security zones, and firewall policies that limit how devices can communicate
