The Startup folder is a Windows directory whose contents (usually shortcuts) are launched automatically when a user logs in. Each user has one, and there is an all-users one. Attackers drop a shortcut or executable pointing at their payload, and it runs at every logon, requiring no admin for the per-user folder. It is one of the oldest and simplest persistence methods, easy to set and easy to inspect. It maps to MITRE T1547.001.
What it is
Windows runs whatever is in the Startup folder when a user logs in. There are two:
- Per-user: %AppData%\Microsoft\Windows\Start Menu\Programs\Startup (shell:startup).
- All-users: %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp (shell:common startup).
It exists so users can have apps open at sign-in. Anything placed there, including a shortcut to a malicious program, runs automatically.
The technique and payload
The attacker drops a launcher into the Startup folder:
- Copy a payload or a .lnk shortcut into shell:startup (per-user, no admin) or the common Startup folder (all users, admin).
- The shortcut can point at the payload, a script, or a LOLBIN that fetches and runs it.
- It executes at the next (and every) logon for that user.
It is trivial to set up and needs no special privilege for the per-user folder. Documented for defensive context.
How to defend
- Monitor the Startup folders (per-user and common) for new files and shortcuts.
- Baseline legitimate startup items so additions stand out (autoruns enumerates them).
- Use application allow-listing so a dropped payload cannot execute.
- Inspect shortcut targets; attackers hide LOLBINs and scripts behind innocent-looking .lnk files.
- Limit local admin so that the all-users Startup folder cannot be written to.
References
- [1] MITRE ATT&CK: Boot or Logon Autostart Execution (T1547) (MITRE)
- [2] Microsoft: Windows known folders (Microsoft)
- [3] MITRE ATT&CK: Persistence (TA0003) (MITRE)