Skill

hunting-for-startup-folder-persistence

Detects Windows startup folder persistence (T1547.001) by scanning directories for suspicious files, analyzing autoruns, and real-time monitoring with Python watchdog. For threat hunting and SOC analysis.

Python

security

npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Attackers use Windows startup folders for persistence (MITRE ATT&CK T1547.001 — Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder). Files placed in `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` or `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup` execute automatically at user logon. This skill scans startup directories for suspicious files, monitors ...

Supporting Assets

LICENSEreferences/api-reference.mdscripts/agent.py

SKILL.md

Similar Skills

applying-brand-guidelines

41.6k

Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.

3 files

anthropics-claude-cookbooks

creating-financial-models

41.6k

Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.

2 files

anthropics-claude-cookbooks

analyzing-financial-statements

41.6k

Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.

2 files

anthropics-claude-cookbooks

Stats

Stars5748

Forks783

Last CommitApr 6, 2026

Actions

View Source View Plugin View on GitHub View README

Tags

filesystem-monitoring

Hunting for Startup Folder Persistence

Overview

Attackers use Windows startup folders for persistence (MITRE ATT&CK T1547.001 — Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder). Files placed in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup or C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup execute automatically at user logon. This skill scans startup directories for suspicious files, monitors for real-time changes using Python watchdog, and analyzes file metadata to detect persistence implants.

When to Use

When investigating security incidents that require hunting for startup folder persistence

When building detection rules or threat hunting queries for this domain

When SOC analysts need structured procedures for this analysis type

When validating security monitoring coverage for related attack techniques

Prerequisites

Python 3.9+ with watchdog, pefile (optional for PE analysis)

Access to Windows startup folders (user and all-users)

Windows Event Logs for Event ID 4663 correlation (optional)

Steps

Enumerate all files in user and system startup directories

Analyze file types, creation timestamps, and digital signatures

Flag suspicious file extensions (.bat, .vbs, .ps1, .lnk, .exe)

Check for recently created files (< 7 days) as potential implants

Monitor startup folders in real-time using watchdog FileSystemEventHandler

Correlate with known legitimate startup entries

Generate threat hunting report with T1547.001 MITRE mapping

Expected Output

JSON report listing all startup folder contents with risk scores, file metadata, and suspicious indicators

Real-time monitoring alerts for new file creation in startup directories