1019 B
1019 B
HTA startup persistence
Use this query to locate persistence in Startup with HTA files.
Query
DeviceFileEvents
| where FolderPath contains @"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\"
| where FileName endswith ".hta"
Category
This query can be used to detect the following attack techniques and tactics (see MITRE ATT&CK framework) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|---|---|---|
| Initial access | ||
| Execution | ||
| Persistence | ||
| Privilege escalation | ||
| Defense evasion | ||
| Credential Access | ||
| Discovery | ||
| Lateral movement | ||
| Collection | ||
| Command and control | ||
| Exfiltration | ||
| Impact | ||
| Vulnerability | ||
| Exploit | ||
| Misconfiguration | ||
| Malware, component | ||
| Ransomware | V |
Contributor info
Contributor: Microsoft 365 Defender