name: VBScript Backdoor Launcher Dropped to User Startup Folder Analytic
category: "Persistence"
threatname: "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
functionality: "Endpoint Management Systems"
description: |
  Detects VBScript (.vbs) or encoded VBScript (.vbe) files created in a
  Startup folder, a persistence mechanism used by Deep#Door to execute the
  Python backdoor silently at each user logon without requiring elevated
  privileges. The implant drops SystemServices.vbs into the user's Startup
  folder to invoke pythonw.exe against the staged svc.py payload.
reference:
labels:
  - attack.persistence
  - attack.t1547.001
  - Deep#Door
logsource:
  category: file_event
  product: windows
detection:
  selection:
    Filename|endswith:
      - ".vbs"
      - ".vbe"
    FilePath|contains:
      - '\Microsoft\Windows\Start Menu\Programs\Startup'
  condition: selection
criticality: High
saveasthreat: false
violation_summary:
  grouping_attribute: "accountname"
  level2_attribute:
  level2_metadata_attributes:
  metadata_attributes:
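The selection above, run over a handful of constructed file_event records so its match behaviour can be checked offline before the policy is deployed. This is an added example, not part of the original analytic or of any vendor backend; the field names follow the rule (Filename, FilePath, accountname), the sample events are made up, and the case-insensitive comparison is an assumption about how the backend evaluates the endswith/contains modifiers.

```python
"""Added example (not from the original analytic): the rule's selection logic
applied to constructed Windows file_event records."""
from collections import defaultdict

# Constructed sample events (not real telemetry). Field names follow the
# analytic's selection: Filename, FilePath, accountname.
SAMPLE_EVENTS = [
    {"accountname": "CORP\\jdoe", "Filename": "SystemServices.vbs",
     "FilePath": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemServices.vbs"},
    {"accountname": "CORP\\jdoe", "Filename": "svc.py",
     "FilePath": r"C:\Users\jdoe\AppData\Local\SystemServices\svc.py"},
    {"accountname": "CORP\\asmith", "Filename": "login.VBE",
     "FilePath": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\login.VBE"},
    {"accountname": "CORP\\asmith", "Filename": "build.vbs",
     "FilePath": r"C:\Tools\build.vbs"},
    {"accountname": "CORP\\jdoe", "Filename": "notes.txt",
     "FilePath": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.txt"},
]

SCRIPT_EXTENSIONS = (".vbs", ".vbe")
STARTUP_FRAGMENT = r"\microsoft\windows\start menu\programs\startup"


def matches_selection(event):
    """Mirror the rule: Filename|endswith .vbs/.vbe AND FilePath|contains the
    Startup fragment. Both sides are lower-cased, assuming the backend treats
    the modifiers case-insensitively. The fragment also matches the all-users
    folder under ProgramData, not only the per-user one."""
    name = event.get("Filename", "").lower()
    path = event.get("FilePath", "").lower()
    return name.endswith(SCRIPT_EXTENSIONS) and STARTUP_FRAGMENT in path


def evaluate(events):
    """Return the matching file paths grouped by accountname, which is the
    grouping_attribute the violation summary uses."""
    hits = defaultdict(list)
    for ev in events:
        if matches_selection(ev):
            hits[ev["accountname"]].append(ev["FilePath"])
    return dict(hits)


if __name__ == "__main__":
    for account, paths in evaluate(SAMPLE_EVENTS).items():
        print(account)
        for p in paths:
            print("   ", p)
```

The svc.py write under %LOCALAPPDATA% is deliberately not matched: the rule keys on the launcher in the Startup folder, and the staged payload would need a separate analytic.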
TECHNICAL DETAILS
Observed persistence file:
- %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\SystemServices.vbs
This VBScript is used to establish persistence by executing the staged Python
backdoor at user logon. The script typically launches the payload silently:

' Launcher as dropped into the Startup folder
Dim WShell
' WScript.Shell exposes Run, which can start any executable
Set WShell = CreateObject("WScript.Shell")
' Run(command, intWindowStyle, bWaitOnReturn): 0 = hidden window, False = do not wait
WShell.Run "pythonw.exe " & Chr(34) & Environ("LOCALAPPDATA") & "\SystemServices\svc.py" & Chr(34), 0, False

The second argument to Run (window style 0) hides any window the launched
process would show, and pythonw.exe is the console-less Python interpreter,
so neither the script nor the backdoor presents a visible window to the user.
The third argument (False) returns immediately instead of blocking on the
backdoor, so the logon script host exits and only pythonw.exe remains. Chr(34)
is the double-quote character; it wraps the %LOCALAPPDATA% path so a space in
the profile path does not split the argument.
This technique leverages the Startup folder to achieve persistence without
requiring administrative privileges: both the per-user Startup folder and
%LOCALAPPDATA% are writable by the logged-on user. Two points for triage: the
rule's FilePath pattern also matches the all-users Startup folder under
%ProgramData%, which normally requires elevation to write to, so a hit there
indicates a different privilege level than the per-user case; and a .vbe hit
is an encoded script that must be decoded before its content can be reviewed.
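A triage helper for a script recovered from a Startup folder, checking it for the pattern described above (WScript.Shell, a .Run call with window style 0, an interpreter such as pythonw.exe, and a user-profile staging path). This is an added example, not the analytic's own tooling; the two sample scripts are constructed, the list of interpreters and the scoring are this example's own choices, and only plain-text .vbs is handled.

```python
"""Added example (not part of the original analytic): triage of a plain-text
VBScript found in a Startup folder for the hidden-launcher pattern."""
import re

# Constructed sample modelled on the launcher in the technical details (not a real file)
SAMPLE_LAUNCHER = '''Dim WShell
Set WShell = CreateObject("WScript.Shell")
WShell.Run "pythonw.exe " & Chr(34) & Environ("LOCALAPPDATA") & "\\SystemServices\\svc.py" & Chr(34), 0, False
'''

# Constructed benign sample: visible window, waits for exit, no interpreter
SAMPLE_BENIGN = '''Set sh = CreateObject("WScript.Shell")
sh.Run "notepad.exe C:\\Users\\Public\\readme.txt", 1, True
'''

SHELL_RE = re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"\s*\)', re.I)
# <obj>.Run <command>[, <intWindowStyle>[, <bWaitOnReturn>]]  (one call per line)
RUN_RE = re.compile(
    r'\.Run\s+(?P<cmd>.+?)(?:,\s*(?P<style>\d+)\s*(?:,\s*(?P<wait>True|False))?)?\s*$',
    re.I | re.M)
# Interpreters a launcher typically hands a staged payload to (example's own list)
INTERPRETERS = ("pythonw.exe", "python.exe", "wscript.exe", "cscript.exe",
                "powershell.exe", "mshta.exe")


def triage(script_text):
    """Return one finding per .Run call plus an overall verdict.

    Only plain-text .vbs is handled; an encoded .vbe must be decoded first.
    """
    uses_shell = bool(SHELL_RE.search(script_text))
    findings = []
    for m in RUN_RE.finditer(script_text):
        cmd = m.group("cmd").strip()
        lowered = cmd.lower()
        findings.append({
            "command": cmd,
            "hidden_window": m.group("style") == "0",
            "waits": (m.group("wait") or "").lower() == "true",
            "interpreter": next((i for i in INTERPRETERS if i in lowered), None),
            # Environ("LOCALAPPDATA") and similar point at user-writable staging dirs
            "user_profile_path": "environ(" in lowered,
        })
    # Verdict: a hidden-window Run that starts an interpreter or reaches into
    # the user profile, from a script that created WScript.Shell
    suspicious = uses_shell and any(
        f["hidden_window"] and (f["interpreter"] or f["user_profile_path"])
        for f in findings)
    return {"uses_wscript_shell": uses_shell, "findings": findings,
            "suspicious": suspicious}


if __name__ == "__main__":
    for label, text in (("launcher", SAMPLE_LAUNCHER), ("benign", SAMPLE_BENIGN)):
        print(label, triage(text))
```

The regex is line-oriented, so a Run call split across lines with the VBScript continuation character is not parsed; for anything more than a quick first pass, decode .vbe content and review the script by hand.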
Falsepositives: |
- Legitimate applications may use Startup folder scripts (rare)
- Validate against known enterprise scripts or legacy applications
Policy building walkthrough can be found in this previous post:
