Detect Shortcut Modification in Google Chronicle
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts (.lnk files) or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries may abuse shortcuts in the startup folder to execute their tools and achieve persistence. They may also edit the target path or entirely replace existing shortcuts so their malware executes instead of the intended legitimate program. Threat actors including Lazarus Group, APT39, Leviathan, and Turla have used this technique. LNK browser extensions may also be modified to persistently launch malware.
MITRE ATT&CK
- Tactic
- Persistence Privilege Escalation
- Technique
- T1547 Boot or Logon Autostart Execution
- Sub-technique
- T1547.009 Shortcut Modification
- Canonical reference
- https://attack.mitre.org/techniques/T1547/009/
YARA-L Detection Query
rule t1547_009_startup_shortcut_modification {
meta:
author = "df00tech"
description = "Detects creation or modification of .lnk shortcut files in Windows Startup folders, indicating potential persistence via shortcut modification (T1547.009)"
mitre_attack_tactic = "Persistence"
mitre_attack_technique = "T1547.009"
severity = "HIGH"
confidence = "HIGH"
version = "1.0"
events:
$e.metadata.event_type = "FILE_CREATION" or $e.metadata.event_type = "FILE_MODIFICATION"
$e.target.file.full_path = /(?i).*\.lnk$/
(
$e.target.file.full_path = /(?i).*Start Menu\\Programs\\Startup.*/
or $e.target.file.full_path = /(?i).*Start Menu\\Programs\\StartUp.*/
)
condition:
$e
}Google Chronicle YARA-L 2.0 rule to detect .lnk shortcut file creation or modification events in Windows Startup directories. Leverages UDM FILE_CREATION and FILE_MODIFICATION events to identify persistence via startup folder shortcut abuse (T1547.009).
Data Sources
Required Tables
False Positives & Tuning
- Legitimate software deployment via enterprise tooling that installs startup shortcuts as part of application provisioning
- User-created shortcuts placed in the Startup folder for convenience applications or scripts
- Antivirus or security software that monitors or modifies startup folder contents as part of remediation
Other platforms for T1547.009
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Malicious Shortcut in Startup Folder
Expected signal: Sysmon Event ID 11: FileCreate for df00tech-test.lnk in the Startup folder. Sysmon Event ID 1: PowerShell process creation with WScript.Shell COM object usage.
- Test 2Modify Existing Shortcut Target
Expected signal: Sysmon Event ID 11: FileCreate for the initial shortcut. File modification event when the target path is changed. Both events show PowerShell as the initiating process.
- Test 3Create VBScript Shortcut in Startup
Expected signal: Sysmon Event ID 11 for both the .vbs file creation and the .lnk shortcut in Startup. The shortcut targeting wscript.exe with a .vbs argument is a strong malicious indicator.
Unlock Pro Content
Get the full detection package for T1547.009 including response playbook, investigation guide, and atomic red team tests.