Which SIEM platforms have a T1547.009 detection rule?

df00tech provides T1547.009 (Shortcut Modification) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Shortcut Modification (T1547.009)?

Detecting Shortcut Modification requires the following data sources: File: File Creation, File: File Modification, Microsoft Defender for Endpoint.

What severity and confidence is the T1547.009 detection?

The T1547.009 detection is rated high severity with high confidence.

What are common false positives for T1547.009?

Common false positives for T1547.009 include: Software installations that create legitimate startup shortcuts (VPN clients, communication tools); User-created shortcuts pinned to the Start Menu or placed in Startup folder intentionally; Windows Updates or application updates that recreate or modify existing shortcuts.

T1547.009 Splunk · SPL

Detect Shortcut Modification in Splunk

Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts (.lnk files) or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries may abuse shortcuts in the startup folder to execute their tools and achieve persistence. They may also edit the target path or entirely replace existing shortcuts so their malware executes instead of the intended legitimate program. Threat actors including Lazarus Group, APT39, Leviathan, and Turla have used this technique. LNK browser extensions may also be modified to persistently launch malware.

MITRE ATT&CK

Tactic: Persistence Privilege Escalation
Technique: T1547 Boot or Logon Autostart Execution
Sub-technique: T1547.009 Shortcut Modification
Canonical reference: https://attack.mitre.org/techniques/T1547/009/

SPL Detection Query

Splunk (SPL)

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
  TargetFilename="*.lnk"
  (TargetFilename="*Start Menu\\Programs\\Startup*" OR TargetFilename="*Start Menu\\Programs\\StartUp*")
| table _time, host, TargetFilename, Image, User
| sort - _time

high severity high confidence

Detects .lnk file creation in Windows Startup folders using Sysmon Event ID 11 (FileCreate). Monitors both per-user and system-wide startup locations. This is a high-confidence detection for shortcut-based persistence used by many APT groups and malware families.

Data Sources

File: File CreationSysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

Software installations creating legitimate startup shortcuts
User-created shortcuts in the Startup folder
Windows or application updates modifying shortcuts
Enterprise deployment tools deploying shortcuts

Download portable Sigma rule (.yml)

Other platforms for T1547.009

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Create Malicious Shortcut in Startup Folder
Expected signal: Sysmon Event ID 11: FileCreate for df00tech-test.lnk in the Startup folder. Sysmon Event ID 1: PowerShell process creation with WScript.Shell COM object usage.
Test 2Modify Existing Shortcut Target
Expected signal: Sysmon Event ID 11: FileCreate for the initial shortcut. File modification event when the target path is changed. Both events show PowerShell as the initiating process.
Test 3Create VBScript Shortcut in Startup
Expected signal: Sysmon Event ID 11 for both the .vbs file creation and the .lnk shortcut in Startup. The shortcut targeting wscript.exe with a .vbs argument is a strong malicious indicator.

Last updated: 2026-04-20 Research depth: deep

References (4)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1547.009 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Detect Shortcut Modification in Splunk

MITRE ATT&CK

SPL Detection Query

Data Sources

Required Sourcetypes

False Positives & Tuning

Other platforms for T1547.009

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Persistence

Popular Detections

MITRE ATT&CK

SPL Detection Query

Data Sources

Required Sourcetypes

False Positives & Tuning

Other platforms for T1547.009

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Persistence

Popular Detections

Get new detections in your inbox