title: Shortcut Modification (T1547.009)
id: df00tech-t1547-009
status: experimental
description: "Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts (.lnk files) or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries may abuse shortcuts in the startup folder to execute their tools and achieve persistence. They may also edit the target path or entirely replace existing shortcuts so their malware executes instead of the intended legitimate program. Threat actors including Lazarus Group, APT39, Leviathan, and Turla have used this technique. LNK browser extensions may also be modified to persistently launch malware."
references:
  - https://attack.mitre.org/techniques/T1547/009/
  - https://df00tech.com/detections/T1547.009
author: df00tech
date: 2026/04/20
tags:
  - attack.t1547.009
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Software installations that create legitimate startup shortcuts (VPN clients, communication tools)"
  - User-created shortcuts pinned to the Start Menu or placed in Startup folder intentionally
  - Windows Updates or application updates that recreate or modify existing shortcuts
  - "Enterprise deployment tools (SCCM, Intune) deploying shortcuts during provisioning"
level: high