Technique on mitre.org

T1547.009: Shortcut Modification

Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.

Adversaries may abuse shortcuts in the startup folder to execute their tools and achieve persistence. Although often used as payloads in an infection chain (e.g. Spearphishing Attachment), adversaries may also create a new shortcut as a means of indirection, while also abusing Masquerading to make the malicious shortcut appear as a legitimate program. Adversaries can also edit the target path or entirely replace an existing shortcut so their malware will be executed instead of the intended legitimate program.

Shortcuts can also be abused to establish persistence by implementing other methods. For example, LNK browser extensions may be modified (e.g. Browser Extensions) to persistently launch malware.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_persistence: PT-CR-269: Windows_Autorun_Modification: Windows OS autorun element changed

Detection

ID	DS0022	Data source and component	File: File Modification	Description	Since a shortcut's target path likely will not change, modifications to shortcut files that do not correlate with known software changes, patches, removal, etc., may be suspicious. Analysis should attempt to relate shortcut file change events to other potentially suspicious events based on known adversary behavior such as process launches of unknown executables that make network connections.

ID	DS0009	Data source and component	Process: Process Creation	Description	Monitor for newly executed processes that may create or edit shortcuts to run a program during system boot or user login.

ID	DS0022	Data source and component	File: File Creation	Description	Monitor for LNK files created with a Zone Identifier value greater than 1, which may indicate that the LNK file originated from outside of the network. Analysis should attempt to relate shortcut creation events to other potentially suspicious events based on known adversary behavior such as process launches of unknown executables that make network connections.

ID	Data source and component	Description
DS0022	File: File Modification	Since a shortcut's target path likely will not change, modifications to shortcut files that do not correlate with known software changes, patches, removal, etc., may be suspicious. Analysis should attempt to relate shortcut file change events to other potentially suspicious events based on known adversary behavior such as process launches of unknown executables that make network connections.
DS0009	Process: Process Creation	Monitor for newly executed processes that may create or edit shortcuts to run a program during system boot or user login.
DS0022	File: File Creation	Monitor for LNK files created with a Zone Identifier value greater than 1, which may indicate that the LNK file originated from outside of the network. Analysis should attempt to relate shortcut creation events to other potentially suspicious events based on known adversary behavior such as process launches of unknown executables that make network connections.

Mitigation

ID	M1018	Name	User Account Management	Description	Limit permissions for who can create symbolic links in Windows to appropriate groups such as Administrators and necessary groups for virtualization. This can be done through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create symbolic links.

ID	Name	Description
M1018	User Account Management	Limit permissions for who can create symbolic links in Windows to appropriate groups such as Administrators and necessary groups for virtualization. This can be done through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create symbolic links.