Adversaries may create or edit shortcuts to run a program during system boot or user login. Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use Masquerading to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-2 | Account Management | Protects | T1547.009 | Shortcut Modification | |
AC-3 | Access Enforcement | Protects | T1547.009 | Shortcut Modification | |
AC-5 | Separation of Duties | Protects | T1547.009 | Shortcut Modification | |
AC-6 | Least Privilege | Protects | T1547.009 | Shortcut Modification | |
CM-5 | Access Restrictions for Change | Protects | T1547.009 | Shortcut Modification | |
IA-2 | Identification and Authentication (Organizational Users) | Protects | T1547.009 | Shortcut Modification | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
azure_sentinel | Azure Sentinel | technique_scores | T1547.009 | Shortcut Modification | Comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can enumerate SSPs, install malicious SSPs, persist by modifying .lnk files to include backdoors, and modify the registry run keys, but does not address other procedures. |
file_integrity_monitoring | File Integrity Monitoring | technique_scores | T1547.009 | Shortcut Modification | Comments: This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis. |
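As an added example that is not part of this mapping page or the mapped products, the following PowerShell script performs the kind of baseline-and-compare check a file integrity monitoring control applies to the Startup folders: it resolves each .lnk to its target and arguments, hashes the file, and reports shortcuts that are new, removed, or changed since the baseline. The baseline file location under ProgramData is an assumption.

```powershell
# Added example: baseline the shortcuts in the per-user and all-users Startup
# folders and report any that are new, removed, or whose target changed.
# The baseline file location is an assumption for this example.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
$baselinePath = Join-Path $env:ProgramData 'lnk-baseline.json'   # assumed path

$shell = New-Object -ComObject WScript.Shell

function Get-StartupShortcutState {
    # Resolve every .lnk to its target and arguments and hash the .lnk itself,
    # so both a retargeted shortcut and a byte-level replacement are caught.
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -Filter '*.lnk' -File | ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            [pscustomobject]@{
                Path      = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
                Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

$current = @(Get-StartupShortcutState)

if (-not (Test-Path $baselinePath)) {
    # First run: record the known-good state for later comparison.
    $current | ConvertTo-Json | Set-Content -Path $baselinePath
    Write-Output "Baseline written to $baselinePath ($($current.Count) shortcuts)."
    return
}

$baseline = @(Get-Content -Path $baselinePath -Raw | ConvertFrom-Json)
$known = @{}
foreach ($b in $baseline) { $known[$b.Path] = $b }

foreach ($c in $current) {
    $b = $known[$c.Path]
    if ($null -eq $b) {
        Write-Warning "NEW shortcut: $($c.Path) -> $($c.Target) $($c.Arguments)"
    } elseif ($b.Sha256 -ne $c.Sha256) {
        Write-Warning "MODIFIED: $($c.Path)`n  was: $($b.Target) $($b.Arguments)`n  now: $($c.Target) $($c.Arguments)"
    }
}
foreach ($path in $known.Keys) {
    if (-not ($current.Path -contains $path)) { Write-Warning "REMOVED shortcut: $path" }
}
```

Running it on a schedule shorter than the hourly worst case noted above narrows the window in which a retargeted or replaced Startup shortcut goes unnoticed.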