DET0180 Detection Strategy for T1547.009 – Shortcut Modification (Windows)
| Item | Value |
|---|---|
| ID | DET0180 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1547.009 (Shortcut Modification)
Analytics
Windows
AN0510
Detection correlates file creation or modification of .lnk (shortcut) files in autostart locations with anomalous parent-child process lineage or unsigned binaries. Defenders should watch for LNK creation/modification events outside of known software installations, patch events, or OS updates. Flag shortcut targets pointing to suspicious locations or unknown binaries, particularly those written by script interpreters or spawned from phishing delivery chains.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| TargetPathRegex | Tunable regex to flag suspicious shortcut target paths (e.g., temp folder, base64 in target, unusual executable names) |
| TimeWindow | Time window used to correlate shortcut creation with process execution (e.g., 5-minute window) |
| UserContextScope | Filter for expected administrative installs versus end-user initiated shortcut creation |
| ZoneIdentifierThreshold | Configurable value to filter LNK files tagged with external source markers (e.g., ZoneId=3 for Internet) |
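As an added example (not part of the DET0180 page or any MITRE tooling), the following Python implements the AN0510 correlation over constructed Sysmon-style events and wires in the four mutable elements above; the regex pattern, interpreter list, delivery-chain parent list, threshold value and the event field names are assumptions chosen for the example.

```python
import re
from datetime import datetime, timedelta
# Mutable elements from the strategy; the concrete values are assumptions for this example.
TARGET_PATH_REGEX = re.compile(r"\\temp\\|\\appdata\\local\\|powershell|mshta|wscript", re.I)
TIME_WINDOW = timedelta(minutes=5)
ZONE_ID_THRESHOLD = 3  # ZoneId 3 = Internet; flag LNK files at or above this marker
AUTOSTART_PATH = re.compile(r"\\start menu\\programs\\startup\\", re.I)
SCRIPT_INTERPRETERS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
PHISHING_PARENTS = {"outlook.exe", "winword.exe", "excel.exe"}  # assumed delivery-chain parents
_basename = lambda image: image.rsplit("\\", 1)[-1].lower()

def detect_shortcut_modification(file_events, process_events):
    """Return [(lnk_path, [reasons])] for each .lnk written to an autostart folder that trips a rule.
    Events mimic Sysmon IDs 11 (file_events) and 1 (process_events); only the writer inside TIME_WINDOW counts."""
    alerts = []
    for fe in file_events:
        if not fe["path"].lower().endswith(".lnk") or not AUTOSTART_PATH.search(fe["path"]):
            continue
        reasons = []
        if TARGET_PATH_REGEX.search(fe["target"]):
            reasons.append("target matches TargetPathRegex")
        if fe.get("zone_id", 0) >= ZONE_ID_THRESHOLD:
            reasons.append("ZoneId=%d (external source)" % fe["zone_id"])
        for pe in process_events:  # correlate only the process that wrote the file, within the window
            if pe["pid"] != fe["writer_pid"] or not (timedelta(0) <= fe["time"] - pe["time"] <= TIME_WINDOW):
                continue
            if _basename(pe["image"]) in SCRIPT_INTERPRETERS:
                reasons.append("written by script interpreter " + _basename(pe["image"]))
            if not pe["signed"]:
                reasons.append("writer binary is unsigned")
            if _basename(pe["parent_image"]) in PHISHING_PARENTS:
                reasons.append("writer spawned by " + _basename(pe["parent_image"]))
        if reasons:
            alerts.append((fe["path"], reasons))
    return alerts

# Constructed sample telemetry: a signed installer write (should pass) and a shortcut dropped by a
# PowerShell child of Word that points at %TEMP% and carries ZoneId=3 (Internet).
T0 = datetime(2025, 10, 21, 9, 0, 0)
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
PROCESS_EVENTS = [
    {"time": T0, "pid": 4100, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "signed": True},
    {"time": T0 + timedelta(minutes=1), "pid": 5230, "signed": True,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
]
FILE_EVENTS = [
    {"time": T0 + timedelta(seconds=30), "path": STARTUP + r"\Vendor App.lnk",
     "target": r"C:\Program Files\Vendor\app.exe", "zone_id": 0, "writer_pid": 4100},
    {"time": T0 + timedelta(minutes=2), "path": STARTUP + r"\update.lnk",
     "target": r"C:\Users\alice\AppData\Local\Temp\upd.exe", "zone_id": 3, "writer_pid": 5230},
]
```

Running `detect_shortcut_modification(FILE_EVENTS, PROCESS_EVENTS)` yields a single alert for `update.lnk` carrying four reasons, while the installer's shortcut produces none; UserContextScope would be applied as a pre-filter on the file events before calling the function.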