T1547.009 Shortcut Modification
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
Adversaries may abuse shortcuts in the startup folder to execute their tools and achieve persistence.[1] Although often used as payloads in an infection chain (e.g. Spearphishing Attachment), adversaries may also create a new shortcut as a means of indirection, while also abusing Masquerading to make the malicious shortcut appear as a legitimate program. Adversaries can also edit the target path or entirely replace an existing shortcut so their malware will be executed instead of the intended legitimate program.
Shortcuts can also be abused to establish persistence by implementing other methods. For example, the LNK shortcut that launches a browser may be modified to persistently launch malware, such as a malicious browser extension (see Browser Extensions).
Item | Value |
---|---|
ID | T1547.009 |
Sub-techniques | T1547.001, T1547.002, T1547.003, T1547.004, T1547.005, T1547.006, T1547.007, T1547.008, T1547.009, T1547.010, T1547.012, T1547.013, T1547.014, T1547.015 |
Tactics | TA0003, TA0004 |
Platforms | Windows |
Permissions required | Administrator, User |
Version | 1.2 |
Created | 24 January 2020 |
Last Modified | 30 March 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
G0087 | APT39 | APT39 has modified LNK shortcuts.[36] |
S0373 | Astaroth | Astaroth's initial payload is a malicious .LNK file.[9][10] |
S0031 | BACKSPACE | BACKSPACE achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory.[19] |
S0534 | Bazar | Bazar can establish persistence by writing shortcuts to the Windows Startup folder.[15][16] |
S0089 | BlackEnergy | The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder.[31] |
S0244 | Comnie | Comnie establishes persistence via a .lnk file in the victim's startup path.[21] |
S0363 | Empire | Empire can persist by modifying a .LNK file to include a backdoor.[4] |
S0267 | FELIXROOT | FELIXROOT creates a .LNK file for persistence.[11] |
S0168 | Gazer | Gazer can establish persistence by creating a .lnk file in the Start menu or by modifying existing .lnk files to execute the malware through cmd.exe.[29][30] |
G0078 | Gorgon Group | Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence.[35] |
S0531 | Grandoreiro | Grandoreiro can write or modify browser shortcuts to enable launching of malicious browser extensions.[26] |
S0170 | Helminth | Helminth establishes persistence by creating a shortcut.[7] |
S0260 | InvisiMole | InvisiMole can use a .lnk shortcut for the Control Panel to establish persistence.[13] |
S0265 | Kazuar | Kazuar adds a .lnk file to the Windows startup folder.[8] |
S0356 | KONNI | A version of KONNI drops a Windows shortcut on the victim's machine to establish persistence.[20] |
G0032 | Lazarus Group | Lazarus Group malware has maintained persistence on a system by creating a LNK shortcut in the user's Startup folder.[32] |
G0065 | Leviathan | Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.[33][34] |
S0652 | MarkiRAT | MarkiRAT can modify the shortcut that launches Telegram by replacing its path with the malicious payload to launch with the legitimate executable.[22] |
S0339 | Micropsia | Micropsia creates a shortcut to maintain persistence.[14] |
S0439 | Okrum | Okrum can establish persistence by creating a .lnk shortcut to itself in the Startup folder.[12] |
S0172 | Reaver | Reaver creates a shortcut file and saves it in a Startup folder to establish persistence.[23] |
S0153 | RedLeaves | RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence.[6][5] |
S0270 | RogueRobin | RogueRobin establishes persistence by creating a shortcut (.LNK file) in the Windows startup folder to run a script each time the user logs in.[27][28] |
S0085 | S-Type | S-Type may create the file %HOMEPATH%\Start Menu\Programs\Startup\Realtek {Unique Identifier}.lnk, which points to the malicious msdtc.exe file already created in the %CommonFiles% directory.[25] |
S0053 | SeaDuke | SeaDuke is capable of persisting via a .lnk file stored in the Startup directory.[18] |
S0028 | SHIPSHAPE | SHIPSHAPE achieves persistence by creating a shortcut in the Startup folder.[19] |
S0035 | SPACESHIP | SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder.[19] |
S0058 | SslMM | To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an "Office Start," "Yahoo Talk," "MSN Gaming Z0ne," or "MSN Talk" shortcut.[24] |
S0004 | TinyZBot | TinyZBot can create a shortcut in the Windows startup folder for persistence.[17] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1018 | User Account Management | Limit permissions for who can create symbolic links in Windows to appropriate groups such as Administrators and necessary groups for virtualization. This can be done through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create symbolic links.[3] |
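An added host check (not part of the ATT&CK page) for the M1018 setting above: it exports the local security policy with secedit, reads the holders of SeCreateSymbolicLinkPrivilege (the "Create symbolic links" user right), and marks broad groups that should not hold it. That right governs NTFS symbolic links created with mklink rather than the .lnk shortcut files most procedure examples use, so it complements file-creation monitoring instead of replacing it; the list of "broad" SIDs is an assumption you may tune.

```powershell
# Added example, not from the ATT&CK page: audit who holds "Create symbolic links".
# Run from an elevated PowerShell session; secedit needs administrative rights.
$cfg = Join-Path $env:TEMP 'user-rights-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The exported INF lists each right as:  SeXxxPrivilege = *SID,*SID,...
$line = Get-Content $cfg | Where-Object { $_ -match '^SeCreateSymbolicLinkPrivilege\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue

# Principals that are too broad for this right (assumption: Everyone, Authenticated
# Users, built-in Users, Interactive). Administrators and the Hyper-V virtual machines
# group are the expected holders on a default install.
$broadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')

function Get-SymlinkRightHolders {
    param([string]$PolicyLine)
    if (-not $PolicyLine) { return @() }           # right granted to nobody
    ($PolicyLine -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        ForEach-Object {
            # Resolve the SID to an account name; keep the raw entry if it cannot be resolved.
            try {
                $name = ([System.Security.Principal.SecurityIdentifier]$_).Translate(
                            [System.Security.Principal.NTAccount]).Value
            } catch { $name = $_ }
            [pscustomobject]@{
                SID     = $_
                Account = $name
                Status  = if ($broadSids -contains $_) { 'REVIEW: broad group holds right' } else { 'ok' }
            }
        }
}

Get-SymlinkRightHolders -PolicyLine $line | Format-Table -AutoSize
```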
Detection
ID | Data Source | Data Component |
---|---|---|
DS0022 | File | File Creation |
DS0009 | Process | Process Creation |
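The File Creation and Process Creation data sources above are what a SIEM rule would consume; as an added, single-host triage script that is not part of the ATT&CK page, the following enumerates .lnk files in the per-user and all-users Startup and Start Menu folders, resolves each shortcut's target and arguments through the WScript.Shell COM object, and flags the patterns the procedure examples describe (a script host such as cmd.exe as the target, a target in a user-writable path, a target that no longer exists, or encoded-command arguments). The regular expressions are assumptions for triage and will produce false positives that need review.

```powershell
# Added example (not from the ATT&CK page): triage shortcuts in autostart locations.
$shell = New-Object -ComObject WScript.Shell

# Per-user and all-users Startup folders (launched at logon) plus both Start Menus.
$autostartDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu')
)

# Interpreters and script hosts often placed behind a shortcut (cf. Gazer via cmd.exe).
$hostPattern  = '(?i)\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)\.exe$'
# User-writable directories a shortcut to an installed program rarely targets (assumption).
$userWritable = '(?i)\\(AppData|Temp|Public|Downloads|ProgramData)\\'
# Argument fragments typical of encoded or download-and-run one-liners (assumption).
$argPattern   = '(?i)(-enc|-e\s|iex|downloadstring|http)'

function Get-SuspiciousShortcut {
    param([string[]]$Paths)
    foreach ($dir in $Paths) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)   # resolves TargetPath/Arguments
            $reasons = @()
            if ($lnk.TargetPath -match $hostPattern)  { $reasons += 'target is a script host' }
            if ($lnk.TargetPath -match $userWritable) { $reasons += 'target in user-writable path' }
            if ($lnk.Arguments  -match $argPattern)   { $reasons += 'suspicious arguments' }
            if ($lnk.TargetPath -and -not (Test-Path -LiteralPath $lnk.TargetPath)) {
                $reasons += 'target does not exist (replaced or moved program?)'
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Shortcut  = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                    Modified  = $_.LastWriteTime      # compare with logon/incident timeline
                    Reasons   = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-SuspiciousShortcut -Paths $autostartDirs | Format-List
```

The same heuristics can be applied to Sysmon Event ID 11 (FileCreate) events whose TargetFilename ends in .lnk under a Startup folder, which is the streaming equivalent of this on-demand sweep.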
References
1. Elastic. (n.d.). Shortcut File Written or Modified for Persistence. Retrieved June 1, 2022.
2. French, D., Filar, B. (2020, March 21). A Chain Is No Stronger Than Its Weakest LNK. Retrieved November 30, 2020.
3. UCF. (n.d.). Unauthorized accounts must not have the Create symbolic links user right. Retrieved December 18, 2017.
4. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
5. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
6. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
7. Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
8. Levene, B., et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
9. Doaty, J., Garrett, P. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.
10. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
11. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
12. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
13. Hromcova, Z. and Cherepanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
14. Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018.
15. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
16. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
17. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
18. Grunzweig, J. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.
19. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
20. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
21. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
22. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
23. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.
24. Baumgartner, K., Golovkin, M. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
25. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
26. Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.
27. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
28. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
29. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
30. Kaspersky Lab’s Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
31. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
32. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
33. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
34. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
35. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
36. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.