EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Potential Startup Shortcut Persistence Via PowerShell.EXE

Detects PowerShell writing startup shortcuts. This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"

MITRE ATT&CK

T1547.001
privilege-escalationpersistence

Detection Query

selection:
  Image|endswith:
    - \powershell.exe
    - \pwsh.exe
  TargetFilename|contains: \start menu\programs\startup\
  TargetFilename|endswith: .lnk
condition: selection

Author

Christopher Peacock '@securepeacock', SCYTHE

Created

2021-10-24

Data Sources

windowsFile Events

Platforms

windows

References

Tags

attack.privilege-escalationattack.persistenceattack.t1547.001
Raw Content
title: Potential Startup Shortcut Persistence Via PowerShell.EXE
id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
status: test
description: |
    Detects PowerShell writing startup shortcuts.
    This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.
    Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.
    In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
references:
    - https://redcanary.com/blog/intelligence-insights-october-2021/
    - https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
author: Christopher Peacock '@securepeacock', SCYTHE
date: 2021-10-24
modified: 2023-02-23
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetFilename|contains: '\start menu\programs\startup\'
        TargetFilename|endswith: '.lnk'
    condition: selection
falsepositives:
    - Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware.
level: high