EXPLORE
Sign In
← Back to Explore
T1547.009

Shortcut Modification

Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries may abuse shortcuts in the startup folder to execute their tools and achieve persistence.(Citation: Shortcut for Persistence ) Although often used as payloads in an infection chain (e.g. [Spearphishing Attac...

Windows
6
Detections
2
Sources
4
Threat Actors

BY SOURCE

4sigma2elastic

PROCEDURES (6)

File Monitoring1 detections

Auto-extracted: 1 detections for file monitoring

Unusual1 detections

Auto-extracted: 1 detections for unusual

Persist1 detections

Auto-extracted: 1 detections for persist

Persist1 detections

Auto-extracted: 1 detections for persist

Persist1 detections

Auto-extracted: 1 detections for persist

Unusual1 detections

Auto-extracted: 1 detections for unusual

THREAT ACTORS (4)

APT39Gorgon GroupLazarus GroupLeviathan

DETECTIONS (6)

Creation Exe for Service with Unquoted Path
sigmahigh
Desktop.INI Created by Uncommon Process
sigmamedium
New Custom Shim Database Created
sigmamedium
Persistence via Docker Shortcut Modification
elasticmedium
Persistent Scripts in the Startup Directory
elasticmedium
Windows Network Access Suspicious desktop.ini Action
sigmamedium