Tactics: Persistence, Privilege Escalation

T1547.009: Shortcut Modification

T1547.009 · Sub-technique · 1 platform · 4 groups

Description

Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.

Adversaries may abuse shortcuts in the startup folder to execute their tools and achieve persistence.(Citation: Shortcut for Persistence) Although shortcuts are often used as payloads in an infection chain (e.g. Spearphishing Attachment), adversaries may also create a new shortcut as a means of indirection, while also abusing Masquerading to make the malicious shortcut appear as a legitimate program. Adversaries can also edit the target path of an existing shortcut, or replace the shortcut entirely, so that their malware is executed instead of the intended legitimate program.

Shortcuts can also be abused to establish persistence through other methods. For example, a browser's LNK shortcut may be modified to load a malicious extension (e.g. Browser Extensions) so that malware is launched persistently each time the browser starts.

Platforms

Windows

Mitigations (3)

M1018 User Account Management

Limit Privileges for Shortcut Creation: although SeCreateSymbolicLinkPrivilege does not govern .lnk file creation, least privilege should still be enforced by limiting which users can create and modify shortcuts, especially in system-critical locations. This can be configured through Group Policy: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies >

M1038 Execution Prevention

Application control that allows only authorized applications and scripts to run prevents a malicious shortcut or LNK file from executing unwanted code, because the shortcut's target (or the interpreter it launches) is blocked regardless of where the shortcut lives.

M1022 Restrict File and Directory Permissions

Applying strict permissions to directories where shortcuts are stored, such as the per-user and all-users Startup folders, prevents unauthorized users from creating or modifying the shortcuts that run at logon.
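The audit below is an added defensive example, not code from the ATT&CK page or from any of the projects it lists. It covers the two behaviours the description and mitigations above describe: shortcuts planted in the per-user or all-users Startup folder, and a Startup folder whose permissions let a standard user plant one. It resolves each .lnk through the WScript.Shell COM object (read-only unless `.Save()` is called), prints the target and arguments with review flags, and then lists any broad groups holding write rights on the all-users Startup folder. The trusted-root list, the script-host list and the argument patterns are assumptions to be adapted to a local software baseline.

```powershell
# Added example (not from the ATT&CK page): audit Startup-folder shortcuts (T1547.009)
# and the folder permissions that mitigation M1022 is meant to lock down. Read-only.

$ErrorActionPreference = 'Stop'
$shell = New-Object -ComObject WScript.Shell

# Roots where a legitimately installed logon program is normally expected (assumption;
# extend with your own baseline, e.g. "$env:LOCALAPPDATA\Programs"). A trailing
# backslash stops "C:\Windows" from matching "C:\Windows.evil\...".
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

# Interpreters and proxy binaries that a logon shortcut rarely needs to launch directly.
$scriptHosts = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe',
               'mshta.exe', 'rundll32.exe', 'regsvr32.exe'

function Get-StartupShortcutReport {
    param([string[]] $Directories = @(
        [Environment]::GetFolderPath('Startup'),        # %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
        [Environment]::GetFolderPath('CommonStartup')   # %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup
    ))

    foreach ($dir in $Directories) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($file in Get-ChildItem -LiteralPath $dir -Filter *.lnk -File) {
            $flags = @(); $target = ''; $lnkArgs = ''
            try {
                # CreateShortcut only parses an existing .lnk; nothing is written without .Save().
                $lnk = $shell.CreateShortcut($file.FullName)
                $target  = if ($lnk.TargetPath) { [Environment]::ExpandEnvironmentVariables($lnk.TargetPath) } else { '' }
                $lnkArgs = [string]$lnk.Arguments
            } catch {
                $flags += 'unreadable shortcut'
            }

            if (-not $target) {
                $flags += 'empty target'
            } else {
                if (-not (Test-Path -LiteralPath $target)) { $flags += 'target does not exist' }
                if (-not ($trustedRoots | Where-Object { $target.StartsWith($_, 'OrdinalIgnoreCase') })) {
                    $flags += 'target outside Program Files/Windows'
                }
                if ($scriptHosts -contains [IO.Path]::GetFileName($target).ToLowerInvariant()) {
                    $flags += 'target is a script host or proxy binary'
                }
            }
            # Encoded, hidden-window or download-and-run command lines are worth a look whatever the target.
            if ($lnkArgs -match '(?i)(-enc|-e |encodedcommand|bypass|-w(indowstyle)? hidden|iex|downloadstring|invoke-webrequest)') {
                $flags += 'suspicious arguments'
            }
            # Long whitespace runs push the real command past the right edge of the Properties dialog.
            if ($lnkArgs -match '\s{20,}') { $flags += 'padded arguments' }

            [pscustomobject]@{
                Shortcut  = $file.FullName
                Target    = $target
                Arguments = $lnkArgs
                Modified  = $file.LastWriteTime
                Flags     = ($flags -join '; ')
            }
        }
    }
}

function Get-StartupFolderWritableBy {
    # ACEs on the all-users Startup folder that grant write or modify rights to broad
    # principals: exactly the condition that lets a standard user plant a logon shortcut.
    param([string] $Path = [Environment]::GetFolderPath('CommonStartup'))
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    $writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Modify, FullControl'
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broad -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights) -band ([int]$writeMask)) -ne 0
        } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

Get-StartupShortcutReport  | Format-Table -AutoSize -Wrap
Get-StartupFolderWritableBy | Format-Table -AutoSize
```

Flags are review hints rather than verdicts: software installed under a user profile will trip the trusted-root check, so the point of the report is to compare each Startup entry against what is known to be installed on that host and to treat recently modified entries, or a Telegram-style shortcut whose target has quietly changed, as the ones to inspect first. Running the second function with `-Path` set to the user's own Startup folder shows only that user's rights, which is expected; the all-users folder is the one that should not be writable by Users or Everyone.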

Threat Groups (4)

| ID | Group | Context |
| --- | --- | --- |
| G0087 | APT39 | [APT39](https://attack.mitre.org/groups/G0087) has modified LNK shortcuts.(Citation: FireEye APT39 Jan 2019) |
| G0065 | Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoo... |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) malware has maintained persistence on a system by creating a LNK shortcut in the user's Startup... |
| G0078 | Gorgon Group | [Gorgon Group](https://attack.mitre.org/groups/G0078) malware can create a .lnk file and add a Registry Run key to establish persistence.(Citation: Un... |

Associated Software (25)

| ID | Name | Type | Context |
| --- | --- | --- | --- |
| S0270 | RogueRobin | Malware | [RogueRobin](https://attack.mitre.org/software/S0270) establishes persistence by creating a shortcut (.LNK file) in the Windows startup folder to run ... |
| S0153 | RedLeaves | Malware | [RedLeaves](https://attack.mitre.org/software/S0153) attempts to add a shortcut file in the Startup folder to achieve persistence.(Citation: PWC Cloud... |
| S0439 | Okrum | Malware | [Okrum](https://attack.mitre.org/software/S0439) can establish persistence by creating a .lnk shortcut to itself in the Startup folder.(Citation: ESET... |
| S0172 | Reaver | Malware | [Reaver](https://attack.mitre.org/software/S0172) creates a shortcut file and saves it in a Startup folder to establish persistence.(Citation: Palo Al... |
| S0531 | Grandoreiro | Malware | [Grandoreiro](https://attack.mitre.org/software/S0531) can write or modify browser shortcuts to enable launching of malicious browser extensions.(Cita... |
| S0170 | Helminth | Malware | [Helminth](https://attack.mitre.org/software/S0170) establishes persistence by creating a shortcut.(Citation: Palo Alto OilRig May 2016) |
| S0652 | MarkiRAT | Malware | [MarkiRAT](https://attack.mitre.org/software/S0652) can modify the shortcut that launches Telegram by replacing its path with the malicious payload to... |
| S0339 | Micropsia | Malware | [Micropsia](https://attack.mitre.org/software/S0339) creates a shortcut to maintain persistence.(Citation: Talos Micropsia June 2017) |
| S0058 | SslMM | Malware | To establish persistence, [SslMM](https://attack.mitre.org/software/S0058) identifies the Start Menu Startup directory and drops a link to its own exe... |
| S0244 | Comnie | Malware | [Comnie](https://attack.mitre.org/software/S0244) establishes persistence via a .lnk file in the victim's startup path.(Citation: Palo Alto Comnie) |
| S0168 | Gazer | Malware | [Gazer](https://attack.mitre.org/software/S0168) can establish persistence by creating a .lnk file in the Start menu or by modifying existing .lnk fil... |
| S0089 | BlackEnergy | Malware | The [BlackEnergy](https://attack.mitre.org/software/S0089) 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the... |
| S0035 | SPACESHIP | Malware | [SPACESHIP](https://attack.mitre.org/software/S0035) achieves persistence by creating a shortcut in the current user's Startup folder.(Citation: FireE... |
| S0004 | TinyZBot | Malware | [TinyZBot](https://attack.mitre.org/software/S0004) can create a shortcut in the Windows startup folder for persistence.(Citation: Cylance Cleaver) |
| S0373 | Astaroth | Malware | [Astaroth](https://attack.mitre.org/software/S0373)'s initial payload is a malicious .LNK file.(Citation: Cofense Astaroth Sept 2018)(Citation: Cyber... |
| S0085 | S-Type | Malware | [S-Type](https://attack.mitre.org/software/S0085) may create the file `%HOMEPATH%\Start Menu\Programs\Startup\Realtek {Unique Identifier}.lnk`... |
| S0028 | SHIPSHAPE | Malware | [SHIPSHAPE](https://attack.mitre.org/software/S0028) achieves persistence by creating a shortcut in the Startup folder.(Citation: FireEye APT30) |
| S0031 | BACKSPACE | Malware | [BACKSPACE](https://attack.mitre.org/software/S0031) achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory.(Citation: F... |
| S0053 | SeaDuke | Malware | [SeaDuke](https://attack.mitre.org/software/S0053) is capable of persisting via a .lnk file stored in the Startup directory.(Citation: Unit 42 SeaDuke... |
| S0260 | InvisiMole | Malware | [InvisiMole](https://attack.mitre.org/software/S0260) can use a .lnk shortcut for the Control Panel to establish persistence.(Citation: ESET InvisiMol... |

Frequently Asked Questions

What is T1547.009 (Shortcut Modification)?

T1547.009 is a MITRE ATT&CK sub-technique named 'Shortcut Modification'. It belongs to the Persistence and Privilege Escalation tactics. Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or...

How can T1547.009 be detected?

Detection of T1547.009 (Shortcut Modification) typically involves monitoring system logs and endpoint telemetry for shortcut files being created or modified, and correlating that with the programs those shortcuts launch at boot or logon. SIEM rules, EDR solutions, and behavioral analytics can be used to identify suspicious activity associated with this technique.

What mitigations exist for T1547.009?

There are 3 documented mitigations for T1547.009. Key mitigations include: User Account Management, Execution Prevention, Restrict File and Directory Permissions.

Which threat groups use T1547.009?

Known threat groups using T1547.009 include: APT39, Leviathan, Lazarus Group, Gorgon Group.