Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
Adversaries may abuse shortcuts in the startup folder to execute their tools and achieve persistence.[1] Although often used as payloads in an infection chain (e.g. Spearphishing Attachment), adversaries may also create a new shortcut as a means of indirection, while also abusing Masquerading to make the malicious shortcut appear as a legitimate program. Adversaries can also edit the target path or entirely replace an existing shortcut so their malware will be executed instead of the intended legitimate program.
Shortcuts can also be abused to establish persistence by implementing other methods. For example, LNK browser extensions may be modified (e.g. Browser Extensions) to persistently launch malware.
ID | Name | Description |
---|---|---|
G0087 | APT39 | |
S0373 | Astaroth | |
S0031 | BACKSPACE |
BACKSPACE achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory.[5] |
S0534 | Bazar |
Bazar can establish persistence by writing shortcuts to the Windows Startup folder.[6][7] |
S0089 | BlackEnergy |
The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder.[8] |
S0244 | Comnie |
Comnie establishes persistence via a .lnk file in the victim’s startup path.[9] |
S0363 | Empire |
Empire can persist by modifying a .LNK file to include a backdoor.[10] |
S0267 | FELIXROOT | |
S0168 | Gazer |
Gazer can establish persistence by creating a .lnk file in the Start menu or by modifying existing .lnk files to execute the malware through cmd.exe.[12][13] |
G0078 | Gorgon Group |
Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence.[14] |
S0531 | Grandoreiro |
Grandoreiro can write or modify browser shortcuts to enable launching of malicious browser extensions.[15] |
S0170 | Helminth |
Helminth establishes persistence by creating a shortcut.[16] |
S0260 | InvisiMole |
InvisiMole can use a .lnk shortcut for the Control Panel to establish persistence.[17] |
S0265 | Kazuar | |
S0356 | KONNI |
A version of KONNI drops a Windows shortcut on the victim’s machine to establish persistence.[19] |
G0032 | Lazarus Group |
Lazarus Group malware has maintained persistence on a system by creating a LNK shortcut in the user’s Startup folder.[20][21] |
G0065 | Leviathan |
Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.[22][23] |
S0652 | MarkiRAT |
MarkiRAT can modify the shortcut that launches Telegram by replacing its path with the malicious payload to launch with the legitimate executable.[24] |
S0339 | Micropsia | |
S0439 | Okrum |
Okrum can establish persistence by creating a .lnk shortcut to itself in the Startup folder.[26] |
S0172 | Reaver |
Reaver creates a shortcut file and saves it in a Startup folder to establish persistence.[27] |
S0153 | RedLeaves |
RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence.[28][29] |
S0270 | RogueRobin |
RogueRobin establishes persistence by creating a shortcut (.LNK file) in the Windows startup folder to run a script each time the user logs in.[30][31] |
S0085 | S-Type |
S-Type may create the file |
S0053 | SeaDuke |
SeaDuke is capable of persisting via a .lnk file stored in the Startup directory.[33] |
S0028 | SHIPSHAPE |
SHIPSHAPE achieves persistence by creating a shortcut in the Startup folder.[5] |
S0035 | SPACESHIP |
SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder.[5] |
S0058 | SslMM |
To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an "Office Start," "Yahoo Talk," "MSN Gaming Z0ne," or "MSN Talk" shortcut.[34] |
S0004 | TinyZBot |
TinyZBot can create a shortcut in the Windows startup folder for persistence.[35] |
ID | Mitigation | Description |
---|---|---|
M1018 | User Account Management |
Limit permissions for who can create symbolic links in Windows to appropriate groups such as Administrators and necessary groups for virtualization. This can be done through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create symbolic links. [36] |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0022 | File | File Creation |
Monitor for LNK files created with a Zone Identifier value greater than 1, which may indicate that the LNK file originated from outside of the network.[37] Analysis should attempt to relate shortcut creation events to other potentially suspicious events based on known adversary behavior such as process launches of unknown executables that make network connections. |
File Modification |
Since a shortcut's target path likely will not change, modifications to shortcut files that do not correlate with known software changes, patches, removal, etc., may be suspicious. Analysis should attempt to relate shortcut file change events to other potentially suspicious events based on known adversary behavior such as process launches of unknown executables that make network connections. |
||
DS0009 | Process | Process Creation |
Monitor for newly executed processes that may create or edit shortcuts to run a program during system boot or user login. |