Adversaries may create or edit shortcuts to run a program during system boot or user login. Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use Masquerading to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.
ID | Name | Description |
---|---|---|
G0016 | APT29 | |
G0087 | APT39 | |
S0373 | Astaroth | |
S0031 | BACKSPACE |
BACKSPACE achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory.[5] |
S0534 | Bazar |
Bazar can establish persistence by writing shortcuts to the Windows Startup folder.[6][7] |
S0089 | BlackEnergy |
The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder.[8] |
S0244 | Comnie |
Comnie establishes persistence via a .lnk file in the victim’s startup path.[9] |
G0012 | Darkhotel |
Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file.[10] |
G0035 | Dragonfly |
Dragonfly has manipulated .lnk files to gather user credentials in conjunction with Forced Authentication.[11] |
S0363 | Empire |
Empire can persist by modifying a .LNK file to include a backdoor.[12] |
S0267 | FELIXROOT | |
S0168 | Gazer |
Gazer can establish persistence by creating a .lnk file in the Start menu or by modifying existing .lnk files to execute the malware through cmd.exe.[14][15] |
G0078 | Gorgon Group |
Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence.[16] |
S0531 | Grandoreiro |
Grandoreiro can write or modify browser shortcuts to enable launching of malicious browser extensions.[17] |
S0170 | Helminth |
Helminth establishes persistence by creating a shortcut.[18] |
S0260 | InvisiMole |
InvisiMole can use a .lnk shortcut for the Control Panel to establish persistence.[19] |
S0265 | Kazuar | |
S0356 | KONNI |
A version of KONNI drops a Windows shortcut on the victim’s machine to establish persistence.[21] |
G0032 | Lazarus Group |
Lazarus Group malware has maintained persistence on a system by creating a LNK shortcut in the user’s Startup folder.[22][23] |
G0065 | Leviathan |
Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.[24][25] |
S0652 | MarkiRAT |
MarkiRAT can modify the shortcut that launches Telegram by replacing its path with the malicious payload to launch with the legitimate executable.[26] |
S0339 | Micropsia | |
S0439 | Okrum |
Okrum can establish persistence by creating a .lnk shortcut to itself in the Startup folder.[28] |
S0172 | Reaver |
Reaver creates a shortcut file and saves it in a Startup folder to establish persistence.[29] |
S0153 | RedLeaves |
RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence.[30][31] |
S0270 | RogueRobin |
RogueRobin establishes persistence by creating a shortcut (.LNK file) in the Windows startup folder to run a script each time the user logs in.[32][33] |
S0085 | S-Type |
S-Type may create the file |
S0053 | SeaDuke |
SeaDuke is capable of persisting via a .lnk file stored in the Startup directory.[35] |
S0028 | SHIPSHAPE |
SHIPSHAPE achieves persistence by creating a shortcut in the Startup folder.[5] |
S0035 | SPACESHIP |
SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder.[5] |
S0058 | SslMM |
To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an "Office Start," "Yahoo Talk," "MSN Gaming Z0ne," or "MSN Talk" shortcut.[36] |
S0603 | Stuxnet |
Stuxnet used copies of .lnk shortcuts to propagate through removable media.[37] |
S0004 | TinyZBot |
TinyZBot can create a shortcut in the Windows startup folder for persistence.[38] |
ID | Mitigation | Description |
---|---|---|
M1018 | User Account Management |
Limit permissions for who can create symbolic links in Windows to appropriate groups such as Administrators and necessary groups for virtualization. This can be done through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create symbolic links. [39] |
ID | Data Source | Data Component |
---|---|---|
DS0022 | File | File Creation |
File Modification | ||
DS0009 | Process | Process Creation |
Since a shortcut's target path likely will not change, modifications to shortcut files that do not correlate with known software changes, patches, removal, etc., may be suspicious. Analysis should attempt to relate shortcut file change or creation events to other potentially suspicious events based on known adversary behavior such as process launches of unknown executables that make network connections.
Monitor for LNK files created with a Zone Identifier value greater than 1, which may indicate that the LNK file originated from outside of the network.[40]