- Tactics
- Persistence , Privilege Escalation
- Platforms
- Windows
- Reference
- attack.mitre.org/techniques/T1547.009
Description
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
Adversaries may abuse shortcuts in the startup folder to execute their tools and achieve persistence.(Citation: Shortcut for Persistence ) Although often used as payloads in an infection chain (e.g. Spearphishing Attachment), adversaries may also create a new shortcut as a means of indirection, while also abusing Masquerading to make the malicious shortcut appear as a legitimate program. Adversaries can also edit the target path or entirely replace an existing shortcut so their malware will be executed instead of the intended legitimate program.
Shortcuts can also be abused to establish persistence by implementing other methods. For example, LNK browser extensions may be modified (e.g. Browser Extensions) to persistently launch malware.
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the Persistence, Privilege Escalation tactic this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1037 — Boot or Logon Initialization Scripts
- T1053 — Scheduled Task/Job
- T1055 — Process Injection
- T1068 — Exploitation for Privilege Escalation
- T1078 — Valid Accounts
- T1098 — Account Manipulation
- T1112 — Modify Registry
- T1133 — External Remote Services
- T1134 — Access Token Manipulation
- T1136 — Create Account
- T1137 — Office Application Startup
- T1176 — Software Extensions