Shortcut Modification

Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use Masquerading to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.

ID: T1023
Tactic: Persistence
Platform: Windows
Permissions Required: User, Administrator
Data Sources: File monitoring, Process monitoring, Process command-line parameters
CAPEC ID: CAPEC-132
Contributors: Travis Smith, Tripwire
Version: 1.0

Procedure Examples

Name Description
APT29

APT29 drops a Windows shortcut file for execution.[29]

APT39

APT39 has modified LNK shortcuts.[30]

Astaroth

Astaroth's initial payload is a malicious .LNK file.(Citation :Cybereason Astaroth Feb 2019)[21]

BACKSPACE

BACKSPACE achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory.[11]

BlackEnergy

The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder.[6]

Comnie

Comnie establishes persistence via a .lnk file in the victim’s startup path.[16]

Darkhotel

Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file.[28]

Dragonfly 2.0

Dragonfly 2.0 manipulated .lnk files to gather user credentials in conjunction with Forced Authentication.[27]

Empire

Empire can persist by modifying a .LNK file to include a backdoor.[1]

FELIXROOT

FELIXROOT creates a .LNK file for persistence.[15]

FIN7

FIN7 created several .LNK files on the victim's machine.[23]

Gazer

Gazer can establish persistence by creating a .lnk file in the Start menu or by modifying existing .lnk files to execute the malware through cmd.exe.[12][13]

Gorgon Group

Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence.[22]

Helminth

Helminth establishes persistence by creating a shortcut.[10]

Kazuar

Kazuar adds a .lnk file to the Windows startup folder.[4]

KONNI

A version of KONNI drops a Windows shortcut on the victim’s machine to establish persistence.[14]

Lazarus Group

A Lazarus Group malware sample adds persistence on the system by creating a shortcut in the user’s Startup folder.[26]

Leviathan

Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.[24][25]

Micropsia

Micropsia creates a shortcut to maintain persistence.[20]

Reaver

Reaver creates a shortcut file and saves it in a Startup folder to establish persistence.[17]

RedLeaves

RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence.[18][19]

RogueRobin

RogueRobin establishes persistence by creating a shortcut (.LNK file) in the Windows startup folder to run a script each time the user logs in.[2][3]

S-Type

S-Type may create the file %HOMEPATH%\Start Menu\Programs\Startup\Realtek {{Unique Identifier}}.lnk, which points to the malicious msdtc.exe file already created in the %CommonFiles% directory.[5]

SeaDuke

SeaDuke is capable of persisting via a .lnk file stored in the Startup directory.[7]

SHIPSHAPE

SHIPSHAPE achieves persistence by creating a shortcut in the Startup folder.[11]

SPACESHIP

SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder.[11]

SslMM

To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an "Office Start," "Yahoo Talk," "MSN Gaming Z0ne," or "MSN Talk" shortcut.[9]

TinyZBot

TinyZBot can create a shortcut in the Windows startup folder for persistence.[8]

Mitigations

Mitigation Description
User Account Management

Limit permissions for who can create symbolic links in Windows to appropriate groups such as Administrators and necessary groups for virtualization. This can be done through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create symbolic links.

Detection

Since a shortcut's target path likely will not change, modifications to shortcut files that do not correlate with known software changes, patches, removal, etc., may be suspicious. Analysis should attempt to relate shortcut file change or creation events to other potentially suspicious events based on known adversary behavior such as process launches of unknown executables that make network connections.

References

  1. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  2. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  3. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
  4. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  5. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  6. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  7. Grunzweig, J.. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.
  8. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
  9. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  10. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  11. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  12. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
  13. Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
  14. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  15. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  1. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
  2. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.
  3. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  4. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
  5. Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018.
  6. Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.
  7. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  8. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
  9. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  10. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  11. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
  12. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  13. Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018.
  14. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
  15. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.