Shortcut Modification

Technique: Shortcut Modification
ID: T1023
Tactic: Persistence
Platform: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10
Permissions Required: User, Administrator
Data Sources: File monitoring, Process command-line parameters, Process monitoring

Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use Masquerading to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.

Examples

  • BACKSPACE achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory.[1]
  • The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder.[2]
  • S-Type may create the file %HOMEPATH%\Start Menu\Programs\Startup\Realtek {Unique Identifier}.lnk, which points to the malicious msdtc.exe file already created in the %CommonFiles% directory.[3]
  • SHIPSHAPE achieves persistence by creating a shortcut in the Startup folder.[1]
  • SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder.[1]
  • SeaDuke is capable of persisting via a .lnk file stored in the Startup directory.[4]
  • To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an “Office Start,” “Yahoo Talk,” “MSN Gaming Z0ne,” or “MSN Talk” shortcut.[5]
  • TinyZBot can create a shortcut in the Windows startup folder for persistence.[6]

Mitigation

Identify and block unknown, potentially malicious software that may be executed through shortcut modification by using whitelisting[7] tools, like AppLocker,[8][9] or Software Restriction Policies[10] where appropriate.[11]

Detection

Since a shortcut's target path likely will not change, modifications to shortcut files that do not correlate with known software changes, patches, removal, etc., may be suspicious. Analysis should attempt to relate shortcut file change or creation events to other potentially suspicious events based on known adversary behavior such as process launches of unknown executables that make network connections.