Shortcut Modification

From ATT&CK
Technique
ID: T1023
Tactic: Persistence
Platform: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1
Permissions Required: User, Administrator
Data Sources: File monitoring, Process command-line parameters, Process monitoring

Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use Masquerading to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.

Examples

  • APT29 used .lnk files to establish persistence. [1]
  • TinyZBot can create a shortcut in the Windows startup folder for persistence. [2]
  • SHIPSHAPE achieves persistence by creating a shortcut in the Startup folder. [3]
  • BACKSPACE achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory. [3]
  • SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder. [3]
  • SeaDuke is capable of persisting via a .lnk file stored in the Startup directory. [4]
  • To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an “Office Start,” “Yahoo Talk,” “MSN Gaming Z0ne,” or “MSN Talk” shortcut. [5]
  • S-Type may create the file %HOMEPATH%\Start Menu\Programs\Startup\Realtek {Unique Identifier}.lnk, which points to the malicious msdtc.exe file already created in the %CommonFiles% directory. [6]
  • The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder. [7]

Mitigation

Identify and block unknown, potentially malicious software that may be executed through shortcut modification by using whitelisting [8] tools, like AppLocker [9][10], or Software Restriction Policies [11] where appropriate. [12]

Detection

Since a shortcut's target path likely will not change, modifications to shortcut files that do not correlate with known software changes, patches, removal, etc., may be suspicious. Analysis should attempt to relate shortcut file change or creation events to other potentially suspicious events based on known adversary behavior such as process launches of unknown executables that make network connections.
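One way to put the detection guidance above into practice, as an added example that is not part of the ATT&CK page: resolve the target of every .lnk file in the per-user and all-users Startup folders, record when each shortcut was last written (to correlate with known software changes), and flag targets that resolve outside the usual program directories for review. It assumes a Windows host where the WScript.Shell COM object is available; the "expected roots" list is a constructed baseline, not part of the page.

```powershell
# Added example (not ATT&CK's own code): audit Startup-folder shortcuts.
# For each .lnk, resolve its target and arguments, note the last write time,
# and flag targets living outside the expected program directories.

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Constructed baseline: where legitimate startup targets are normally installed.
$expectedRoots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    "$env:SystemRoot\System32"
) | Where-Object { $_ }

$shell = New-Object -ComObject WScript.Shell

function Test-ExpectedTarget {
    param([string]$Path)
    foreach ($root in $expectedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -File | ForEach-Object {
        $lnk    = $shell.CreateShortcut($_.FullName)   # reads TargetPath/Arguments from the .lnk
        $target = [Environment]::ExpandEnvironmentVariables($lnk.TargetPath)
        [pscustomobject]@{
            Shortcut      = $_.FullName
            LastWriteTime = $_.LastWriteTime              # compare with patch/install timelines
            Target        = $target
            Arguments     = $lnk.Arguments                # unusual switches are worth a second look
            TargetExists  = if ($target) { Test-Path -LiteralPath $target } else { $false }
            Review        = -not (Test-ExpectedTarget $target)   # $true = outside expected roots
        }
    }
}

$findings | Sort-Object Review -Descending | Format-Table -AutoSize
```

Rows with Review set to $true are candidates to correlate with process-creation and network events for the resolved target, as the text suggests; a recent LastWriteTime that matches no known software change is the other signal to look for.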