Shortcut Modification

Technique
ID: T1023
Tactic: Persistence
Platform: Windows
Permissions Required: User, Administrator
Data Sources: File monitoring, Process command-line parameters, Process monitoring
Contributors: Travis Smith, Tripwire

Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use Masquerading to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.

Examples

  • A Lazarus Group malware sample adds persistence on the system by creating a shortcut in the user’s Startup folder.[1]
  • Leviathan has used a JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.[2][3]
  • BACKSPACE achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory.[4]
  • The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder.[5]
  • Gazer can establish persistence by creating a .lnk file in the Start menu or by modifying existing .lnk files to execute the malware through cmd.exe.[6][7]
  • Helminth establishes persistence by creating a shortcut.[8]
  • Reaver creates a shortcut file and saves it in a Startup folder to establish persistence.[9]
  • S-Type may create the file %HOMEPATH%\Start Menu\Programs\Startup\Realtek {Unique Identifier}.lnk, which points to the malicious msdtc.exe file already created in the %CommonFiles% directory.[10]
  • SHIPSHAPE achieves persistence by creating a shortcut in the Startup folder.[4]
  • SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder.[4]
  • SeaDuke is capable of persisting via a .lnk file stored in the Startup directory.[11]
  • To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an “Office Start,” “Yahoo Talk,” “MSN Gaming Z0ne,” or “MSN Talk” shortcut.[12]
  • TinyZBot can create a shortcut in the Windows startup folder for persistence.[13]

Mitigation

Limit permissions for who can create symbolic links in Windows to appropriate groups such as Administrators and necessary groups for virtualization. This can be done through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create symbolic links.[14]

Identify and block unknown, potentially malicious software that may be executed through shortcut modification by using whitelisting[15] tools, like AppLocker,[16][17] or Software Restriction Policies[18] where appropriate.[19]

Detection

Since a shortcut's target path likely will not change, modifications to shortcut files that do not correlate with known software changes, patches, removal, etc., may be suspicious. Analysis should attempt to relate shortcut file change or creation events to other potentially suspicious events based on known adversary behavior such as process launches of unknown executables that make network connections.
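As an added example (not part of the ATT&CK page), the following Python parses the StringData section of a Windows Shell Link (.lnk) file to recover its relative target path, working directory and command-line arguments, then diffs a baselined copy of a shortcut against its current content so that the kind of target or argument change described above stands out. The build_lnk helper and the two sample shortcuts are constructed for the demo; real files would be read from the Startup folders.

```python
import struct

# Shell Link CLSID {00021401-0000-0000-C000-000000000046}, stored little-endian in the header.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FLAG_IDLIST, FLAG_LINKINFO, FLAG_UNICODE = 0x01, 0x02, 0x80
# LinkFlags bits that announce StringData fields, in the order they appear in the file.
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))

def parse_lnk(data):
    """Return the StringData fields (relative target, working dir, args, ...) of a .lnk blob."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = 76                                   # fixed-size ShellLinkHeader
    if flags & FLAG_IDLIST:                    # skip LinkTargetIDList: uint16 size + items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & FLAG_LINKINFO:                  # skip LinkInfo: its uint32 size includes itself
        off += struct.unpack_from("<I", data, off)[0]
    width, enc = (2, "utf-16-le") if flags & FLAG_UNICODE else (1, "cp1252")
    fields = {}
    for bit, name in STRING_FIELDS:            # each string: uint16 char count, then chars
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            fields[name] = data[off:off + count * width].decode(enc)
            off += count * width
    return fields

def build_lnk(relative_path, working_dir, arguments=""):
    """Constructed minimal .lnk (header + Unicode StringData only), for the demo."""
    flags = 0x08 | 0x10 | FLAG_UNICODE | (0x20 if arguments else 0)
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + b"\x00" * 52
    body = b""
    for s in (relative_path, working_dir) + ((arguments,) if arguments else ()):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body

def shortcut_changes(baseline, current):
    """Diff a baselined shortcut against its current bytes; returns {field: (old, new)}."""
    old, new = parse_lnk(baseline), parse_lnk(current)
    return {k: (old.get(k), new.get(k)) for k in set(old) | set(new) if old.get(k) != new.get(k)}

if __name__ == "__main__":
    # Constructed sample: a vendor shortcut whose target was later redirected through cmd.exe.
    good = build_lnk(".\\App\\updater.exe", "C:\\Program Files\\App")
    tampered = build_lnk("..\\..\\Windows\\System32\\cmd.exe", "C:\\Users\\Public", "/c suspect.exe")
    for field, (was, now) in shortcut_changes(good, tampered).items():
        print(f"{field}: {was!r} -> {now!r}")
```

A change report that is not matched by a known install, patch or removal is the signal the Detection text describes; correlate it with the process and network events of whatever the new target launches.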

References