Potential Startup Shortcut Persistence Via PowerShell.EXE

Detects PowerShell writing startup shortcuts. This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"

Sigma rule (View on GitHub)

 1title: Potential Startup Shortcut Persistence Via PowerShell.EXE
 2id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
 3status: test
 4description: |
 5    Detects PowerShell writing startup shortcuts.
 6    This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.
 7    Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.
 8    In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"    
 9references:
10    - https://redcanary.com/blog/intelligence-insights-october-2021/
11    - https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
12author: Christopher Peacock '@securepeacock', SCYTHE
13date: 2021-10-24
14modified: 2023-02-23
15tags:
16    - attack.persistence
17    - attack.t1547.001
18logsource:
19    product: windows
20    category: file_event
21detection:
22    selection:
23        Image|endswith:
24            - '\powershell.exe'
25            - '\pwsh.exe'
26        TargetFilename|contains: '\start menu\programs\startup\'
27        TargetFilename|endswith: '.lnk'
28    condition: selection
29falsepositives:
30    - Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware.
31level: high

References

Related rules

to-top