Potential Startup Shortcut Persistence Via PowerShell.EXE
Detects PowerShell writing startup shortcuts. This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
Sigma rule (View on GitHub)
1title: Potential Startup Shortcut Persistence Via PowerShell.EXE
2id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
3status: test
4description: |
5 Detects PowerShell writing startup shortcuts.
6 This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.
7 Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.
8 In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
9references:
10 - https://redcanary.com/blog/intelligence-insights-october-2021/
11 - https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
12author: Christopher Peacock '@securepeacock', SCYTHE
13date: 2021-10-24
14modified: 2023-02-23
15tags:
16 - attack.persistence
17 - attack.t1547.001
18logsource:
19 product: windows
20 category: file_event
21detection:
22 selection:
23 Image|endswith:
24 - '\powershell.exe'
25 - '\pwsh.exe'
26 TargetFilename|contains: '\start menu\programs\startup\'
27 TargetFilename|endswith: '.lnk'
28 condition: selection
29falsepositives:
30 - Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware.
31level: high
References
-
Yellow Cockatoo takes flight again, ZLoader changes tactics, BlackByte emerges, and Conti demonstrates ransomware is not gone.
Read More -
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Classes Autorun Keys Modification
- Common Autorun Keys Modification
- CurrentControlSet Autorun Keys Modification
- CurrentVersion Autorun Keys Modification
- CurrentVersion NT Autorun Keys Modification