Potential Startup Shortcut Persistence Via PowerShell.EXE
Detects PowerShell writing startup shortcuts. This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
Sigma rule
```yaml
title: Potential Startup Shortcut Persistence Via PowerShell.EXE
id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
status: test
description: |
    Detects PowerShell writing startup shortcuts.
    This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.
    Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.
    In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
references:
    - https://redcanary.com/blog/intelligence-insights-october-2021/
    - https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
author: Christopher Peacock '@securepeacock', SCYTHE
date: 2021-10-24
modified: 2023-02-23
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetFilename|contains: '\start menu\programs\startup\'
        TargetFilename|endswith: '.lnk'
    condition: selection
falsepositives:
    - Depending on your environment, accepted applications may leverage this at times. It is recommended to search for anomalies indicative of malware.
level: high
```
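To show what the selection above actually matches, here is an added example (not part of the Sigma rule or the Sigma project) that applies the rule's three field conditions to constructed Sysmon-style file creation records. It assumes the log fields are named `Image` and `TargetFilename` as in the rule, and mirrors Sigma's case-insensitive `endswith`/`contains` modifiers so that a path written in upper case under the all-users Startup folder is still caught.

```python
# Added example: evaluates this page's Sigma selection against constructed
# file_event records (Sysmon Event ID 11 style, fields Image/TargetFilename).
# Not part of the rule or the Sigma project; it mirrors Sigma's
# case-insensitive string modifiers for this one rule only.
from typing import Dict, List

IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")      # Image|endswith
STARTUP_FRAGMENT = "\\start menu\\programs\\startup\\"   # TargetFilename|contains
SHORTCUT_SUFFIX = ".lnk"                                # TargetFilename|endswith


def matches_startup_shortcut_rule(event: Dict[str, str]) -> bool:
    """True when every field of the rule's selection is satisfied.

    Sigma compares strings case-insensitively, so both sides are lower-cased.
    """
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    return (image.endswith(IMAGE_SUFFIXES)
            and STARTUP_FRAGMENT in target
            and target.endswith(SHORTCUT_SUFFIX))


def find_alerts(events: List[Dict[str, str]]) -> List[str]:
    """Run the rule over a batch and return the target paths that alert."""
    return [e["TargetFilename"] for e in events if matches_startup_shortcut_rule(e)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {  # pwsh writing a .lnk into the per-user Startup folder: alerts
        "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
    },
    {  # Explorer creating a shortcut there: outside the Image filter
        "Image": "C:\\Windows\\explorer.exe",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Notes.lnk",
    },
    {  # PowerShell writing a non-.lnk file into Startup: no alert
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\readme.txt",
    },
    {  # Upper-case path under the all-users Startup folder: still alerts
        "Image": "C:\\WINDOWS\\SYSTEM32\\WINDOWSPOWERSHELL\\V1.0\\POWERSHELL.EXE",
        "TargetFilename": "C:\\PROGRAMDATA\\MICROSOFT\\WINDOWS\\START MENU\\PROGRAMS\\STARTUP\\SVC.LNK",
    },
]

if __name__ == "__main__":
    for path in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", path)
```

The second and third records illustrate the false-positive note in the rule from the other direction: a benign shortcut written by Explorer and a non-shortcut file written by PowerShell both stay silent, so triage effort concentrates on PowerShell-authored `.lnk` files only.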
Related rules
- CurrentControlSet Autorun Keys Modification
- Direct Autorun Keys Modification
- File Creation In Suspicious Directory By Msdt.EXE
- Forest Blizzard APT - Custom Protocol Handler Creation
- Forest Blizzard APT - Custom Protocol Handler DLL Registry Set