CYBERSECURITY JOB HUNTING GUIDE
T1547.009 Boot or Logon Autostart Execution: Shortcut Modification
Author: Stefan Waldvogel
LimaCharlie vs. Account Manipulation
Overview:
Description from ATT&CK
Adversaries may create or edit shortcuts to run a program during system boot or user login. Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use Masquerading to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.
Source: github.com/redcanaryco/atomic-red-team/tree/master/atomics
Commands:
Invoke-AtomicTest T1547.009 -ShowDetailsBrief
Invoke-AtomicTest T1547.009 -CheckPrereqs
Invoke-AtomicTest T1547.009 -GetPrereqs
Invoke-AtomicTest T1547.009 -TestNumbers 1
Invoke-AtomicTest T1547.009 -Cleanup
Changes:
-none-
Limitations:
-none-
Results:
This section has 2 subtests.
Invoke-AtomicTest T1547.009 -TestNumbers 1: detected by the Sigma rule Suspicious Calculator Usage.
Invoke-AtomicTest T1547.009 -TestNumbers 2: detected by Soteria as NEW COM and by Sigma (PowerShell).
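As an added hunting example (not from the original page or the Atomic Red Team project), the script below enumerates the .lnk files in the per-user and all-users Startup folders, resolves each target through the WScript.Shell COM object, and flags the patterns the ATT&CK description calls out: indirection through a script interpreter, a target outside the usual program directories, and a shortcut name that does not match its target binary. The interpreter watch-list and the trusted-root heuristic are assumptions and will produce some false positives on legitimate updaters.

```powershell
# Added example: flag suspicious Startup-folder shortcuts (T1547.009 hunting).
# Watch-lists and heuristics below are assumptions, not a vendor rule set.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # current user
    [Environment]::GetFolderPath('CommonStartup')   # all users
)

# Interpreters commonly used as indirection targets (assumed watch-list)
$interpreters = 'powershell.exe','pwsh.exe','cmd.exe','wscript.exe',
                'cscript.exe','mshta.exe','rundll32.exe','regsvr32.exe'
# Roots where a legitimate autostart target normally lives (assumption)
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
                Where-Object { $_ }

$shell = New-Object -ComObject WScript.Shell
$findings = foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($lnk in Get-ChildItem -Path $dir -Filter *.lnk -File -ErrorAction SilentlyContinue) {
        $sc      = $shell.CreateShortcut($lnk.FullName)   # resolves .lnk metadata
        $target  = $sc.TargetPath
        $reasons = @()
        if ([string]::IsNullOrWhiteSpace($target)) {
            $reasons += 'empty target'
        } else {
            $exe = [IO.Path]::GetFileName($target).ToLower()
            if ($interpreters -contains $exe -and $sc.Arguments) {
                $reasons += "interpreter with arguments: $exe"
            }
            $inTrusted = $false
            foreach ($root in $trustedRoots) {
                if ($target.StartsWith($root, 'OrdinalIgnoreCase')) { $inTrusted = $true }
            }
            if (-not $inTrusted)          { $reasons += 'target outside Program Files/Windows' }
            if (-not (Test-Path $target)) { $reasons += 'target missing on disk' }
            # Shortcut label differs from target binary: possible masquerading
            if ($lnk.BaseName.ToLower() -ne [IO.Path]::GetFileNameWithoutExtension($target).ToLower()) {
                $reasons += 'name/target mismatch'
            }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Shortcut  = $lnk.FullName
                Target    = $target
                Arguments = $sc.Arguments
                Modified  = $lnk.LastWriteTime   # recent change after a test run is a useful pivot
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}
$findings | Format-Table -AutoSize
```

Run it before and after the atomic test to see the test's shortcut appear with its reasons, then confirm it is gone after -Cleanup.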
© 2021. This work is licensed under a CC BY-SA 4.0 license