Adversaries may use PowerShell to create startup shortcuts as a persistence mechanism, leveraging the technique T1547.001 to ensure persistence across reboots. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential long-term access and compromise indicators early.
Detection Rule
title: Potential Startup Shortcut Persistence Via PowerShell.EXE
id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
status: test
description: |
    Detects PowerShell writing startup shortcuts.
    This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.
    Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.
    In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
references:
    - https://redcanary.com/blog/intelligence-insights-october-2021/
    - https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
author: Christopher Peacock '@securepeacock', SCYTHE
date: 2021-10-24
modified: 2023-02-23
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetFilename|contains: '\start menu\programs\startup\'
        TargetFilename|endswith: '.lnk'
    condition: selection
falsepositives:
    - Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies indicative of malware.
level: high
Azure Sentinel Query (KQL, ASIM imFileEvent)
imFileEvent
// ActingProcessName is the process that wrote the file (Sigma 'Image'); TargetFilePath is the full path of the written file (Sigma 'TargetFilename'). KQL endswith/contains are case-insensitive, matching Sigma's modifiers.
| where ActingProcessName endswith "\\powershell.exe" or ActingProcessName endswith "\\pwsh.exe"
| where TargetFilePath contains "\\start menu\\programs\\startup\\" and TargetFilePath endswith ".lnk"
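As an added example (not part of this page or the Sigma project), the rule's selection logic and the scenario-based exclusions listed under the false-positive scenarios are emulated in Python over constructed Sysmon-style file events. The ParentImage and CommandLine fields are assumed enrichment from a process-creation join, and all sample events are constructed.

```python
from typing import Dict, List, Tuple

# Sigma |endswith / |contains (like KQL endswith / contains) are case-insensitive,
# so both sides are lower-cased; on disk the path is "Start Menu\Programs\Startup".
IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")
STARTUP_FRAGMENT = "\\start menu\\programs\\startup\\"
# Tuning terms from the false-positive scenarios on this page (assumed enrichment fields).
KNOWN_ADMIN_TOOLS = ("wireshark", "sqlcmd")


def rule_matches(event: Dict[str, str]) -> bool:
    """True when a file event satisfies the rule's 'selection' block."""
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    return image.endswith(IMAGE_SUFFIXES) and STARTUP_FRAGMENT in target and target.endswith(".lnk")


def is_tuned_out(event: Dict[str, str]) -> bool:
    """Scenario-style exclusions; they cut alert volume, they do not prove the write benign."""
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return parent.endswith("\\schtasks.exe") or any(t in cmd for t in KNOWN_ADMIN_TOOLS)


def triage(events: List[Dict[str, str]]) -> Tuple[List[str], List[str]]:
    """Split matching events into (alert ids, suppressed ids); non-matches are dropped."""
    alerts, suppressed = [], []
    for ev in events:
        if rule_matches(ev):
            (suppressed if is_tuned_out(ev) else alerts).append(ev["id"])
    return alerts, suppressed


# Constructed sample events in Sysmon Event ID 11 shape; ParentImage and CommandLine
# are assumed to come from a process-creation join (not present in the raw file event).
USER_STARTUP = "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
ALL_STARTUP = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [
    {"id": "e1", "Image": PS, "TargetFilename": USER_STARTUP + "Update.LNK",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell -File invoice.ps1"},
    {"id": "e2", "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "TargetFilename": ALL_STARTUP + "Wireshark.lnk", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "pwsh -File SetupEnv.ps1 -Tool Wireshark"},
    {"id": "e3", "Image": PS, "TargetFilename": ALL_STARTUP + "Cleanup.lnk",
     "ParentImage": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "powershell -File cleanup.ps1"},
    {"id": "e4", "Image": "C:\\Windows\\explorer.exe", "TargetFilename": USER_STARTUP + "Notepad++.lnk"},
    {"id": "e5", "Image": PS, "TargetFilename": "C:\\Users\\alice\\Desktop\\notes.lnk"},
]

if __name__ == "__main__":
    print(triage(EVENTS))  # (['e1'], ['e2', 'e3'])
```

Event e1 shows why the comparison must be case-insensitive: the real folder is written "Start Menu\Programs\Startup" and the shortcut here is "Update.LNK", yet the rule still fires.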
Scenario: System Maintenance Task Creating Startup Shortcut
Description: A system administrator uses the built-in Task Scheduler to configure a legitimate maintenance script that creates a startup shortcut for system cleanup.
Filter/Exclusion: Check for Task Scheduler related processes or use a filter like ProcessName == "schtasks.exe" or CommandLine contains "schtasks".
Scenario: User-Initiated Shortcut Creation for Application Launch
Description: A user manually creates a startup shortcut for a legitimate application (e.g., Notepad++, Visual Studio) using PowerShell as part of their workflow.
Filter/Exclusion: Filter by User context (e.g., User == "Domain\User") or check for known legitimate applications in the CommandLine.
Scenario: Scheduled Job for Application Initialization
Description: A system admin sets up a scheduled job using schtasks.exe or Task Scheduler to run a PowerShell script that creates a shortcut for an application to start on boot.
Filter/Exclusion: Use ProcessName == "schtasks.exe" or check for Task Scheduler job names in the command line.
Scenario: PowerShell Script for Environment Setup
Description: A PowerShell script (e.g., SetupEnv.ps1) is run by an admin to configure the system environment, which includes creating shortcuts for tools like Wireshark or SQL Server.
Filter/Exclusion: Filter by script name or check for known admin tools in the CommandLine (e.g., Wireshark, SQLCMD).
Scenario: Group Policy Object (GPO) Deployment via PowerShell
Description: A GPO is configured to deploy a PowerShell script that creates startup shortcuts for enterprise tools (e.g., Microsoft Endpoint Manager, Intune) during