title: PowerShell Writing Startup Shortcuts
author: Christopher Peacock '@securepeacock', SCYTHE
date: 2021/10/24
description: Attempts to detect PowerShell writing startup shortcuts. This procedure
    was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe
    adversaries using PowerShell to write malicious .lnk files into the startup directory
    to establish persistence. Accordingly, this detection opportunity is likely to
    identify persistence mechanisms in multiple threats. In the context of Yellow
    Cockatoo, this persistence mechanism eventually launches the command-line script
    that leads to the installation of a malicious DLL"
detection:
    SELECTION_1:
        EventID: 11
    SELECTION_2:
        Image: '*\powershell.exe'
    SELECTION_3:
        TargetFilename: '*\start menu\programs\startup\\*'
    SELECTION_4:
        TargetFilename: '*.lnk'
    condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
- Depending on your environment accepted applications may leverage this at times.
    It is recomended to search for anomolies inidicative of malware.
id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
level: high
logsource:
    category: file_event
    product: windows
references:
- https://redcanary.com/blog/intelligence-insights-october-2021/
- https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
status: experimental
tags:
- attack.registry_run_keys_/_startup_folder
- attack.t1547.001
yml_filename: sysmon_powershell_startup_shortcuts.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event