
Potential Startup Shortcut Persistence Via PowerShell.EXE

Severity
high
Author
Christopher Peacock '@securepeacock', SCYTHE
Source
upstream

Detects powershell.exe or pwsh.exe creating a .lnk file inside a Start Menu Startup folder (the per-user folder under AppData\Roaming or the all-users folder under ProgramData), as seen in Sysmon Event ID 11 (FileCreate). This procedure was highlighted in Red Canary Intel Insights, Oct. 2021: "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL."

MITRE ATT&CK coverage

Tactic               | Technique
Persistence          | T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Privilege Escalation | T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Event coverage

Provider | Event ID | Title
Sysmon   | 11       | FileCreate

Stages and Predicates

Stage 1: selection

all of (the fields of a Sigma selection are ANDed; the two Image values are alternatives):
Image|endswith (any of):
  '\powershell.exe'
  '\pwsh.exe'
TargetFilename|contains: '\start menu\programs\startup\'
TargetFilename|endswith: '.lnk'

An event matches only when the writing process is powershell.exe or pwsh.exe AND the created path lies under a Startup folder AND the file name ends in .lnk. Reading the four predicates as one flat OR would flag every file PowerShell creates and every shortcut any program writes, so the selection must be read as above.
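As an added example (not the rule's or the catalog's own code), the selection above evaluated in Python over constructed Sysmon Event ID 11 records, following Sigma semantics: values listed under one field are ORed, the fields of a selection are ANDed, and string modifiers compare case-insensitively. A flat-OR reading of the same four predicates is evaluated beside it to show how many benign events that reading would flag. All image paths and target paths are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FileCreate:
    """Minimal view of a Sysmon Event ID 11 (FileCreate) record:
    only the two fields this rule inspects."""
    Image: str
    TargetFilename: str


# Predicates copied from the rule's selection block.
IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")   # Image|endswith, list => OR
STARTUP_DIR = "\\start menu\\programs\\startup\\"     # TargetFilename|contains
LNK_SUFFIX = ".lnk"                                    # TargetFilename|endswith


def selection(ev: FileCreate) -> bool:
    """The rule's selection: OR across the Image values, AND across fields,
    case-insensitive string comparison as Sigma specifies."""
    image = ev.Image.lower()
    target = ev.TargetFilename.lower()
    image_ok = any(image.endswith(s) for s in IMAGE_SUFFIXES)
    return image_ok and STARTUP_DIR in target and target.endswith(LNK_SUFFIX)


def loose_or(ev: FileCreate) -> bool:
    """The four predicates read as one flat OR; shown only to contrast
    with selection(), this is NOT how the rule is evaluated."""
    image = ev.Image.lower()
    target = ev.TargetFilename.lower()
    return (any(image.endswith(s) for s in IMAGE_SUFFIXES)
            or STARTUP_DIR in target
            or target.endswith(LNK_SUFFIX))


# Constructed sample events (not real telemetry). Expected outcome in the comment.
SAMPLE_EVENTS = [
    # pwsh writing a .lnk into the per-user Startup folder: hit
    FileCreate(r"C:\Program Files\PowerShell\7\pwsh.exe",
               r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk"),
    # Windows PowerShell writing a .lnk into the all-users Startup folder: hit
    FileCreate(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\svc.lnk"),
    # Same as the first case but with upper-case paths: still a hit (case-insensitive)
    FileCreate(r"C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE",
               r"C:\USERS\BOB\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\SYNC.LNK"),
    # PowerShell writing an ordinary document: no hit (would match the flat OR)
    FileCreate(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r"C:\Users\alice\Documents\report.txt"),
    # A user dragging a shortcut into Startup via Explorer: no hit (would match the flat OR)
    FileCreate(r"C:\Windows\explorer.exe",
               r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyApp.lnk"),
    # PowerShell dropping a script, not a shortcut, into Startup: no hit, a gap of this rule
    FileCreate(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.ps1"),
]


def matches(events, predicate=selection):
    """Return the TargetFilename of every event the predicate accepts."""
    return [ev.TargetFilename for ev in events if predicate(ev)]


if __name__ == "__main__":
    for name, pred in (("selection (AND across fields)", selection), ("flat OR", loose_or)):
        hits = matches(SAMPLE_EVENTS, pred)
        print(f"{name}: {len(hits)} of {len(SAMPLE_EVENTS)} events")
        for target in hits:
            print("   ", target)
```

Run as written, the correct selection fires on three of the six constructed events and the flat OR on all six. Two caveats the sample makes visible: the rule only sees what Sysmon records, so the Sysmon configuration's FileCreate filter must include the Startup folders; and a script (.ps1, .bat) dropped into the same folder, or a shortcut written by any process other than the two PowerShell binaries, is outside this rule and needs separate coverage. To exercise the real rule in a lab, create a shortcut under the per-user Startup folder from pwsh.exe (for example with the WScript.Shell COM object's CreateShortcut and Save) and confirm a FileCreate event with Image ending in pwsh.exe arrives.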

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field          | Kind       | Values
Image          | ends_with  |
  • \powershell.exe  (corpus 143, sigma 143)
  • \pwsh.exe  (corpus 140, sigma 140)
TargetFilename | ends_with  |
  • .lnk  (corpus 5, sigma 5)
TargetFilename | match      |
  • \start menu\programs\startup\  (no corpus count: specific to this rule)