Skip to content

Hide Navigation Hide TOC

Potential Startup Shortcut Persistence Via PowerShell.EXE (92fa78e7-4d39-45f1-91a3-8b23f3f1088d)

Detects PowerShell writing startup shortcuts. This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"

Cluster A Galaxy A Cluster B Galaxy B Level
Potential Startup Shortcut Persistence Via PowerShell.EXE (92fa78e7-4d39-45f1-91a3-8b23f3f1088d) Sigma-Rules Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 1
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2