Potential Startup Shortcut Persistence Via PowerShell.EXE
- source: sigma
- techniques:
  - t1547
  - t1547.001
Description
Detects PowerShell writing startup shortcuts. This procedure was highlighted in Red Canary Intel Insights Oct. 2021: “We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL.”
Detection logic
selection:
  Image|endswith:
    - \powershell.exe
    - \pwsh.exe
  TargetFilename|contains: \start menu\programs\startup\
  TargetFilename|endswith: .lnk
condition: selection
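As an added illustration (not part of the original rule or of the Sigma project), a small Python evaluator that applies the selection above to constructed Sysmon Event ID 11 (FileCreate) records. It follows Sigma's default string semantics: case-insensitive matching, OR across the values of a list, AND across the fields of a selection. The sample events are made up for the demonstration.

```python
# Constructed Sysmon Event ID 11 (FileCreate) records, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\update.lnk"},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\sync.LNK"},
    # Benign: explorer.exe creating a startup shortcut does not match Image.
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\Notes.lnk"},
    # Benign: PowerShell writing a .lnk outside the Startup folder.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\Documents\report.lnk"},
]

# The rule's selection block, transcribed as a dict of "field|modifier" keys.
SELECTION = {
    "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
    "TargetFilename|contains": "\\start menu\\programs\\startup\\",
    "TargetFilename|endswith": ".lnk",
}

# Sigma string modifiers supported by this toy evaluator.
MODIFIERS = {
    "": lambda value, pattern: value == pattern,        # no modifier: equality
    "endswith": lambda value, pattern: value.endswith(pattern),
    "startswith": lambda value, pattern: value.startswith(pattern),
    "contains": lambda value, pattern: pattern in value,
}


def field_matches(event, key, patterns):
    """One selection entry: any listed value may match (OR), case-insensitively."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    if isinstance(patterns, str):
        patterns = [patterns]
    check = MODIFIERS[modifier]
    return any(check(value, str(p).lower()) for p in patterns)


def selection_matches(event, selection=SELECTION):
    """All entries of a selection must hold (AND); 'condition: selection'."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def find_matches(events, selection=SELECTION):
    """Return the events that would raise this rule."""
    return [e for e in events if selection_matches(e, selection)]
```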