
Potential Startup Shortcut Persistence Via PowerShell.EXE

Detects PowerShell writing startup shortcuts. This procedure was highlighted in Red Canary Intel Insights Oct. 2021: "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL."

Author: Christopher Peacock, SCYTHE
Created: Sun Oct 24
Updated: Thu Feb 23
Rule ID: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
Product: windows

Log Source
Product: Windows (raw: windows)
Category: File Event (raw: file_event)

Events for file system activity including creation, modification, and deletion.

Detection Logic
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetFilename|contains: '\start menu\programs\startup\'
        TargetFilename|endswith: '.lnk'
    condition: selection
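To make the matching semantics concrete, here is a small reference matcher for the selection above, added for this page and not part of the Sigma project or the rule itself. It applies the three clauses the way a Sigma backend does (Sigma string modifiers such as `contains` and `endswith` are case-insensitive, and the `Image|endswith` list is an OR) to a handful of constructed Sysmon-style file-creation events, so you can see which paths trigger the rule and which do not. The event field names follow the rule (`Image`, `TargetFilename`); the sample paths and user names are invented for this example.

```python
"""Reference matcher for the Sigma selection above, run over constructed sample events.

Sigma string modifiers (contains / endswith) are case-insensitive, so both the
field value and the pattern are lowercased before comparison. Events are modelled
as plain dicts carrying the file-event field names the rule uses; every sample
record below is constructed for this example and is not real telemetry.
"""
from typing import Iterable

# Selection values copied from the rule's YAML.
IMAGE_ENDSWITH = ("\\powershell.exe", "\\pwsh.exe")
TARGET_CONTAINS = "\\start menu\\programs\\startup\\"
TARGET_ENDSWITH = ".lnk"


def _field(event: dict, name: str) -> str:
    """Return a field as a lowercase string (Sigma string matching is case-insensitive)."""
    return str(event.get(name, "")).lower()


def matches(event: dict) -> bool:
    """Evaluate 'condition: selection' for a single file event.

    All three clauses must hold; within Image|endswith any listed suffix suffices.
    """
    image = _field(event, "Image")
    target = _field(event, "TargetFilename")
    return (
        any(image.endswith(suffix) for suffix in IMAGE_ENDSWITH)
        and TARGET_CONTAINS in target
        and target.endswith(TARGET_ENDSWITH)
    )


def find_hits(events: Iterable[dict]) -> list[dict]:
    """Return the events that trigger the rule, preserving input order."""
    return [event for event in events if matches(event)]


# Constructed sample events in Sysmon Event ID 11 (FileCreate) shape.
SAMPLE_EVENTS = [
    {   # pwsh writing a .lnk into the per-user Startup folder: should match
        "EventID": 11,
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    },
    {   # Windows PowerShell writing to the all-users Startup folder, mixed case: should match
        "EventID": 11,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.EXE",
        "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\helper.LNK",
    },
    {   # PowerShell writing a .lnk to the Desktop, not Startup: should not match
        "EventID": 11,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetFilename": r"C:\Users\alice\Desktop\Notes.lnk",
    },
    {   # Explorer creating a Startup shortcut: Image is not PowerShell, should not match
        "EventID": 11,
        "Image": r"C:\Windows\explorer.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Teams.lnk",
    },
    {   # PowerShell writing a .ps1 (not .lnk) into Startup: should not match
        "EventID": 11,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.ps1",
    },
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"HIT  {hit['Image']} -> {hit['TargetFilename']}")
```

Only the first two sample events fire. Note that the `Image|endswith` patterns start with a backslash, so a bare process name without a path would not match; when porting the rule to a log source that records only the image name, adjust the selection accordingly.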
False Positives

Depending on your environment, accepted applications may use this behaviour at times. It is recommended to search for anomalies indicative of malware.

Rule Metadata
Rule ID
92fa78e7-4d39-45f1-91a3-8b23f3f1088d
Status
test
Level
high
Type
Detection
Created
Sun Oct 24
Modified
Thu Feb 23
Path
rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml
Raw Tags
attack.privilege-escalation
attack.persistence
attack.t1547.001