IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Shortcut File Written or Modified on Startup Folder
editShortcut File Written or Modified on Startup Folder
editIdentifies shortcut files written to or modified in the startup folder. Adversaries may use this technique to maintain persistence.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
- endgame-*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References: None
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Persistence
- Data Source: Elastic Endgame
- Data Source: Elastic Defend
- Rule Type: BBR
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editfile where host.os.type == "windows" and event.type != "deletion" and file.extension == "lnk" and
file.path : (
"C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*",
"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\*"
) and
not (
(process.name : "ONENOTE.EXE" and process.code_signature.status: "trusted" and file.name : "Send to OneNote.lnk") or
(process.name: "OktaVerifySetup.exe" and process.code_signature.status: "trusted" and file.name : "Okta Verify.lnk")
)
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Boot or Logon Autostart Execution
- ID: T1547
- Reference URL: https://attack.mitre.org/techniques/T1547/
-
Sub-technique:
- Name: Registry Run Keys / Startup Folder
- ID: T1547.001
- Reference URL: https://attack.mitre.org/techniques/T1547/001/
-
Sub-technique:
- Name: Shortcut Modification
- ID: T1547.009
- Reference URL: https://attack.mitre.org/techniques/T1547/009/