Shortcut Modification - T1547.009
(ATT&CK® Technique)
Definition
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
D3FEND Inferred Relationships
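Browse the D3FEND knowledge graph by clicking on the nodes below. The relationships shown are inferred from the digital artifacts the technique may modify (Symbolic Link, User Startup Script File), so each "may-" edge marks a candidate countermeasure to validate in your environment rather than confirmed coverage.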
graph LR;

%% Offensive technique T1547.009 and the two artifacts it may modify.
%% Every defensive edge below is inferred through one of these artifacts.
T1547009["Shortcut Modification"] --> |may-modify| SymbolicLink["Symbolic Link"];
T1547009 --> |may-modify| UserStartupScriptFile["User Startup Script File"];
class T1547009 OffensiveTechniqueNode;
class SymbolicLink ArtifactNode;
class UserStartupScriptFile ArtifactNode;
click T1547009 href "/offensive-technique/attack/T1547.009/";
click SymbolicLink href "/dao/artifact/d3f:SymbolicLink";
click UserStartupScriptFile href "/dao/artifact/d3f:UserStartupScriptFile";

%% Dynamic Analysis: analyzes the startup script file, so it may detect the technique.
DynamicAnalysis["Dynamic Analysis"] --> | analyzes | UserStartupScriptFile;
DynamicAnalysis -.-> | may-detect | T1547009;
class DynamicAnalysis DefensiveTechniqueNode;
click DynamicAnalysis href "/technique/d3f:DynamicAnalysis";

%% Emulated File Analysis: analyzes the startup script file, so it may detect the technique.
EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | UserStartupScriptFile;
EmulatedFileAnalysis -.-> | may-detect | T1547009;
class EmulatedFileAnalysis DefensiveTechniqueNode;
click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis";

%% File Integrity Monitoring: analyzes both artifacts, so it may detect the technique.
FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | SymbolicLink;
FileIntegrityMonitoring -.-> | may-detect | T1547009;
FileIntegrityMonitoring --> | analyzes | UserStartupScriptFile;
class FileIntegrityMonitoring DefensiveTechniqueNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring";

%% File Eviction: deletes both artifacts, so it may evict the technique.
FileEviction["File Eviction"] --> | deletes | UserStartupScriptFile;
FileEviction -.-> | may-evict | T1547009;
FileEviction --> | deletes | SymbolicLink;
class FileEviction DefensiveTechniqueNode;
click FileEviction href "/technique/d3f:FileEviction";

%% Decoy File: spoofs both artifacts, so it may deceive the technique.
DecoyFile["Decoy File"] --> | spoofs | SymbolicLink;
DecoyFile -.-> | may-deceive | T1547009;
DecoyFile --> | spoofs | UserStartupScriptFile;
class DecoyFile DefensiveTechniqueNode;
click DecoyFile href "/technique/d3f:DecoyFile";

%% File Encryption: encrypts both artifacts, so it may harden against the technique.
FileEncryption["File Encryption"] --> | encrypts | SymbolicLink;
FileEncryption -.-> | may-harden | T1547009;
FileEncryption --> | encrypts | UserStartupScriptFile;
class FileEncryption DefensiveTechniqueNode;
click FileEncryption href "/technique/d3f:FileEncryption";

%% Local File Permissions: restricts both artifacts, so it may isolate the technique.
LocalFilePermissions["Local File Permissions"] --> | restricts | SymbolicLink;
LocalFilePermissions -.-> | may-isolate | T1547009;
LocalFilePermissions --> | restricts | UserStartupScriptFile;
class LocalFilePermissions DefensiveTechniqueNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";

%% Executable Allowlisting: blocks the startup script file, so it may isolate the technique.
ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | UserStartupScriptFile;
ExecutableAllowlisting -.-> | may-isolate | T1547009;
class ExecutableAllowlisting DefensiveTechniqueNode;
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting";

%% Executable Denylisting: blocks the startup script file, so it may isolate the technique.
ExecutableDenylisting["Executable Denylisting"] --> | blocks | UserStartupScriptFile;
ExecutableDenylisting -.-> | may-isolate | T1547009;
class ExecutableDenylisting DefensiveTechniqueNode;
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting";

%% Restore File: restores both artifacts, so it may restore after the technique.
RestoreFile["Restore File"] --> | restores | SymbolicLink;
RestoreFile -.-> | may-restore | T1547009;
RestoreFile --> | restores | UserStartupScriptFile;
class RestoreFile DefensiveTechniqueNode;
click RestoreFile href "/technique/d3f:RestoreFile";

%% File Analysis: analyzes both artifacts, so it may detect the technique.
FileAnalysis["File Analysis"] --> | analyzes | SymbolicLink;
FileAnalysis -.-> | may-detect | T1547009;
FileAnalysis --> | analyzes | UserStartupScriptFile;
class FileAnalysis DefensiveTechniqueNode;
click FileAnalysis href "/technique/d3f:FileAnalysis";

%% Remote File Access Mediation: isolates both artifacts, so it may isolate the technique.
RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | UserStartupScriptFile;
RemoteFileAccessMediation -.-> | may-isolate | T1547009;
RemoteFileAccessMediation --> | isolates | SymbolicLink;
class RemoteFileAccessMediation DefensiveTechniqueNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";