Shortcut Modification - T1547.009
(ATT&CK® Technique)
Definition
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
%% D3FEND relationship graph for ATT&CK T1547.009 (Shortcut Modification), drawn left to right.
%% Node classes: OffensiveTechniqueNode = the ATT&CK technique, ArtifactNode = the digital
%% artifact it touches, DefensiveTechniqueNode = a D3FEND countermeasure.
%% Solid edges (-->) state what a technique does to an artifact: the offensive technique
%% may-modify Symbolic Link and User Startup Script File; each defensive technique spoofs,
%% analyzes, deletes, quarantines, modifies, encrypts, restores, restricts, blocks, filters
%% or isolates one or both of those artifacts.
%% Dotted edges (-.->) are the inferred defensive-to-offensive relations (may-deceive,
%% may-detect, may-evict, may-isolate, may-harden, may-restore). They follow from the shared
%% artifact only, so read them as candidate countermeasures to evaluate, not as proof of coverage.
%% NOTE(review): class and click statements are repeated for every edge, presumably because the
%% graph is generated per relationship; statement order is left untouched since it can affect layout.
T1547009["Shortcut Modification"] --> |may-modify| SymbolicLink["Symbolic Link"]; class T1547009 OffensiveTechniqueNode;
class SymbolicLink ArtifactNode; click SymbolicLink href "../../../dao/artifact/d3f:SymbolicLink";
click T1547009 href "../../../offensive-technique/attack/T1547.009/"; click SymbolicLink href "../../../dao/artifact/d3f:SymbolicLink"; T1547009["Shortcut Modification"] --> |may-modify| UserStartupScriptFile["User Startup Script File"]; class T1547009 OffensiveTechniqueNode;
class UserStartupScriptFile ArtifactNode; click UserStartupScriptFile href "../../../dao/artifact/d3f:UserStartupScriptFile";
click T1547009 href "../../../offensive-technique/attack/T1547.009/"; click UserStartupScriptFile href "../../../dao/artifact/d3f:UserStartupScriptFile"; DecoyFile["Decoy File"] -->
| spoofs | SymbolicLink["Symbolic Link"];
DecoyFile["Decoy File"] -.->
| may-deceive | T1547009["Shortcut Modification"] ;
class DecoyFile DefensiveTechniqueNode;
class SymbolicLink ArtifactNode;
click DecoyFile href "../../../technique/d3f:DecoyFile"; DecoyFile["Decoy File"] -->
| spoofs | UserStartupScriptFile["User Startup Script File"];
class DecoyFile DefensiveTechniqueNode;
class UserStartupScriptFile ArtifactNode;
click DecoyFile href "../../../technique/d3f:DecoyFile"; DynamicAnalysis["Dynamic Analysis"] -->
| analyzes | UserStartupScriptFile["User Startup Script File"];
DynamicAnalysis["Dynamic Analysis"] -.->
| may-detect | T1547009["Shortcut Modification"] ;
class DynamicAnalysis DefensiveTechniqueNode;
class UserStartupScriptFile ArtifactNode;
click DynamicAnalysis href "../../../technique/d3f:DynamicAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] -->
| analyzes | UserStartupScriptFile["User Startup Script File"];
EmulatedFileAnalysis["Emulated File Analysis"] -.->
| may-detect | T1547009["Shortcut Modification"] ;
class EmulatedFileAnalysis DefensiveTechniqueNode;
class UserStartupScriptFile ArtifactNode;
click EmulatedFileAnalysis href "../../../technique/d3f:EmulatedFileAnalysis"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | UserStartupScriptFile["User Startup Script File"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.->
| may-detect | T1547009["Shortcut Modification"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class UserStartupScriptFile ArtifactNode;
click FileIntegrityMonitoring href "../../../technique/d3f:FileIntegrityMonitoring"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | SymbolicLink["Symbolic Link"];
class FileIntegrityMonitoring DefensiveTechniqueNode;
class SymbolicLink ArtifactNode;
click FileIntegrityMonitoring href "../../../technique/d3f:FileIntegrityMonitoring"; FileEviction["File Eviction"] -->
| deletes | SymbolicLink["Symbolic Link"];
FileEviction["File Eviction"] -.->
| may-evict | T1547009["Shortcut Modification"] ;
class FileEviction DefensiveTechniqueNode;
class SymbolicLink ArtifactNode;
click FileEviction href "../../../technique/d3f:FileEviction"; FileEviction["File Eviction"] -->
| deletes | UserStartupScriptFile["User Startup Script File"];
class FileEviction DefensiveTechniqueNode;
class UserStartupScriptFile ArtifactNode;
click FileEviction href "../../../technique/d3f:FileEviction"; ContentQuarantine["Content Quarantine"] -->
| quarantines | UserStartupScriptFile["User Startup Script File"];
ContentQuarantine["Content Quarantine"] -.->
| may-isolate | T1547009["Shortcut Modification"] ;
class ContentQuarantine DefensiveTechniqueNode;
class UserStartupScriptFile ArtifactNode;
click ContentQuarantine href "../../../technique/d3f:ContentQuarantine"; ContentModification["Content Modification"] -->
| modifies | UserStartupScriptFile["User Startup Script File"];
ContentModification["Content Modification"] -.->
| may-isolate | T1547009["Shortcut Modification"] ;
class ContentModification DefensiveTechniqueNode;
class UserStartupScriptFile ArtifactNode;
click ContentModification href "../../../technique/d3f:ContentModification"; ContentModification["Content Modification"] -->
| modifies | SymbolicLink["Symbolic Link"];
class ContentModification DefensiveTechniqueNode;
class SymbolicLink ArtifactNode;
click ContentModification href "../../../technique/d3f:ContentModification"; ContentQuarantine["Content Quarantine"] -->
| quarantines | SymbolicLink["Symbolic Link"];
class ContentQuarantine DefensiveTechniqueNode;
class SymbolicLink ArtifactNode;
click ContentQuarantine href "../../../technique/d3f:ContentQuarantine"; FileEncryption["File Encryption"] -->
| encrypts | SymbolicLink["Symbolic Link"];
FileEncryption["File Encryption"] -.->
| may-harden | T1547009["Shortcut Modification"] ;
class FileEncryption DefensiveTechniqueNode;
class SymbolicLink ArtifactNode;
click FileEncryption href "../../../technique/d3f:FileEncryption"; FileEncryption["File Encryption"] -->
| encrypts | UserStartupScriptFile["User Startup Script File"];
class FileEncryption DefensiveTechniqueNode;
class UserStartupScriptFile ArtifactNode;
click FileEncryption href "../../../technique/d3f:FileEncryption"; RestoreFile["Restore File"] -->
| restores | SymbolicLink["Symbolic Link"];
RestoreFile["Restore File"] -.->
| may-restore | T1547009["Shortcut Modification"] ;
class RestoreFile DefensiveTechniqueNode;
class SymbolicLink ArtifactNode;
click RestoreFile href "../../../technique/d3f:RestoreFile"; RestoreFile["Restore File"] -->
| restores | UserStartupScriptFile["User Startup Script File"];
class RestoreFile DefensiveTechniqueNode;
class UserStartupScriptFile ArtifactNode;
click RestoreFile href "../../../technique/d3f:RestoreFile"; LocalFilePermissions["Local File Permissions"] -->
| restricts | UserStartupScriptFile["User Startup Script File"];
LocalFilePermissions["Local File Permissions"] -.->
| may-isolate | T1547009["Shortcut Modification"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class UserStartupScriptFile ArtifactNode;
click LocalFilePermissions href "../../../technique/d3f:LocalFilePermissions"; ExecutableAllowlisting["Executable Allowlisting"] -->
| blocks | UserStartupScriptFile["User Startup Script File"];
ExecutableAllowlisting["Executable Allowlisting"] -.->
| may-isolate | T1547009["Shortcut Modification"] ;
class ExecutableAllowlisting DefensiveTechniqueNode;
class UserStartupScriptFile ArtifactNode;
click ExecutableAllowlisting href "../../../technique/d3f:ExecutableAllowlisting"; ExecutableDenylisting["Executable Denylisting"] -->
| blocks | UserStartupScriptFile["User Startup Script File"];
ExecutableDenylisting["Executable Denylisting"] -.->
| may-isolate | T1547009["Shortcut Modification"] ;
class ExecutableDenylisting DefensiveTechniqueNode;
class UserStartupScriptFile ArtifactNode;
click ExecutableDenylisting href "../../../technique/d3f:ExecutableDenylisting"; FileAnalysis["File Analysis"] -->
| analyzes | SymbolicLink["Symbolic Link"];
FileAnalysis["File Analysis"] -.->
| may-detect | T1547009["Shortcut Modification"] ;
class FileAnalysis DefensiveTechniqueNode;
class SymbolicLink ArtifactNode;
click FileAnalysis href "../../../technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] -->
| analyzes | UserStartupScriptFile["User Startup Script File"];
class FileAnalysis DefensiveTechniqueNode;
class UserStartupScriptFile ArtifactNode;
click FileAnalysis href "../../../technique/d3f:FileAnalysis"; ContentFiltering["Content Filtering"] -->
| filters | UserStartupScriptFile["User Startup Script File"];
ContentFiltering["Content Filtering"] -.->
| may-isolate | T1547009["Shortcut Modification"] ;
class ContentFiltering DefensiveTechniqueNode;
class UserStartupScriptFile ArtifactNode;
click ContentFiltering href "../../../technique/d3f:ContentFiltering"; ContentFiltering["Content Filtering"] -->
| filters | SymbolicLink["Symbolic Link"];
class ContentFiltering DefensiveTechniqueNode;
class SymbolicLink ArtifactNode;
click ContentFiltering href "../../../technique/d3f:ContentFiltering"; LocalFilePermissions["Local File Permissions"] -->
| restricts | SymbolicLink["Symbolic Link"];
class LocalFilePermissions DefensiveTechniqueNode;
class SymbolicLink ArtifactNode;
click LocalFilePermissions href "../../../technique/d3f:LocalFilePermissions"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | SymbolicLink["Symbolic Link"];
RemoteFileAccessMediation["Remote File Access Mediation"] -.->
| may-isolate | T1547009["Shortcut Modification"] ;
class RemoteFileAccessMediation DefensiveTechniqueNode;
class SymbolicLink ArtifactNode;
click RemoteFileAccessMediation href "../../../technique/d3f:RemoteFileAccessMediation"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | UserStartupScriptFile["User Startup Script File"];
class RemoteFileAccessMediation DefensiveTechniqueNode;
class UserStartupScriptFile ArtifactNode;
click RemoteFileAccessMediation href "../../../technique/d3f:RemoteFileAccessMediation";