Merge pull request #807 from jtothej/shortcut

Update metadata and promote create-shortcut-via-ishelllink.yml
mandiant · Aug 1, 2023 · 3f39a45 · 3f39a45
2 parents 6691e9b + 127330a
commit 3f39a45
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/nursery/create-shortcut-via-ishelllink.yml → ...stence/create-shortcut-via-ishelllink.yml b/nursery/create-shortcut-via-ishelllink.yml → ...stence/create-shortcut-via-ishelllink.yml
@@ -1,12 +1,16 @@
 rule:
   meta:
     name: create shortcut via IShellLink
-    namespace: host-interaction/file-system/write
+    namespace: persistence
     authors:
       - matthew.williams@mandiant.com
     scope: function
+    att&ck:
+      - Persistence::Boot or Logon Autostart Execution::Shortcut Modification [T1547.009]
     references:
       - https://docs.microsoft.com/en-us/windows/win32/shell/links#creating-a-shortcut-and-a-folder-shortcut-to-a-file
+    examples:
+      - 7f403f7d643d90c7cbadf3ccfc68bd1badf06f89a35af5fc7811920e820bbcc9:0x10001380
   features:
     - and:
       - bytes: 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46 = CLSID_ShellLink