{
	"id": "88dd425a-0fec-4b25-86f3-66cbd57394a7",
	"created_at": "2026-04-06T00:21:35.448323Z",
	"updated_at": "2026-04-10T03:21:24.735397Z",
	"deleted_at": null,
	"sha1_hash": "548be8d958f352c013e87ba8c4b74ae63625fcd6",
	"title": "Shortcut File Written or Modified for Persistence | Elastic Security [7.17]",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49393,
	"plain_text": "Shortcut File Written or Modified for Persistence | Elastic Security\r\n[7.17]\r\nArchived: 2026-04-05 23:04:23 UTC\r\nShortcut File Written or Modified for Persistence\r\nedit\r\nIdentifies files written to or modified in the startup folder by commonly abused processes. Adversaries may use\r\nthis technique to maintain persistence.\r\nRule type: eql\r\nRule indices:\r\nwinlogbeat-*\r\nlogs-endpoint.events.*\r\nlogs-windows.*\r\nSeverity: medium\r\nRisk score: 47\r\nRuns every: 5 minutes\r\nSearches indices from: now-9m (Date Math format, see also Additional look-back time )\r\nMaximum alerts per execution: 100\r\nTags:\r\nElastic\r\nHost\r\nWindows\r\nThreat Detection\r\nPersistence\r\nVersion: 3 (version history)\r\nAdded (Elastic Stack release): 7.11.0\r\nLast modified (Elastic Stack release): 7.12.0\r\nRule authors: Elastic\r\nhttps://www.elastic.co/guide/en/security/7.17/shortcut-file-written-or-modified-for-persistence.html#shortcut-file-written-or-modified-for-persistence\r\nPage 1 of 2\n\nRule license: Elastic License v2\r\nfile where event.type != \"deletion\" and user.domain != \"NT\r\nAUTHORITY\" and file.path :\r\n(\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start\r\nMenu\\\\Programs\\\\Startup\\\\*\",\r\n\"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start\r\nMenu\\\\Programs\\\\StartUp\\\\*\") and process.name : (\"cmd.exe\",\r\n\"powershell.exe\", \"wmic.exe\",\r\n\"mshta.exe\", \"pwsh.exe\",\r\n\"cscript.exe\", \"wscript.exe\",\r\n\"regsvr32.exe\", \"RegAsm.exe\",\r\n\"rundll32.exe\", \"EQNEDT32.EXE\",\r\n\"WINWORD.EXE\", \"EXCEL.EXE\",\r\n\"POWERPNT.EXE\", \"MSPUB.EXE\",\r\n\"MSACCESS.EXE\", \"iexplore.exe\",\r\n\"InstallUtil.exe\")\r\nFramework: MITRE ATT\u0026CKTM\r\nTactic:\r\nName: Persistence\r\nID: TA0003\r\nReference URL: https://attack.mitre.org/tactics/TA0003/\r\nTechnique:\r\nName: Boot or Logon Autostart Execution\r\nID: T1547\r\nReference URL: https://attack.mitre.org/techniques/T1547/\r\nVersion 3 (7.12.0 release)\r\nFormatting only\r\nVersion 2 (7.11.2 release)\r\nFormatting only\r\nSource: https://www.elastic.co/guide/en/security/7.17/shortcut-file-written-or-modified-for-persistence.html#shortcut-file-written-or-modified-f\r\nor-persistence\r\nhttps://www.elastic.co/guide/en/security/7.17/shortcut-file-written-or-modified-for-persistence.html#shortcut-file-written-or-modified-for-persistence\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.elastic.co/guide/en/security/7.17/shortcut-file-written-or-modified-for-persistence.html#shortcut-file-written-or-modified-for-persistence"
	],
	"report_names": [
		"shortcut-file-written-or-modified-for-persistence.html#shortcut-file-written-or-modified-for-persistence"
	],
	"threat_actors": [],
	"ts_created_at": 1775434895,
	"ts_updated_at": 1775791284,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/548be8d958f352c013e87ba8c4b74ae63625fcd6.pdf",
		"text": "https://archive.orkl.eu/548be8d958f352c013e87ba8c4b74ae63625fcd6.txt",
		"img": "https://archive.orkl.eu/548be8d958f352c013e87ba8c4b74ae63625fcd6.jpg"
	}
}