MITRE ATT&CK: Shortcut modification


Most people love shortcuts — they make things faster and easier. This common passion is behind a lot of the conveniences we experience on a daily basis. Shortcuts have impacted modern computers as well, with the Windows shortcut being an aspect that is widely used by many. Attackers also prefer the use of shortcuts and use them to help with persistence on a compromised machine through the use of an attack technique known as shortcut modification. This technique is one of the many listed in the MITRE ATT&CK Matrix. 

This article will detail this attack technique and will explore the MITRE ATT&CK matrix, shortcut modification, how shortcut modification works, mitigation, detection and some real-world examples of this attack technique.


MITRE is a not-for-profit corporation dedicated to solving problems for a safer world. Beginning as a systems engineering company in 1958, MITRE has added new technical and organization capabilities to its knowledge base — including cybersecurity.

To this end, MITRE released the MITRE ATT&CK list as a globally accessible knowledge base of adversary techniques and tactics based on real-world observations. This information can then be used as the basis for the foundation of the development of threat models and methodologies for cybersecurity product/service community, the private sector and government use. 

More information on the MITRE ATT&CK matrix can be found here.

What is shortcut modification?

Shortcuts, also known as symbolic links, are an aspect of operating systems that allow for the referencing of other files, applications or programs. When it is clicked or executing during system startup, what is referenced becomes opened (if a file) or executed (if an application or program). Attackers use this inherent aspect of systems during persistence by executing attack tools with it. The motivation for this attack technique is (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Greg Belding. Read the original post at: