Merge pull request #2191 from securepeacock/patch-3

Create sysmon_powershell_startup_shortcuts.yml

rules/windows/file_event/sysmon_powershell_startup_shortcuts.yml

@@ -0,0 +1,25 @@
+title: PowerShell Writing Startup Shortcuts
+id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
+description: Attempts to detect PowerShell writing startup shortcuts. This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
+status: experimental
+references: 
+    - https://redcanary.com/blog/intelligence-insights-october-2021/
+    - https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
+tags:
+    - attack.registry_run_keys_/_startup_folder
+    - attack.t1547.001
+date: 2021/10/24
+author: Christopher Peacock '@securepeacock', SCYTHE
+level: high
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        Image|endswith: '\powershell.exe'
+        TargetFilename|contains: '\start menu\programs\startup\'
+        TargetFilename|endswith: '.lnk'
+    condition: selection
+falsepositives:
+    - Unknown
+    - Depending on your environment accepted applications may leverage this at times. It is recomended to search for anomolies inidicative of malware.