T1547.009 Shortcut Modification in MITRE ATT&CK Explained
March 27, 2026
What Is T1547.009 Shortcut Modification in MITRE ATT&CK?
T1547.009 Shortcut Modification is a technique in the MITRE ATT&CK framework under the Persistence tactic. It involves the modification of shortcuts (typically .lnk files) in Windows to achieve persistence by ensuring that malicious programs or scripts are executed whenever the user interacts with the shortcut.
Shortcuts are commonly used to launch applications, but adversaries can alter them to point to malicious payloads, causing the target system to execute the malicious code whenever the shortcut is accessed. This method allows attackers to maintain access without altering the target program directly.
To read about other sub-techniques of the T1547 Boot or Logon Autostart Execution technique, you can visit the related hub blog.
Adversary Use of T1547.009 Shortcut Modification
Shortcut Modification achieves persistent execution by manipulating Windows Shell Link (.LNK) files and symbolic links that define program execution paths. The attack abuses the operating system's automatic processing of shortcuts during boot sequences and user logon events.
To initiate the attack, an adversary must first achieve filesystem write access to strategic directories. The primary persistence mechanism targets the Windows Startup folder, located at:
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
The Windows Explorer shell automatically enumerates and executes all items within these directories during the user logon process via the userinit.exe initialization chain.
The .LNK file format, defined by the Microsoft Shell Link Binary File Format specification, contains structured data fields including the LinkTargetIDList and StringData structures. Adversaries manipulate the target path field to reference malicious executables while preserving legitimate icon resources and display names to evade visual inspection.
Procedure Examples Used by Adversaries in Red Report 2026
One example comes from a June 2025 report documenting XDSpy operations, in which shortcut modification was implemented through sophisticated exploitation of Windows LNK file parsing mechanisms combined with multiple obfuscation layers.
The attack chain leveraged malicious .LNK files distributed within ZIP archives (named dokazatelstva[.]zip or proyekt[.]zip). These shortcuts exploited two critical Windows parsing vulnerabilities:
ZDI-CAN-25373 Exploitation
The LNK files padded command-line arguments with whitespace characters to exploit UI display limitations:
Target text box capacity: 259 characters maximum
By inserting sufficient whitespace (259 minus executable path length, minimum 78 characters) before actual command arguments, the malicious commands were rendered invisible in Windows Explorer properties UI while remaining executable.
LNK Parsing Confusion (CWE-130)
XDSpy exploited discrepancies between the MS-SHLLINK specification and the Windows implementation. The specification allows StringData fields of up to 65,535 characters (a 2-byte CountCharacters field), but the Windows implementation limits most strings to 259 characters. The LNK files were crafted with:
NAME_STRING: >259 characters, embedding valid command arguments at offset 260
Windows parsed arguments from character offset 260 in NAME_STRING, while specification-compliant parsers read the legitimate COMMAND_LINE_ARGUMENTS field, creating divergent execution paths.
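As an added, defender-side example (not code from this article or from the Red Report), the following Python reads the StringData section of a .LNK file according to MS-SHLLINK and flags the two anomalies described above: a StringData field longer than 259 characters (the parsing-confusion pattern, reporting what a parser reading from character 260 would see) and a COMMAND_LINE_ARGUMENTS value that begins with a long run of whitespace (the padding pattern). It also scans a folder of shortcuts, defaulting to the Startup folder named earlier. The 259-character limit and the 78-character minimum padding come from the article; the build_lnk fixture, the scan_shortcuts helper and the finding wording are assumptions made for illustration.

```python
import os
import struct
from pathlib import Path

# Constants from MS-SHLLINK (ShellLinkHeader and LinkFlags).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "NAME_STRING"), (HAS_RELPATH, "RELATIVE_PATH"),
                 (HAS_WORKDIR, "WORKING_DIR"), (HAS_ARGS, "COMMAND_LINE_ARGUMENTS"),
                 (HAS_ICON, "ICON_LOCATION")]
UI_LIMIT = 259      # Explorer target box / string field limit cited in the article
PAD_THRESHOLD = 78  # minimum whitespace padding cited in the article
WHITESPACE = " \t\r\n\x0b\x0c"


def parse_string_data(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link as {field_name: text}.

    The header, LinkTargetIDList and LinkInfo are skipped over (not resolved);
    each StringData string is decoded according to the IsUnicode flag.
    """
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.LNK) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_IDLIST:                       # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                     # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, up to 65,535
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
    return fields


def assess(fields: dict) -> list:
    """Flag the two anomalies described in the article; returns human-readable findings."""
    findings = []
    for name, value in fields.items():
        if len(value) > UI_LIMIT:
            hidden = value[UI_LIMIT:][:40]       # what a parser reading from character 260 sees
            findings.append(f"{name} is {len(value)} chars (> {UI_LIMIT}); "
                            f"content from offset 260: {hidden!r}")
    args = fields.get("COMMAND_LINE_ARGUMENTS", "")
    padding = len(args) - len(args.lstrip(WHITESPACE))
    if padding >= PAD_THRESHOLD and args.strip(WHITESPACE):
        findings.append(f"COMMAND_LINE_ARGUMENTS begins with {padding} whitespace chars "
                        f"before {args.strip(WHITESPACE)[:40]!r}")
    return findings


def scan_shortcuts(folder) -> dict:
    """Triage every .lnk in a folder; returns {file name: findings}."""
    results = {}
    for path in Path(folder).glob("*.lnk"):
        try:
            results[path.name] = assess(parse_string_data(path.read_bytes()))
        except (ValueError, struct.error) as exc:
            results[path.name] = [f"unparseable: {exc}"]
    return results


def build_lnk(name: str, args: str, rel_path: str = "notepad.exe") -> bytes:
    """Constructed test fixture: a minimal Unicode .LNK with a dummy IDList (not a real shortcut)."""
    flags = HAS_IDLIST | HAS_NAME | HAS_RELPATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    idlist = struct.pack("<HH", 6, 4) + b"\x00\x00" + b"\x00\x00"  # one 4-byte item + TerminalID

    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + idlist + string_data(name) + string_data(rel_path) + string_data(args)


if __name__ == "__main__":
    startup = os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup")
    for lnk, findings in scan_shortcuts(startup).items():
        print(lnk, findings or ["no anomalies"])
```

The parser deliberately skips LinkTargetIDList and LinkInfo rather than resolving the actual target, so it reports string-field anomalies only; pair it with a full LNK parser (or the resolved target path) when triaging a Startup folder, since a clean StringData section says nothing about where the IDList points.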
Execution Chain
The LNK file executed a complex Windows shell one-liner that:
for /R "%USERPROFILE%" %f in (proyekt.zip) do (
This ensured automatic execution upon user login, maintaining the DLL sideloading chain and deploying the XDigo implant for persistent data exfiltration operations.