MITRE ATT&CK® Analytic

AN0510: Analytic 0510

Detection correlates file creation or modification of `.lnk` (shortcut) files in autostart locations with anomalous parent-child process lineage or unsigned binaries. Defenders should watch for LNK creation/modification events outside of known software installations, patch events, or OS updates. Flag shortcut targets pointing to suspicious locations or unknown binaries, particularly those written by script interpreters or spawned from phishing delivery chains.

Domain: Enterprise. Object: AN0510 (Analytic), object version 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because a malicious or unauthorized Windows shortcut file in an autostart location turns a single user action or software change into recurring execution at every logon or reboot. For leaders, the question is whether the organization can distinguish normal software installation and update activity from suspicious persistence involving .lnk files, especially when scripts or unusual parent processes create shortcuts that point to unknown or suspicious binaries.

Executive priority

Prioritize this as a Windows endpoint resilience and SOC readiness question: do teams collect enough endpoint evidence to prove that autostart shortcut changes are expected, signed, and tied to approved software activity? This supports incident response scoping, audit evidence for endpoint control monitoring, and budget decisions around endpoint telemetry quality rather than relying only on alert volume.

Technical view

Validate monitoring for Windows .lnk file creation or modification in autostart locations. Triage should correlate the file event with parent-child process lineage, signer status of involved binaries, and whether the activity aligns with known software installations, patching, or OS updates. Higher-priority cases include shortcut targets pointing to suspicious locations or unknown binaries, and .lnk files written by script interpreters or processes associated with phishing delivery chains. No ATT&CK tactic or relationship context was supplied, so local mapping to persistence or execution use cases should be handled by the detection team, not assumed from this object alone.

Likely telemetry

  • Windows endpoint file creation and modification events for .lnk files
  • File path context for autostart locations (at minimum the per-user and all-users Start Menu Startup folders)
  • Process creation telemetry with parent-child lineage
  • Binary signing or trust metadata
  • Shortcut target path and target binary metadata
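The shortcut target and argument telemetry listed above has to come from the .lnk file itself when the endpoint agent records only the path that was written. What follows is an added example, not tooling from MITRE or Glexia: a minimal reader for the MS-SHLLINK layout that returns the LocalBasePath, working directory and arguments of a shortcut, plus a build_lnk helper that constructs a sample shortcut in memory so the parser can be exercised offline. The structure offsets and flag bits follow the MS-SHLLINK specification; the constant names, the helper functions and the target, working-directory and argument values in the sample are this example's own.

```python
"""Read the target of a Windows .lnk file (MS-SHLLINK layout).

Added example for this page; not MITRE or Glexia tooling. build_lnk()
constructs a sample shortcut in memory (made-up values) so that
parse_lnk() can be exercised offline.
"""
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1); names are this example's own.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
# StringData fields appear in this fixed order when their flag is set.
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))


def _cstr(buf: bytes, off: int) -> str:
    """NULL-terminated ANSI string at buf[off:]."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data: bytes) -> dict:
    """Return flags, LinkInfo paths, StringData fields and the resolved target."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    out, pos = {"flags": flags}, HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        # IDListSize (2 bytes) then the shell item list; skipped wholesale here.
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li = pos
        (li_size, _hdr_size, li_flags, _vol_off, base_off,
         _cnrl_off, suffix_off) = struct.unpack_from("<7I", data, li)
        if li_flags & 0x1:                       # VolumeIDAndLocalBasePath
            out["local_base_path"] = _cstr(data, li + base_off)
        out["common_path_suffix"] = _cstr(data, li + suffix_off)
        pos += li_size
    for key, bit in STRING_FIELDS:
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + n * width]
            out[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += n * width
    # The target is LocalBasePath followed by CommonPathSuffix.
    out["target"] = out.get("local_base_path", "") + out.get("common_path_suffix", "")
    return out


def effective_command(info: dict) -> str:
    """What the shortcut actually runs: target plus any arguments."""
    return (info["target"] + " " + info.get("arguments", "")).strip()


def build_lnk(target: str, arguments: str = "", working_dir: str = "") -> bytes:
    """Constructed minimal shortcut: header, dummy IDList, LinkInfo, StringData."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO | IS_UNICODE
    flags |= HAS_ARGUMENTS if arguments else 0
    flags |= HAS_WORKING_DIR if working_dir else 0
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    items = struct.pack("<H", 4) + b"\x1f\x00" + b"\x00\x00"   # one ItemID + TerminalID
    id_list = struct.pack("<H", len(items)) + items
    volume_id = struct.pack("<IIII", 0x11, 3, 0x1234ABCD, 0x10) + b"\x00"
    base, suffix = target.encode("latin-1") + b"\x00", b"\x00"
    vol_off = 0x1C                                # LinkInfoHeaderSize without Unicode offsets
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<7I", suffix_off + len(suffix), 0x1C, 0x1,
                            vol_off, base_off, 0, suffix_off) + volume_id + base + suffix

    def sd(s: str) -> bytes:                      # CountCharacters + UTF-16LE chars
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    strings = (sd(working_dir) if working_dir else b"") + (sd(arguments) if arguments else b"")
    return header + id_list + link_info + strings + struct.pack("<I", 0)  # TerminalBlock


if __name__ == "__main__":
    # Made-up sample: a shortcut to a signed interpreter hiding the payload in its arguments.
    sample = build_lnk(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       arguments=r"-w hidden -ep bypass -f C:\Users\Public\x.ps1",
                       working_dir=r"C:\Users\Public")
    print(effective_command(parse_lnk(sample)))
```

Two caveats a practitioner should keep in mind: a shortcut may carry no LinkInfo at all and identify its target only through the LinkTargetIDList, or through an EnvironmentVariableDataBlock in ExtraData, in which case parse_lnk returns an empty target and the shell item list would have to be decoded; and the arguments field is where a shortcut to a legitimate signed interpreter hides the actual payload, so it belongs in the telemetry next to the target path.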

Detection direction

  • Confirm that endpoint telemetry records .lnk creation and modification, not only process execution.
  • Tune known-good activity from approved installers, patch events, and operating system updates to reduce false positives.
  • Review parent processes that are script interpreters or otherwise unusual for creating autostart shortcuts.
  • Inspect shortcut targets for unknown binaries or suspicious locations.
  • Correlate file events with process lineage before escalating, because legitimate installers can create shortcuts in autostart locations.
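The correlation the analytic describes, from the technical view through the detection direction above, as an added example rather than detection content from MITRE or Glexia. The records are constructed in a Sysmon-like shape (a ProcessCreate record carrying the parent image and a signer flag, a FileCreate record carrying the written path and the shortcut's target) so the logic runs offline; the interpreter, phishing-parent and installer lists, the suspicious-location pattern and the severity rule are this example's own assumptions and stand in for the local baselines the page says are required. The example also handles the failure mode in which the file event has no matching process record, so the writer's signer status is unknown.

```python
"""Correlate .lnk writes in Windows Startup folders with process lineage.

Added example for this page; not MITRE or Glexia code. Events are
constructed in a Sysmon-like shape so the logic runs offline.
"""
import re
from dataclasses import dataclass, field

# Per-user and all-users Startup folders: the autostart locations in which
# a dropped .lnk is executed at every logon.
AUTOSTART_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$",
    re.IGNORECASE)
# Assumed lists; a real deployment draws these from local baselines.
SCRIPT_INTERPRETERS = {"powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "cmd.exe"}
PHISHING_PARENTS = {"winword.exe", "excel.exe", "outlook.exe",
                    "msedge.exe", "chrome.exe"}
KNOWN_INSTALLERS = {"msiexec.exe"}
SUSPICIOUS_TARGET_RE = re.compile(
    r"\\(Users\\Public|AppData\\Local\\Temp|Downloads)\\", re.IGNORECASE)


@dataclass
class Finding:
    lnk_path: str
    writer: str
    parent: str
    target: str
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        return "high" if len(self.reasons) >= 2 else "medium"


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events):
    """Join FileCreate events on Startup .lnk paths to ProcessCreate lineage.

    Returns one Finding per suspicious shortcut write; writes by a signed
    known installer are suppressed as expected software activity.
    """
    procs = {e["process_guid"]: e for e in events if e["event"] == "ProcessCreate"}
    findings = []
    for e in events:
        if e["event"] != "FileCreate" or not AUTOSTART_RE.search(e["target_filename"]):
            continue
        proc = procs.get(e["process_guid"], {})
        writer = _basename(proc.get("image") or e.get("image", ""))
        parent = _basename(proc.get("parent_image", ""))
        signed = proc.get("signed")          # None when lineage is missing
        target = e.get("lnk_target", "")
        if writer in KNOWN_INSTALLERS and signed is True:
            continue
        f = Finding(e["target_filename"], writer, parent, target)
        if writer in SCRIPT_INTERPRETERS:
            f.reasons.append(f"written by script interpreter {writer}")
        if parent in PHISHING_PARENTS:
            f.reasons.append(f"writer spawned by {parent} (phishing delivery chain)")
        if signed is not True:
            f.reasons.append("writer unsigned or signer status unknown")
        if SUSPICIOUS_TARGET_RE.search(target):
            f.reasons.append(f"target in suspicious location: {target}")
        if f.reasons:
            findings.append(f)
    return findings


STARTUP_USER = r"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
STARTUP_ALL = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"event": "ProcessCreate", "process_guid": "p1", "signed": True,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"event": "FileCreate", "process_guid": "p1",
     "target_filename": r"C:\Users\alice" + STARTUP_USER + r"\update.lnk",
     "lnk_target": r"C:\Users\Public\svchost32.exe"},
    {"event": "ProcessCreate", "process_guid": "p2", "signed": True,
     "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"event": "FileCreate", "process_guid": "p2",
     "target_filename": STARTUP_ALL + r"\Vendor Agent.lnk",
     "lnk_target": r"C:\Program Files\Vendor\agent.exe"},
    {"event": "ProcessCreate", "process_guid": "p3", "signed": False,
     "image": r"C:\Users\bob\AppData\Local\Temp\setup_helper.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"event": "FileCreate", "process_guid": "p3",
     "target_filename": r"C:\Users\bob" + STARTUP_USER + r"\helper.lnk",
     "lnk_target": r"C:\Users\bob\AppData\Local\Temp\setup_helper.exe"},
    {"event": "FileCreate", "process_guid": "p4",   # no ProcessCreate for p4
     "image": r"C:\Users\carol\Downloads\invoice.exe",
     "target_filename": r"C:\Users\carol" + STARTUP_USER + r"\sync.lnk",
     "lnk_target": r"C:\Users\carol\Downloads\invoice.exe"},
    {"event": "FileCreate", "process_guid": "p1",   # not an autostart location
     "target_filename": r"C:\Users\alice\Desktop\notes.lnk",
     "lnk_target": r"C:\Windows\notepad.exe"},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f.severity, f.lnk_path, f.writer, "<-", f.parent, f.reasons)
```

The suppression rule is deliberately narrow: only a signed binary from the installer list is treated as expected, so a user dragging a shortcut into Startup from Explorer produces no finding unless the target lands in a suspicious location, and a signed interpreter such as powershell.exe is still scored because the interpreter, not its signature, is the signal. Tuning for patch windows and approved installers, as the detection direction describes, would extend the installer list and add a time condition rather than loosen the other checks.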

Mitigation priorities

  • Maintain controlled software installation and patch processes so legitimate shortcut changes are explainable.
  • Ensure endpoint logging covers Windows autostart shortcut locations and relevant process lineage.
  • Use application trust, signing review, and approved software baselines to help separate known software from unknown binaries.
  • Feed confirmed suspicious cases into incident response playbooks for host scoping and persistence review.
  • Periodically test whether SOC workflows can investigate .lnk autostart changes end to end using collected telemetry.

Analyst notes and limits

The supplied object is a detection analytic for Windows and describes correlation logic rather than a full ATT&CK technique entry. Its value is strongest when paired with local knowledge of approved software deployment, update windows, endpoint visibility, and email/phishing investigation context.

No official detection block, tactics, aliases, labels, mitigations, relationships, or procedure examples were supplied. This take therefore avoids claims about adversary attribution, active exploitation, business impact, or guaranteed detection coverage. Local environment baselines are required to determine what is anomalous.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 9beff9299285f829...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 9beff9299285…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0510 (source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.