MITRE ATT&CK® Detection Strategy

DET0180: Detection Strategy for T1547.009 – Shortcut Modification (Windows)

Enterprise | DET0180 | Detection Strategy | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0180 is a MITRE detection strategy tied to Windows Shortcut Modification, a persistence and privilege-escalation behavior where shortcuts can be created or changed so programs run at boot, login, or when a shortcut is executed. For leaders, the value is not the shortcut itself; it is whether the organization can prove it would notice unexpected changes to startup-related shortcuts before they become durable footholds.

Executive priority

Prioritize this as an endpoint resilience and incident-readiness question: do SOC and IR teams have evidence showing who changed startup shortcuts, what those shortcuts launch, and whether execution followed at login or boot? Because the official detection-strategy object has no detailed detection text, leadership should treat coverage as something to validate locally rather than assume from ATT&CK mapping alone.

Technical view

This detection strategy detects T1547.009 Shortcut Modification in the enterprise ATT&CK domain. The related technique is Windows-focused and mapped to persistence and privilege escalation. Detection engineering should validate monitoring for shortcut creation or modification in startup-relevant locations, changes to shortcut targets, and subsequent execution around user login or system startup. IR teams should preserve shortcut files, target paths, timestamps, owning user context, and process execution evidence to determine whether the shortcut was benign administration, normal software behavior, or suspicious persistence.

Likely telemetry

  • Windows file creation and modification events for shortcut files, especially in startup-related locations
  • Shortcut file metadata, including target path, arguments, timestamps, and owning user context
  • Endpoint process execution telemetry showing programs launched during user login or system startup
  • EDR or host audit records linking shortcut changes to the process and account that made them
  • File integrity or configuration monitoring evidence for startup folders where available

Detection direction

  • Confirm that detection logic is scoped to Windows environments because the related ATT&CK technique platform is Windows.
  • Baseline expected shortcut changes from software installation, updates, user customization, and administrative activity to reduce false positives.
  • Correlate shortcut modification with later execution at boot, login, or shortcut launch rather than alerting only on file writes.
  • Review blind spots where endpoint logging captures process execution but not file-content changes or shortcut target details.
  • Use the relationship to T1547.009 to ensure alerts are triaged as possible persistence or privilege-escalation activity, not merely generic file modification.
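As an added illustration of the correlation step above (example code, not Glexia's or MITRE's), the script below joins Startup-folder shortcut writes to the later launch of the shortcut's target and ranks the result by whether the writer is a baselined installer. It assumes Sysmon-style FileCreate (EventID 11) and ProcessCreate (EventID 1) records, plus a ShortcutTarget field supplied by an assumed enrichment step that resolves the .lnk target, since stock file-create events do not carry it.

```python
from datetime import datetime, timedelta

# Startup-folder path fragment (per-user and all-users Startup folders both contain it).
STARTUP_DIR = "\\start menu\\programs\\startup\\"
# Writers whose shortcut changes are expected in this environment; baseline locally.
BASELINE_WRITERS = {"msiexec.exe", "setup.exe", "explorer.exe"}

def is_startup_shortcut(path):
    p = path.lower()
    return p.endswith(".lnk") and STARTUP_DIR in p

def correlate(events, window_hours=24):
    """events: Sysmon-style dicts sorted by UtcTime. Returns one alert per Startup
    shortcut write (ID 11) followed within window_hours by a ProcessCreate (ID 1)
    whose Image equals the shortcut's recorded target. ShortcutTarget is an assumed
    enrichment field; stock FileCreate events do not carry the .lnk target."""
    window = timedelta(hours=window_hours)
    pending, alerts = [], []
    for ev in events:
        t = datetime.fromisoformat(ev["UtcTime"])
        if ev["EventID"] == 11 and is_startup_shortcut(ev["TargetFilename"]):
            pending.append({"written": t, "lnk": ev["TargetFilename"], "user": ev["User"],
                            "writer": ev["Image"].rsplit("\\", 1)[-1].lower(),
                            "target": ev["ShortcutTarget"].lower()})
        elif ev["EventID"] == 1:
            image = ev["Image"].lower()
            for p in pending:
                if image == p["target"] and timedelta(0) <= t - p["written"] <= window:
                    # Expected installers rank low; anything else is treated as possible persistence.
                    alerts.append({"severity": "low" if p["writer"] in BASELINE_WRITERS else "high",
                                   "lnk": p["lnk"], "writer": p["writer"], "user": p["user"],
                                   "executed": ev["Image"], "parent": ev["ParentImage"],
                                   "delay_s": int((t - p["written"]).total_seconds())})
    return alerts

# Constructed sample events (not real telemetry): a vendor install and a user-context write.
STARTUP = "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2026-01-12T09:00:05", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\msiexec.exe", "TargetFilename": STARTUP + "Vendor Agent.lnk",
     "ShortcutTarget": "C:\\Program Files\\Vendor\\agent.exe"},
    {"EventID": 11, "UtcTime": "2026-01-12T14:31:40", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": STARTUP + "update.lnk", "ShortcutTarget": "C:\\Users\\jdoe\\AppData\\Roaming\\updater.exe"},
    {"EventID": 1, "UtcTime": "2026-01-13T08:02:11", "User": "CORP\\jdoe",
     "Image": "C:\\Program Files\\Vendor\\agent.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "UtcTime": "2026-01-13T08:02:12", "User": "CORP\\jdoe",
     "Image": "C:\\Users\\jdoe\\AppData\\Roaming\\updater.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
]
```

Running `correlate(SAMPLE_EVENTS)` yields two alerts: the msiexec-written shortcut ranks low and the powershell-written one ranks high, both with the logon-time launch recorded alongside the write.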

Mitigation priorities

  • Inventory and monitor startup-related shortcut locations on Windows endpoints.
  • Restrict unnecessary user or process write access to startup locations where operationally feasible.
  • Require endpoint telemetry retention sufficient for IR teams to reconstruct shortcut creation, modification, and execution timelines.
  • Include shortcut-based persistence checks in incident response playbooks and endpoint hardening reviews.
  • Use detection validation or purple-team-style testing in a controlled environment to confirm that expected telemetry is collected and alert logic works.

Analyst notes and limits

The supplied MITRE object is a detection strategy record for DET0180 and has no official description or detection text. The practical guidance here is derived from the official relationship to T1547.009 Shortcut Modification and its supplied description, tactics, and Windows platform context.

This take cannot confirm specific analytic logic, data sources, alert thresholds, vendor coverage, prevalence, or active exploitation because those details are not provided in the supplied ATT&CK fields. Local endpoint architecture, logging policy, and startup-folder usage must be reviewed before making coverage claims.

Official MITRE ATT&CK definition

Detection Strategy for T1547.009 – Shortcut Modification (Windows)

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID | Name | Relationship / procedure
Enterprise | T1547.009 | Shortcut Modification (sub-technique) | This object detects Shortcut Modification.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: f212cf665e6774c5...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | f212cf665e67…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0180

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.