This persistence technique creates a LNK file and places it in the user's startup folder. In this module, you will provide a LNK file name and system command to execute.

Non-admin privileges

• -c - command to execute
• -a - arguments to command to execute (if applicable)
• -f - the file to create/delete
• -m - method (add, remove, check, list)

• LNK file will be created in the startup folder as the current user being ran as, which is in "%AppData%\Microsoft\Windows\Start Menu\Programs\Startup".
• The icon for the LNK file will be the Internet Explorer icon
• LNK file is set to run minimized
• Modifies creation, modified, and last access time of lnk file to between 60 and 90 days before date of creation to prevent from being caught by recent file updated/added checks

• LNK file is removed from current user's startup folder

SharPersist -t startupfolder -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -f "Some File" -m add

SharPersist -t startupfolder -f "Some File" -m remove

SharPersist -t startupfolder -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -f "Some File" -m check

SharPersist -t startupfolder -m list

• https://attack.mitre.org/techniques/T1060/