
Potential Startup Shortcut Persistence Via PowerShell.EXE

Sigma Rules

Summary
This detection rule monitors the use of PowerShell to create shortcut files (.lnk) in the Windows Startup directory, a known method threat actors use to establish persistence on compromised systems. As detailed in the Red Canary Intel Insights from October 2021, adversaries often use PowerShell scripts to write these malicious .lnk files, which trigger the execution of further commands when the user logs in. The rule is relevant for identifying similar persistence mechanisms across a range of threats; the Yellow Cockatoo attack scenario is the example here, where the Startup shortcut eventually leads to the installation of a malicious DLL. The rule inspects events in which PowerShell or one of its variants creates a shortcut in the Startup folder, so defenders can catch and respond to potentially malicious activity before significant harm occurs.
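The following is an added example of the matching logic the summary describes, written here for illustration and not taken from the Sigma rule's source. It evaluates constructed file-creation events and flags the ones where a PowerShell host writes a .lnk into a Startup folder. The event layout (Sysmon Event ID 11 style fields `EventID`, `Image`, `TargetFilename`), the list of PowerShell image names and all sample events are assumptions made for this example.

```python
"""Reference matcher for the detection described above, added as an example
here (not the Sigma rule's own source). It flags file-creation events where
a PowerShell host writes a .lnk file into a Windows Startup folder.
Assumptions: events are dicts carrying Sysmon Event ID 11 style fields
(EventID, Image, TargetFilename); the sample events below are constructed."""
from typing import Dict, Iterable, List

Event = Dict[str, object]

# Process images the summary calls "PowerShell or its variants" (assumed list).
POWERSHELL_IMAGES = ("\\powershell.exe", "\\powershell_ise.exe", "\\pwsh.exe")

# Both the per-user (...\AppData\Roaming\...) and all-users (C:\ProgramData\...)
# Startup folders contain this path fragment; it is compared case-insensitively.
STARTUP_DIR_FRAGMENT = "\\microsoft\\windows\\start menu\\programs\\startup\\"

FILE_CREATE_EVENT_ID = 11  # Sysmon "FileCreate"


def is_startup_shortcut_via_powershell(event: Event) -> bool:
    """True when a PowerShell process created a .lnk inside a Startup folder."""
    if event.get("EventID") != FILE_CREATE_EVENT_ID:
        return False
    image = str(event.get("Image", "")).lower()
    target = str(event.get("TargetFilename", "")).lower()
    return (
        image.endswith(POWERSHELL_IMAGES)
        and STARTUP_DIR_FRAGMENT in target
        and target.endswith(".lnk")
    )


def find_matches(events: Iterable[Event]) -> List[Event]:
    """Return the events that satisfy the detection, in input order."""
    return [e for e in events if is_startup_shortcut_via_powershell(e)]


def triage_summary(event: Event) -> str:
    """One line an analyst can pivot on: host, user, writing process, target."""
    return (f"host={event.get('Computer', '?')} user={event.get('User', '?')} "
            f"image={event.get('Image')} -> {event.get('TargetFilename')}")


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {   # hit: per-user Startup folder written by powershell.exe
        "EventID": 11, "Computer": "WS01", "User": "CORP\\alice",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows"
                          "\\Start Menu\\Programs\\Startup\\update.lnk",
    },
    {   # no hit: the user pinned a shortcut through Explorer
        "EventID": 11, "Computer": "WS01", "User": "CORP\\alice",
        "Image": "C:\\Windows\\explorer.exe",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows"
                          "\\Start Menu\\Programs\\Startup\\Outlook.lnk",
    },
    {   # no hit: PowerShell wrote a .lnk, but not into a Startup folder
        "EventID": 11, "Computer": "WS01", "User": "CORP\\alice",
        "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
        "TargetFilename": "C:\\Users\\alice\\Desktop\\notes.lnk",
    },
    {   # no hit: Startup folder and PowerShell, but not a shortcut file
        "EventID": 11, "Computer": "WS01", "User": "CORP\\alice",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows"
                          "\\Start Menu\\Programs\\Startup\\readme.txt",
    },
    {   # hit: all-users Startup folder, mixed-case image and extension
        "EventID": 11, "Computer": "SRV02", "User": "CORP\\svc-deploy",
        "Image": "C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\POWERSHELL.EXE",
        "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu"
                          "\\Programs\\StartUp\\Launcher.LNK",
    },
    {   # no hit: process-creation event, not a file write
        "EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -nop -c \"Get-Date\"",
    },
]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(triage_summary(hit))
```

Run as a script it prints one triage line per hit (two of the six constructed events). Matching on file-creation events rather than only on process command lines is what lets the rule catch shortcut creation regardless of how the PowerShell code was obfuscated or staged. Software installers and administrative scripts also write Startup shortcuts, so a hit is a lead rather than a verdict; the shortcut's target and the writing process's script block or command line are the usual next pivot.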
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • File
ATT&CK Techniques
  • T1547.001
Created: 2021-10-24