diff --git a/nursery/create-shortcut-via-ishelllink.yml b/persistence/create-shortcut-via-ishelllink.yml
similarity index 76%
rename from nursery/create-shortcut-via-ishelllink.yml
rename to persistence/create-shortcut-via-ishelllink.yml
index 9589f2941..94c2cbdad 100644
--- a/nursery/create-shortcut-via-ishelllink.yml
+++ b/persistence/create-shortcut-via-ishelllink.yml
@@ -1,12 +1,16 @@
 rule:
 meta:
 name: create shortcut via IShellLink
- namespace: host-interaction/file-system/write
+ namespace: persistence
 authors:
 - matthew.williams@mandiant.com
 scope: function
+ att&ck:
+ - Persistence::Boot or Logon Autostart Execution::Shortcut Modification [T1547.009]
 references:
 - https://docs.microsoft.com/en-us/windows/win32/shell/links#creating-a-shortcut-and-a-folder-shortcut-to-a-file
+ examples:
+ - 7f403f7d643d90c7cbadf3ccfc68bd1badf06f89a35af5fc7811920e820bbcc9:0x10001380
 features:
 - and:
 - bytes: 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46 = CLSID_ShellLink
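Review bot: The move to the `persistence` namespace and the new T1547.009 tag assert an intent that the visible feature does not establish: the only feature in view is the CLSID_ShellLink byte pattern (the little-endian encoding of {00021401-0000-0000-C000-000000000046}), which any program that creates or reads a .lnk embeds, legitimate installers included, so a hit as seen here means "uses the shell link COM object", not that the shortcut lands in a Startup folder or other autostart location. The `and:` block runs past the end of the hunk, so further constraints may exist; if they do not, consider keeping the rule under a host-interaction namespace, or at least adding a meta `description:` so analysts read the match correctly, e.g. `description: matches the embedded CLSID_ShellLink; shortcut creation alone is not persistence unless the .lnk is written to an autostart location`. Since this commit also graduates the rule out of nursery, this is the point at which its precision is being vouched for, so the caveat belongs in the rule itself.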