Suspicious LNK Command-Line Padding with Whitespace Characters

Detects exploitation of the LNK command-line length discrepancy: the Windows Explorer Properties dialog shows at most 260 characters of a shortcut's target, while the LNK file's command-line arguments field can hold up to 4096 characters. Adversaries pad the start of the arguments with whitespace characters (Space 0x20 and the control characters 0x09 to 0x0D, such as Line Feed \x0A and Carriage Return \x0D) so that the malicious command is pushed past the visible boundary. The hidden payload runs when the shortcut is opened but is invisible in the Properties dialog, which makes the technique well suited to social-engineering lures. This rule flags the padding patterns observed in real-world attacks.

Sigma rule (View on GitHub)

title: Suspicious LNK Command-Line Padding with Whitespace Characters
id: dd8756e7-a3a0-4768-b47e-8f545d1a751c
status: experimental
description: |
    Detects exploitation of the LNK command-line length discrepancy: the Windows Explorer Properties dialog shows at most 260 characters of a shortcut's target, while the LNK file's command-line arguments field can hold up to 4096 characters.
    Adversaries pad the start of the arguments with whitespace characters (Space 0x20 and the control characters 0x09 to 0x0D, such as Line Feed \x0A and Carriage Return \x0D) so that the malicious command is pushed past the visible boundary.
    The hidden payload runs when the shortcut is opened but is invisible in the Properties dialog, which makes the technique well suited to social-engineering lures.
    This rule flags the padding patterns observed in real-world attacks.
references:
    - https://syedhasan010.medium.com/forensics-analysis-of-an-lnk-file-da68a98b8415
    - https://thehackernews.com/2025/03/unpatched-windows-zero-day-flaw.html
    - https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-03-19
tags:
    - attack.initial-access
    - attack.execution
    - attack.t1204.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:  # list of maps = OR: spawned by Explorer, or the parent command line names a .lnk
        - ParentImage|endswith: '\explorer.exe'
        - ParentCommandLine|contains: '.lnk'
    selection_cmd:  # list of maps = OR: a padding character in the command line, or a run of newlines
        - CommandLine|contains:
              - '                 '  # Padding of SPACE (0x20)
            # - '	'  # Horizontal Tab (0x09) as a literal character
              - '\u0009'  # Horizontal Tab
              - '\u000A'  # Line Feed
              - '\u0011'  # DC1 (0x11): not a whitespace character, retained from the published rule
              - '\u0012'  # DC2 (0x12): see above
              - '\u0013'  # DC3 (0x13): see above
              - '\u000B'  # Vertical Tab
              - '\u000C'  # Form Feed
              - '\u000D'  # Carriage Return
        - CommandLine|re: '\n\n\n\n\n\n'  # In some cases \u000[ABCD] are represented as a newline in the event log
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
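To make the rule's logic concrete, the following Python is an added example (not part of the Sigma rule or the SigmaHQ project): it re-implements the two selections and the `all of selection_*` condition with Sigma's default case-insensitive `contains`/`endswith` semantics, and runs them over four constructed process_creation events. The length of the SPACE token (17 here), the event field names, the sample command lines and the `pad_arguments` helper are assumptions; copy the literal space run from the rule when porting.

```python
import re

# Padding tokens mirroring the rule's selection_cmd (CommandLine|contains).
# The space-run length is assumed to be 17; copy the literal from the rule
# when porting. 0x11-0x13 are carried over as published although they are
# not whitespace characters.
PADDING_TOKENS = [
    " " * 17,
    "\u0009", "\u000a", "\u0011", "\u0012", "\u0013",
    "\u000b", "\u000c", "\u000d",
]
# The rule's CommandLine|re alternative: some pipelines render 0x0A-0x0D as '\n'.
NEWLINE_RUN = re.compile(r"\n\n\n\n\n\n")

# Explorer's Properties dialog shows at most this many characters of the target.
EXPLORER_VISIBLE_LIMIT = 260


def pad_arguments(payload, pad_char="\u000b", pad_length=300):
    """Build an argument string the way the lure does (hypothetical helper):
    whitespace first, payload after the window Explorer displays."""
    return pad_char * pad_length + payload


def selection_img(event):
    """ParentImage endswith '\\explorer.exe' OR ParentCommandLine contains '.lnk'."""
    parent_image = event.get("ParentImage", "").lower()
    parent_cmd = event.get("ParentCommandLine", "").lower()
    return parent_image.endswith("\\explorer.exe") or ".lnk" in parent_cmd


def selection_cmd(event):
    """Any padding token in CommandLine OR a run of six newlines."""
    cmd = event.get("CommandLine", "").lower()
    if any(tok in cmd for tok in PADDING_TOKENS):
        return True
    return NEWLINE_RUN.search(cmd) is not None


def matches(event):
    """condition: all of selection_*"""
    return selection_img(event) and selection_cmd(event)


def run_rule(events):
    """Return the positions of the events the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches(ev)]


# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: padded LNK lure opened from Explorer; the payload sits behind 300 VTs.
    {
        "ParentImage": "C:\\Windows\\explorer.exe",
        "ParentCommandLine": "C:\\Windows\\Explorer.EXE",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c " + pad_arguments("powershell -nop -w hidden -c <payload>"),
    },
    # 1: same lure, but the collector rewrote the control characters as newlines.
    {
        "ParentImage": "C:\\Windows\\explorer.exe",
        "ParentCommandLine": "C:\\Windows\\Explorer.EXE",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c " + pad_arguments("powershell -nop -w hidden -c <payload>", pad_char="\n"),
    },
    # 2: ordinary shortcut double-clicked from Explorer, nothing padded.
    {
        "ParentImage": "C:\\Windows\\explorer.exe",
        "ParentCommandLine": "C:\\Windows\\Explorer.EXE",
        "Image": "C:\\Program Files\\Notepad++\\notepad++.exe",
        "CommandLine": '"C:\\Program Files\\Notepad++\\notepad++.exe" "C:\\Users\\alice\\notes.txt"',
    },
    # 3: long space run, but launched by a service, so selection_img fails.
    {
        "ParentImage": "C:\\Windows\\System32\\services.exe",
        "ParentCommandLine": "C:\\Windows\\System32\\services.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c " + " " * 40 + "echo build done",
    },
]

if __name__ == "__main__":
    print("alerting events:", run_rule(SAMPLE_EVENTS))  # [0, 1]
    visible = pad_arguments("calc.exe")[:EXPLORER_VISIBLE_LIMIT]
    print("Explorer would show:", repr(visible.strip()))  # ''
```

Two practical points fall out of running it. Event 1 only fires because the rule carries the newline regex (and the `\u000A` token) alongside the raw control characters: whether your agent preserves 0x0B/0x0C/0x0D or rewrites them as `\n` decides which half of `selection_cmd` does the work, so check a real padded sample from your own pipeline before relying on either. Event 3 shows that the SPACE-run token alone is not enough to alert; the parent-process gate is what keeps wrappers that pad their own command lines out of the results, and the `falsepositives: Unknown` entry is an invitation to measure that gate against your fleet before deploying at `level: high`.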
