Attachment: LNK file
Recursively scans files and archives to detect Windows shortcut (LNK) files, including LNK files nested inside common archive attachments.
LNK files can be weaponised to execute arbitrary commands, including unpacking and running executable content embedded within the file itself.
Sublime rule

```yaml
name: "Attachment: LNK file"
description: |
  Recursively scans files and archives to detect Windows shortcut (LNK) files.

  LNK files can be weaponised to execute arbitrary commands, including unpacking and running executable content embedded within the file itself.
references:
  - "https://forensicitguy.github.io/shortcut-to-emotet-ttp-change/"
  - "https://delivr.to/payloads?id=a9f91563-a31f-49f4-9e6c-c6a9fe8095c4"
  - "https://delivr.to/payloads?id=db034beb-1909-421f-85d0-98fdc37da5f3"
type: "rule"
authors:
  - twitter: "ajpc500"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          .file_extension =~ "lnk"
          or (
            .file_extension in~ $file_extensions_common_archives
            and any(file.explode(.), .file_extension =~ "lnk")
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "LNK"
detection_methods:
  - "Archive analysis"
  - "File analysis"
id: "44532abe-f65f-54e6-afe2-d4589e4253ae"
```
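The following is an added example, not Sublime's code or part of the original rule page. It re-implements the rule's two conditions (a top-level `.lnk` attachment, or a common-archive attachment whose exploded contents include a `.lnk`) in plain Python over constructed sample attachments, so the logic can be exercised offline. It also adds the check the rule itself does not make: an LNK file renamed to a benign extension, identified by the fixed MS-SHLLINK header (HeaderSize `0x4C` followed by the LinkCLSID `{00021401-0000-0000-C000-000000000046}`). `COMMON_ARCHIVES` is a hypothetical stand-in for Sublime's `$file_extensions_common_archives` list; only zip archives are actually exploded here, and the LNK samples are minimal headers, not real shortcut files.

```python
"""Added example (not Sublime's code): a stand-alone re-implementation of the
rule's logic over constructed sample attachments, plus a header check the rule
itself does not perform."""
import io
import zipfile

# MS-SHLLINK fixed header: HeaderSize 0x0000004C (little-endian) followed by
# the LinkCLSID {00021401-0000-0000-C000-000000000046} in its on-disk
# (mixed-endian) byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")

# Hypothetical stand-in for Sublime's $file_extensions_common_archives list;
# only zip is actually exploded in this example.
COMMON_ARCHIVES = {"zip", "7z", "rar", "tar", "gz"}


def file_extension(name: str) -> str:
    """Lower-cased extension without the dot ('' if none), mirroring =~ / in~."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_lnk_by_extension(name: str) -> bool:
    return file_extension(name) == "lnk"


def is_lnk_by_header(data: bytes) -> bool:
    """True if the bytes start with the fixed LNK header, whatever the name."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def explode(name: str, data: bytes, depth: int = 0, max_depth: int = 5):
    """Yield (name, bytes) for every file in a zip, recursing into nested zips.
    A depth cap keeps a zip bomb from recursing forever."""
    if depth >= max_depth or file_extension(name) != "zip":
        return
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = zf.read(info)
                yield info.filename, member
                yield from explode(info.filename, member, depth + 1, max_depth)
    except zipfile.BadZipFile:
        return


def rule_matches(attachments):
    """Mirror of the rule's source: a top-level .lnk, or a common archive that
    explodes to a .lnk. Returns the names of attachments that fire."""
    hits = []
    for name, data in attachments:
        if is_lnk_by_extension(name):
            hits.append(name)
        elif file_extension(name) in COMMON_ARCHIVES and any(
            is_lnk_by_extension(n) for n, _ in explode(name, data)
        ):
            hits.append(name)
    return hits


def renamed_lnk(attachments):
    """Caveat the rule does not cover: LNK content carried under another
    extension. Extension matching alone will not fire on these."""
    return [
        name for name, data in attachments
        if not is_lnk_by_extension(name) and is_lnk_by_header(data)
    ]


def build_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in members.items():
            zf.writestr(n, d)
    return buf.getvalue()


# Constructed samples, not real malware: a minimal LNK header padded with zeros.
FAKE_LNK = LNK_MAGIC + b"\x00" * 56
SAMPLE_ATTACHMENTS = [
    ("invoice.LNK", FAKE_LNK),                                   # case-insensitive match
    ("docs.zip", build_zip({"readme.txt": b"hi", "open.lnk": FAKE_LNK})),
    ("nested.zip", build_zip({"inner.zip": build_zip({"run.lnk": FAKE_LNK})})),
    ("report.pdf", b"%PDF-1.4 ..."),                             # benign
    ("photo.jpg", FAKE_LNK),                                     # LNK bytes, benign extension
]

if __name__ == "__main__":
    print("rule fires on:", rule_matches(SAMPLE_ATTACHMENTS))
    print("renamed LNK missed by the rule:", renamed_lnk(SAMPLE_ATTACHMENTS))
```

Running it shows the rule firing on the bare shortcut and on both archives, including the doubly nested one, while `photo.jpg` passes the extension-based rule and is only caught by the header check. In a real deployment that gap is closed by a separate rule on file content or by the platform's own file-type identification rather than by editing this rule.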