Attachment: LNK file

Recursively scans files and archives to detect LNK (Windows shortcut) files.

LNK files can be weaponised to execute arbitrary commands, including unpacking and running executable content embedded within the file itself.

Sublime rule

name: "Attachment: LNK file"
description: |
  Recursively scans files and archives to detect LNK connection files.

  LNK files can be weaponised to execute arbitrary commands including unpacking and running executable content embedded within the file itself.
references:
  - "https://forensicitguy.github.io/shortcut-to-emotet-ttp-change/"
  - "https://delivr.to/payloads?id=a9f91563-a31f-49f4-9e6c-c6a9fe8095c4"
  - "https://delivr.to/payloads?id=db034beb-1909-421f-85d0-98fdc37da5f3"
type: "rule"
authors:
  - twitter: "ajpc500"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          .file_extension =~ "lnk"
          or (
            .file_extension in~ $file_extensions_common_archives
            and any(file.explode(.), .file_extension =~ "lnk")
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "LNK"
detection_methods:
  - "Archive analysis"
  - "File analysis"
id: "44532abe-f65f-54e6-afe2-d4589e4253ae"
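The rule above matches on the file extension of each attachment and, for archives, of each exploded member. The following Python script is an added example that mirrors that logic outside Sublime; it is not Sublime's code and not part of the original rule. It assumes attachments arrive as (filename, bytes) pairs, explodes only ZIP archives (the rule's $file_extensions_common_archives list is broader), and, as one step beyond the extension check, also recognises a file by the fixed Windows Shell Link header so that a shortcut renamed to a harmless extension is still flagged. The sample attachments, including the header-only LNK stand-in, are constructed inline.

```python
"""Recursive LNK-attachment check (added example, not Sublime's own code).

Assumptions (hypothetical, not from the original rule):
  - attachments are (filename, bytes) pairs;
  - only ZIP archives are exploded, to a bounded nesting depth;
  - a file counts as LNK if its extension is .lnk (case-insensitive, like the
    rule's `=~`) OR it begins with the Shell Link header, which catches
    shortcuts whose extension has been changed.
"""
import io
import zipfile

# First 20 bytes of every Windows Shell Link file: HeaderSize 0x4C followed by
# the LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk GUID layout.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "0000" "0000" "C000000000000046")

# Archive formats this example explodes; the rule's list covers more.
ARCHIVE_EXTS = {"zip"}
MAX_DEPTH = 5  # bound recursion so a deeply nested archive cannot run away


def _ext(name: str) -> str:
    """Lower-cased extension of a path, '' if it has none."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def is_lnk(name: str, data: bytes) -> bool:
    """True if the extension says LNK or the bytes carry the Shell Link header."""
    return _ext(name) == "lnk" or data.startswith(LNK_MAGIC)


def explode(name: str, data: bytes, depth: int = 0):
    """Yield (path, bytes) for a file and, recursively, for archive members.

    Mirrors the rule's file.explode(.): the archive itself is yielded first,
    then each member, with nested archives exploded in turn.
    """
    yield name, data
    if _ext(name) not in ARCHIVE_EXTS or depth >= MAX_DEPTH:
        return
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = zf.read(info)
                yield from explode(f"{name}/{info.filename}", member, depth + 1)
    except zipfile.BadZipFile:
        return  # not a readable ZIP: treat as an opaque file, as the rule would


def find_lnk(attachments):
    """Return the paths of every LNK found directly or inside archives."""
    hits = []
    for name, data in attachments:
        for path, blob in explode(name, data):
            if is_lnk(path, blob):
                hits.append(path)
    return hits


def rule_matches(attachments) -> bool:
    """Equivalent of the rule's any(attachments, ...) clause."""
    return bool(find_lnk(attachments))


def _zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


def sample_attachments():
    """Constructed inputs: a nested archive holding a .LNK, a benign text
    file, and a header-only LNK stand-in renamed to .txt."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56  # constructed 76-byte header, not a real shortcut
    inner = _zip({"report.LNK": fake_lnk})
    outer = _zip({"docs/invoice.pdf": b"%PDF-1.4 constructed", "nested.zip": inner})
    return [
        ("invoice.zip", outer),
        ("notes.txt", b"plain text, nothing to see"),
        ("renamed.txt", fake_lnk),  # extension-only matching would miss this one
    ]


if __name__ == "__main__":
    for hit in find_lnk(sample_attachments()):
        print("LNK found:", hit)
```

The header check is the part worth keeping in mind when porting the rule: an attacker who renames a shortcut defeats `.file_extension =~ "lnk"` but not a content-based check, so a production detector should combine both, as this example does.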