Attachment: LNK with embedded content
Emotet has been observed to embed executable content within an LNK file to deliver and execute VBScript when launched.
Similar research has demonstrated how this concept may be applied to deliver and launch an embedded executable via PowerShell.
Sublime rule (View on GitHub)
1name: "Attachment: LNK with embedded content"
2description: |
3 Emotet has been observed to embed executable content within an LNK file to deliver and execute VBScript when launched.
4
5 Similar research has demonstrated how this concept may be applied to deliver and launch an embedded executable via PowerShell.
6references:
7 - "https://forensicitguy.github.io/shortcut-to-emotet-ttp-change/"
8 - "https://www.x86matthew.com/view_post?id=embed_exe_lnk"
9type: "rule"
10authors:
11 - twitter: "ajpc500"
12severity: "high"
13source: |
14 type.inbound
15 and (
16 any(attachments,
17 .file_extension == "lnk"
18 and any(file.explode(.),
19 .file_extension =~ "lnk"
20 and any(.scan.exiftool.fields, (.key == "TargetFileSize" and .value == "0"))
21 and any(.scan.exiftool.fields,
22 (
23 .key == "CommandLineArguments"
24 and strings.ilike(.value, "*findstr*", "*sc $path*", "*Set-Content*")
25 )
26 )
27 )
28 )
29 )
30tags:
31 - "Malfam: Emotet"
32attack_types:
33 - "Malware/Ransomware"
34tactics_and_techniques:
35 - "Exploit"
36 - "LNK"
37 - "Scripting"
38detection_methods:
39 - "Content analysis"
40 - "Exif analysis"
41 - "File analysis"
42id: "41452f7a-c77d-5259-a5fb-91b1b4419364"