Detection of Downloaded Shortcut Files
This rule detects potentially malicious .lnk shortcut files downloaded from outside the local network on Windows systems, which are commonly used in phishing campaigns.
This detection identifies suspicious .lnk files created on Windows systems, especially those downloaded from external sources, which may indicate potential phishing attempts. The rule leverages file creation events and zone identifiers to trace the file’s origin. Adversaries exploit shortcut files by embedding malicious commands within them, often distributing these files via phishing campaigns. This can lead to arbitrary code execution upon user interaction. The rule is designed for data generated by Elastic Defend.
Attack Chain
- User receives a phishing email containing a malicious .lnk file.
- The user downloads the .lnk file to their Windows system.
- The Windows OS marks the file with a Zone Identifier indicating it came from an external source.
- The user double-clicks the .lnk file, triggering its execution.
- The .lnk file executes embedded commands, such as PowerShell or cmd.exe.
- The command downloads and executes a malicious payload from a remote server.
- The payload establishes persistence on the compromised system.
- The attacker gains remote access and control over the infected host.
Impact
A successful attack can lead to the compromise of the user's system, potentially resulting in data theft, malware installation, or further propagation of the attack within the network. The severity of the impact depends on the privileges of the compromised user account and the attacker's objectives. The rule aims to detect such attacks early in the attack chain, at the point where the downloaded shortcut is created, so that they can be stopped before the later stages cause damage.
Recommendation
- Deploy the Sigma rule “Downloaded Shortcut Files” to your SIEM and tune for your environment.
- Enable Elastic Defend to capture the necessary file creation events for the rule to function.
- Investigate any alerts generated by the rule, paying close attention to the file path, zone identifier, and associated user account.
- Update security policies to restrict the execution of .lnk files from untrusted sources.
- Educate users about the risks of opening suspicious attachments, especially .lnk files, to prevent initial access.
Detection coverage (2 rules)
- Downloaded Shortcut Files (severity: medium): Detects the creation of downloaded .lnk shortcut files based on the zone identifier.
- Suspicious Process Execution via Downloaded LNK (severity: high): Detects suspicious processes spawned by downloaded .lnk files.
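The following is an added illustration of how the two rules listed above fit together; it is example code written for this page, not the platform's detection queries and not Elastic Defend's event schema. It parses the Zone.Identifier stream that Windows attaches to downloaded files (the [ZoneTransfer] section with its ZoneId), flags .lnk creations whose zone is Internet or Restricted, and then raises the higher-severity alert when explorer.exe starts powershell.exe or cmd.exe for the same user shortly afterwards. The event dictionaries, field names (`event_type`, `zone_identifier`, `parent_name`, `ts`) and the 600-second correlation window are constructed assumptions.

```python
"""Added example (not the platform's detection queries): walk a constructed
event stream, flag .lnk files whose Zone.Identifier stream marks them as
downloaded, then flag shell processes that explorer.exe starts for the same
user shortly afterwards. Event dicts and field names are assumptions, not
Elastic Defend's schema."""
from typing import Dict, List

# URLZONE values Windows writes to the Zone.Identifier alternate data stream.
ZONE_LOCAL, ZONE_INTRANET, ZONE_TRUSTED, ZONE_INTERNET, ZONE_RESTRICTED = 0, 1, 2, 3, 4
EXTERNAL_ZONES = {ZONE_INTERNET, ZONE_RESTRICTED}
# Interpreters the attack chain above names as typical .lnk targets.
SHELLS = {"powershell.exe", "cmd.exe"}
CORRELATION_WINDOW_S = 600  # assumed window between download and launch


def parse_zone_identifier(stream: str) -> Dict[str, str]:
    """Parse the INI-style [ZoneTransfer] section of a Zone.Identifier stream."""
    fields: Dict[str, str] = {}
    in_section = False
    for raw in stream.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def is_downloaded_lnk(event: dict) -> bool:
    """Rule 1: creation of a .lnk whose ZoneId is Internet or Restricted."""
    if event.get("event_type") != "file_create":
        return False
    if not event.get("path", "").lower().endswith(".lnk"):
        return False
    zone = parse_zone_identifier(event.get("zone_identifier", ""))
    try:
        return int(zone.get("ZoneId", ZONE_LOCAL)) in EXTERNAL_ZONES
    except ValueError:
        return False  # malformed stream: do not treat it as a download marker


def detect(events: List[dict]) -> List[dict]:
    """Run both rules over a time-ordered event list and return alert dicts."""
    alerts: List[dict] = []
    recent_lnk: Dict[str, List[dict]] = {}  # user -> flagged .lnk creations
    for ev in events:
        if is_downloaded_lnk(ev):
            recent_lnk.setdefault(ev["user"], []).append(ev)
            alerts.append({"rule": "Downloaded Shortcut Files", "severity": "medium",
                           "user": ev["user"], "path": ev["path"],
                           "zone_id": parse_zone_identifier(ev["zone_identifier"])["ZoneId"]})
        elif (ev.get("event_type") == "process_start"
              and ev.get("parent_name", "").lower() == "explorer.exe"
              and ev.get("name", "").lower() in SHELLS):
            # Rule 2: a shell launched from the desktop shortly after the same
            # user received a downloaded .lnk.
            for lnk in recent_lnk.get(ev["user"], []):
                if 0 <= ev["ts"] - lnk["ts"] <= CORRELATION_WINDOW_S:
                    alerts.append({"rule": "Suspicious Process Execution via Downloaded LNK",
                                   "severity": "high", "user": ev["user"],
                                   "process": ev["name"], "lnk": lnk["path"]})
                    break
    return alerts


# Constructed sample events (not real telemetry); "ts" is seconds.
SAMPLE_EVENTS = [
    {"event_type": "file_create", "ts": 100, "user": "alice",
     "path": r"C:\Users\alice\Downloads\Invoice.lnk",
     "zone_identifier": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://files.example.invalid/Invoice.lnk\r\n"},
    {"event_type": "file_create", "ts": 110, "user": "alice",
     "path": r"C:\Users\alice\Desktop\Notepad.lnk", "zone_identifier": ""},  # local, no mark
    {"event_type": "file_create", "ts": 120, "user": "bob",
     "path": r"C:\Users\bob\Downloads\report.pdf",
     "zone_identifier": "[ZoneTransfer]\r\nZoneId=3\r\n"},  # downloaded, but not a .lnk
    {"event_type": "process_start", "ts": 130, "user": "bob", "parent_name": "explorer.exe",
     "name": "cmd.exe"},  # a shell, but bob has no downloaded .lnk
    {"event_type": "process_start", "ts": 140, "user": "alice", "parent_name": "explorer.exe",
     "name": "powershell.exe"},  # 40 s after alice's downloaded .lnk
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed stream, the script produces one medium alert for Invoice.lnk and one high alert tying alice's powershell.exe launch back to that shortcut; the locally created shortcut, the downloaded PDF and bob's unrelated cmd.exe produce nothing. In a real deployment the triage fields called out in the recommendations (file path, zone identifier, user account) are exactly the ones carried in each alert dict.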