Suspicious LNK File Creation in Temporary Directories
Detection of processes creating .lnk files in suspicious locations like user directories or temporary folders, often indicative of spear phishing or malware persistence mechanisms.
This threat brief focuses on detecting the creation of .lnk (shortcut) files in suspicious directories on Windows systems. Attackers frequently use this technique to establish persistence or execute malicious payloads disguised as legitimate shortcuts. The creation of .lnk files in locations like C:\Users\*, *\AppData\Local\Temp\*, *\Temp\*, and *\Windows\Temp\* is flagged as anomalous behavior, particularly when originating from unexpected processes. These shortcuts can be delivered via spear phishing attachments or created post-compromise to ensure continued access to the system. Defenders should prioritize monitoring for this activity, as it can lead to arbitrary code execution and further system compromise.
Attack Chain
- Initial Access: The attacker gains initial access, likely via spear phishing (T1566.002), delivering a malicious document or executable.
- Payload Delivery: The malicious document or executable drops a secondary payload onto the system.
- LNK File Creation: The dropped payload creates a
.lnkfile in a suspicious directory such asC:\Users\<username>\AppData\Local\Temp\. - Shortcut Configuration: The
.lnkfile is configured to execute a malicious command or script, potentially using PowerShell or cmd.exe. - Persistence: The
.lnkfile is designed to automatically execute upon user interaction (e.g., double-clicking the shortcut) or system startup. - Code Execution: When the user clicks the
.lnkfile, the embedded command executes, initiating further malicious activity. - Privilege Escalation (Optional): The attacker might attempt to escalate privileges using exploits or other techniques.
- Lateral Movement (Optional): The attacker expands their reach by moving laterally to other systems on the network.
Impact
Successful exploitation via malicious .lnk files can lead to significant damage, including unauthorized access to sensitive data, installation of malware, and complete system compromise. Organizations in all sectors are potentially vulnerable. The consequences of a successful attack include data theft, financial loss, reputational damage, and disruption of business operations.
Recommendation
- Enable Sysmon Event ID 11 to monitor file creation events, specifically focusing on
.lnkfiles (data_source). - Deploy the provided Sigma rule
Suspicious LNK File Creationto detect the creation of.lnkfiles in suspicious locations (rules). - Investigate any alerts generated by the Sigma rule
Suspicious LNK File Creationto determine the legitimacy of the.lnkfile creation (rules). - Review and tune the exclusion list in the provided Sigma rule based on your organization's environment and software configurations (rules).
- Educate users on the risks associated with opening untrusted
.lnkfiles and attachments, especially those found in temporary directories (references).
Detection coverage 2
Suspicious LNK File Creation
highDetects the creation of .lnk files in suspicious locations, which may indicate malicious activity.
Process Creating LNK File in User Profile
mediumThis rule detects processes that create .lnk files in user profile directories, excluding known good paths.
Detection queries are available on the platform. Get full rules →