Skip to content
Threat Feed
high advisory

Suspicious LNK File Creation in Temporary Directories

Detection of processes creating .lnk files in suspicious locations like user directories or temporary folders, often indicative of spear phishing or malware persistence mechanisms.

This threat brief focuses on detecting the creation of .lnk (shortcut) files in suspicious directories on Windows systems. Attackers frequently use this technique to establish persistence or execute malicious payloads disguised as legitimate shortcuts. The creation of .lnk files in locations like C:\Users\*, *\AppData\Local\Temp\*, *\Temp\*, and *\Windows\Temp\* is flagged as anomalous behavior, particularly when originating from unexpected processes. These shortcuts can be delivered via spear phishing attachments or created post-compromise to ensure continued access to the system. Defenders should prioritize monitoring for this activity, as it can lead to arbitrary code execution and further system compromise.

Attack Chain

  1. Initial Access: The attacker gains initial access, likely via spear phishing (T1566.002), delivering a malicious document or executable.
  2. Payload Delivery: The malicious document or executable drops a secondary payload onto the system.
  3. LNK File Creation: The dropped payload creates a .lnk file in a suspicious directory such as C:\Users\<username>\AppData\Local\Temp\.
  4. Shortcut Configuration: The .lnk file is configured to execute a malicious command or script, potentially using PowerShell or cmd.exe.
  5. Persistence: The .lnk file is designed to automatically execute upon user interaction (e.g., double-clicking the shortcut) or system startup.
  6. Code Execution: When the user clicks the .lnk file, the embedded command executes, initiating further malicious activity.
  7. Privilege Escalation (Optional): The attacker might attempt to escalate privileges using exploits or other techniques.
  8. Lateral Movement (Optional): The attacker expands their reach by moving laterally to other systems on the network.

Impact

Successful exploitation via malicious .lnk files can lead to significant damage, including unauthorized access to sensitive data, installation of malware, and complete system compromise. Organizations in all sectors are potentially vulnerable. The consequences of a successful attack include data theft, financial loss, reputational damage, and disruption of business operations.

Recommendation

  • Enable Sysmon Event ID 11 to monitor file creation events, specifically focusing on .lnk files (data_source).
  • Deploy the provided Sigma rule Suspicious LNK File Creation to detect the creation of .lnk files in suspicious locations (rules).
  • Investigate any alerts generated by the Sigma rule Suspicious LNK File Creation to determine the legitimacy of the .lnk file creation (rules).
  • Review and tune the exclusion list in the provided Sigma rule based on your organization's environment and software configurations (rules).
  • Educate users on the risks associated with opening untrusted .lnk files and attachments, especially those found in temporary directories (references).

Detection coverage 2

Suspicious LNK File Creation

high

Detects the creation of .lnk files in suspicious locations, which may indicate malicious activity.

sigma tactics: initial_access, persistence techniques: T1547.001, T1566.002 sources: file_event, windows

Process Creating LNK File in User Profile

medium

This rule detects processes that create .lnk files in user profile directories, excluding known good paths.

sigma tactics: initial_access, persistence techniques: T1547.001, T1566.002 sources: file_event, windows

Detection queries are available on the platform. Get full rules →