Lnk

parseusbs before 1.9 is vulnerable to OS command injection in parseUSBs.py due to unsanitized LNK file paths passed to os.popen(), allowing arbitrary command execution via crafted .lnk filenames.

This rule detects potentially malicious .lnk shortcut files downloaded from outside the local network on Windows systems, which are commonly used in phishing campaigns.