{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/lnk/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-40029"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["command injection","lnk","parseusbs","cve-2026-40029"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eparseusbs before version 1.9 is susceptible to an OS command injection vulnerability (CVE-2026-40029) within the \u003ccode\u003eparseUSBs.py\u003c/code\u003e script. The flaw arises from the program\u0026rsquo;s failure to sanitize LNK file paths before passing them to the \u003ccode\u003eos.popen()\u003c/code\u003e function, which hands the string to a shell. An attacker can therefore craft a .lnk filename containing shell metacharacters. When \u003ccode\u003eparseusbs\u003c/code\u003e processes a USB drive containing such a file, the crafted filename is interpreted as a command, leading to arbitrary command execution on the system of the forensic examiner running the tool. Because vulnerable versions of parseusbs are used by security professionals for USB forensic analysis, successful exploitation directly endangers the examiners who run it.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious .lnk file. The filename includes shell metacharacters designed to execute arbitrary commands. For example, a filename could be \u003ccode\u003etest.lnk; rm -rf /tmp\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker places the crafted .lnk file onto a USB drive.\u003c/li\u003e\n\u003cli\u003eA forensic examiner uses parseusbs (version before 1.9) to analyze the USB drive.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eparseUSBs.py\u003c/code\u003e script processes the files on the USB drive, including the malicious .lnk file.\u003c/li\u003e\n\u003cli\u003eThe script extracts the .lnk file path without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe unsanitized .lnk file path is passed to the \u003ccode\u003eos.popen()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eos.popen()\u003c/code\u003e function interprets the shell metacharacters in the filename, executing the attacker\u0026rsquo;s injected command.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the examiner\u0026rsquo;s system, allowing them to potentially compromise the system, steal sensitive data, or further pivot into the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the system of a forensic examiner using \u003ccode\u003eparseusbs\u003c/code\u003e. This could lead to complete system compromise, data exfiltration, or further malicious activities. Given that \u003ccode\u003eparseusbs\u003c/code\u003e is a tool used by security professionals, a successful attack could have significant consequences, potentially exposing sensitive forensic data. The impact is particularly severe as the examiner likely has access to sensitive information related to their investigations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003eparseusbs\u003c/code\u003e to version 1.9 or later to remediate CVE-2026-40029.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unexpected processes spawned by Python (\u003ccode\u003epython.exe\u003c/code\u003e or \u003ccode\u003epython3\u003c/code\u003e). Use the Sigma rule \u0026ldquo;Detect Suspicious Process Creation by Python\u0026rdquo; to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring for LNK files, particularly those found on USB drives. The Sigma rule \u0026ldquo;Detect Creation of LNK Files in Removable Media\u0026rdquo; can help identify suspicious LNK file creation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T22:16:23Z","date_published":"2026-04-08T22:16:23Z","id":"/briefs/2026-04-parseusbs-cmd-injection/","summary":"parseusbs before 1.9 is vulnerable to OS command injection in parseUSBs.py due to unsanitized LNK file paths passed to os.popen(), allowing arbitrary command execution via crafted .lnk filenames.","title":"parseusbs Unsanitized LNK File Command Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-parseusbs-cmd-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["phishing","lnk","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies suspicious .lnk files created on Windows systems, especially those downloaded from external sources, which may indicate potential phishing attempts. The rule leverages file creation events and zone identifiers to trace the file\u0026rsquo;s origin. Adversaries exploit shortcut files by embedding malicious commands within them, often distributing these files via phishing campaigns. This can lead to arbitrary code execution upon user interaction. The rule is designed for data generated by Elastic Defend.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser receives a phishing email containing a malicious .lnk file.\u003c/li\u003e\n\u003cli\u003eThe user downloads the .lnk file to their Windows system.\u003c/li\u003e\n\u003cli\u003eThe Windows OS marks the file with a Zone Identifier indicating it came from an external source.\u003c/li\u003e\n\u003cli\u003eThe user double-clicks the .lnk file, triggering its execution.\u003c/li\u003e\n\u003cli\u003eThe .lnk file executes embedded commands, such as PowerShell or cmd.exe.\u003c/li\u003e\n\u003cli\u003eThe command downloads and executes a malicious payload from a remote server.\u003c/li\u003e\n\u003cli\u003eThe payload establishes persistence on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access and control over the infected host.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the compromise of the user\u0026rsquo;s system, potentially resulting in data theft, malware installation, or further propagation of the attack within the network. The severity of the impact depends on the privileges of the compromised user account and the attacker\u0026rsquo;s objectives. The rule aims to detect and prevent such attacks early in the attack chain, reducing the potential damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Downloaded Shortcut Files\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend to capture the necessary file creation events for the rule to function.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule, paying close attention to the file path, zone identifier, and associated user account.\u003c/li\u003e\n\u003cli\u003eUpdate security policies to restrict the execution of .lnk files from untrusted sources.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of opening suspicious attachments, especially .lnk files, to prevent initial access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:22:32Z","date_published":"2024-01-03T18:22:32Z","id":"/briefs/2024-01-downloaded-lnk/","summary":"This rule detects potentially malicious .lnk shortcut files downloaded from outside the local network on Windows systems, which are commonly used in phishing campaigns.","title":"Detection of Downloaded Shortcut Files","url":"https://feed.craftedsignal.io/briefs/2024-01-downloaded-lnk/"}],"language":"en","title":"CraftedSignal Threat Feed — Lnk","version":"https://jsonfeed.org/version/1.1"}