{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/shortcut/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["lnk","shortcut","persistence","phishing","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting the creation of \u003ccode\u003e.lnk\u003c/code\u003e (shortcut) files in suspicious directories on Windows systems. Attackers frequently use this technique to establish persistence or execute malicious payloads disguised as legitimate shortcuts. The creation of \u003ccode\u003e.lnk\u003c/code\u003e files in locations like \u003ccode\u003eC:\\Users\\*\u003c/code\u003e, \u003ccode\u003e*\\AppData\\Local\\Temp\\*\u003c/code\u003e, \u003ccode\u003e*\\Temp\\*\u003c/code\u003e, and \u003ccode\u003e*\\Windows\\Temp\\*\u003c/code\u003e is flagged as anomalous behavior, particularly when originating from unexpected processes. These shortcuts can be delivered via spear phishing attachments or created post-compromise to ensure continued access to the system. Defenders should prioritize monitoring for this activity, as it can lead to arbitrary code execution and further system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access, likely via spear phishing (T1566.002), delivering a malicious document or executable.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Delivery:\u003c/strong\u003e The malicious document or executable drops a secondary payload onto the system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLNK File Creation:\u003c/strong\u003e The dropped payload creates a \u003ccode\u003e.lnk\u003c/code\u003e file in a suspicious directory such as \u003ccode\u003eC:\\Users\\\u0026lt;username\u0026gt;\\AppData\\Local\\Temp\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eShortcut Configuration:\u003c/strong\u003e The \u003ccode\u003e.lnk\u003c/code\u003e file is configured to execute a malicious command or script, potentially using PowerShell or cmd.exe.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The \u003ccode\u003e.lnk\u003c/code\u003e file is designed to automatically execute upon user interaction (e.g., double-clicking the shortcut) or system startup.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Execution:\u003c/strong\u003e When the user clicks the \u003ccode\u003e.lnk\u003c/code\u003e file, the embedded command executes, initiating further malicious activity.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Optional):\u003c/strong\u003e The attacker might attempt to escalate privileges using exploits or other techniques.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (Optional):\u003c/strong\u003e The attacker expands their reach by moving laterally to other systems on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via malicious \u003ccode\u003e.lnk\u003c/code\u003e files can lead to significant damage, including unauthorized access to sensitive data, installation of malware, and complete system compromise. Organizations in all sectors are potentially vulnerable. The consequences of a successful attack include data theft, financial loss, reputational damage, and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 to monitor file creation events, specifically focusing on \u003ccode\u003e.lnk\u003c/code\u003e files (data_source).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eSuspicious LNK File Creation\u003c/code\u003e to detect the creation of \u003ccode\u003e.lnk\u003c/code\u003e files in suspicious locations (rules).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u003ccode\u003eSuspicious LNK File Creation\u003c/code\u003e to determine the legitimacy of the \u003ccode\u003e.lnk\u003c/code\u003e file creation (rules).\u003c/li\u003e\n\u003cli\u003eReview and tune the exclusion list in the provided Sigma rule based on your organization's environment and software configurations (rules).\u003c/li\u003e\n\u003cli\u003eEducate users on the risks associated with opening untrusted \u003ccode\u003e.lnk\u003c/code\u003e files and attachments, especially those found in temporary directories (references).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-lnk-creation/","summary":"Detection of processes creating .lnk files in suspicious locations like user directories or temporary folders, often indicative of spear phishing or malware persistence mechanisms.","title":"Suspicious LNK File Creation in Temporary Directories","url":"https://feed.craftedsignal.io/briefs/2024-01-lnk-creation/"}],"language":"en","title":"CraftedSignal Threat Feed - Shortcut","version":"https://jsonfeed.org/version/1.1"}