Windows users are likely familiar with .lnk files, also known as LNK or link files. These files are shortcuts that point to another file or folder on the computer, allowing users to quickly access the content they want. While LNK files are a convenient Windows feature, they can also be exploited by malicious actors. In this post, we'll explore LNK files, their normal use cases, and how cybercriminals abuse them.
Understanding LNK files
When a user double-clicks an LNK file, the shortcut opens the file or folder it points to. LNK files are useful for users who frequently access certain files or folders, as they provide a quick and convenient way to do so. However, Windows does not record the use of a shortcut the same way it records opening an ordinary file: think of double-clicking an LNK file as double-clicking the target itself rather than opening the .lnk file. This does not hold for every feature and may change between Windows versions, which can make digital forensics and tracking of LNK usage awkward over time.
Normal Use Case
The most common use case for LNK files is creating shortcuts to frequently used files or folders. For example, a user might create an LNK file for a Word document that they need to access frequently, or for a folder that contains important files. LNK files can also be used to create shortcuts to programs or scripts that a user wants to run quickly.
Another common use case for LNK files is organizing files and folders. Users can create LNK files for related files or folders and place them all in one folder, allowing easy access to all of the related content, or even to commonly used command lines.
Malicious Use Case
Unfortunately, LNK files can also be exploited by malicious actors. Malware authors have used LNK files to deliver their malicious payloads to unsuspecting victims.
One example of malware that uses LNK files is the infamous Stuxnet worm, which was discovered in 2010. Stuxnet was a highly sophisticated piece of malware that targeted industrial control systems (ICS), specifically those used in Iran's nuclear program. The worm was spread through infected USB drives, and it used LNK files to execute its malicious payload when the user clicked on the shortcut.
When a user clicked on an infected LNK file, it would execute a malicious payload that exploited a Windows zero-day vulnerability to install the worm on the victim's computer. Once installed, Stuxnet would search for specific industrial control systems and attempt to manipulate their processes. The worm was able to cause physical damage to Iran's nuclear program and is considered one of the most sophisticated cyberattacks in history.
Another example of malware that uses LNK files is the more recent Emotet Trojan. Emotet is a banking Trojan that has been active since 2014 and has evolved over the years to become one of the most dangerous pieces of malware in circulation. The Trojan is typically spread through phishing emails (as are most Trojans), which contain an infected LNK file as an attachment.
When a user clicks on the infected LNK file, it executes a PowerShell command that downloads and installs the Emotet Trojan on the victim's computer. Once installed, Emotet is capable of stealing sensitive information, downloading additional malware, and spreading to other computers on the victim's network.
Example Walkthrough
For this example, I decided to keep things simple and create a shortcut on the desktop in the normal way, using the syntax:
"powershell /c cmd /c ping 127.0.0.1"
This tiny command runs powershell, which executes cmd.exe, which in turn runs ping 127.0.0.1. This is a total of 6 arguments.
Windows resolves the entries to full paths, as you can see in the image below. In the screenshot, you can also see that the start-in path was set to the default PowerShell directory and the icon was converted to the PowerShell icon.
To view the data in a more forensic or malware-reversing manner, I will use strings and exiftool:
Looking at the example, it's fairly clear that strings does provide results, but exiftool presents the same data and more in a much cleaner way. I would suggest using it.
Exiftool by Phil Harvey is a powerful command-line tool that is commonly used for viewing, editing, and extracting metadata from various file types, including LNK files. When used on an LNK file, Exiftool can reveal a range of information about the file, including:
- Drive Serial Number: This provides you with the drive serial number of the host that created the shortcut. This is a useful IOC if you are looking to block or match something. A drive serial number is a unique identifier assigned to a physical storage device, such as a hard disk drive (HDD) or solid-state drive (SSD). The serial number is used to uniquely identify the drive and distinguish it from other drives in a system or network.
- File size and format: Exiftool can display the size of the LNK file, as well as the format it is stored in. This can be useful for verifying that the file is in the expected format and identifying any abnormalities or anomalies.
- Target file path: LNK files contain a reference to the target file or folder they are associated with. Exiftool can extract this information, revealing the path to the target file or folder. This can be useful for determining the location of a file or folder, especially if the user is unfamiliar with the system or file structure.
- Creation and modification dates: Exiftool can display the creation and modification dates for the LNK file, which can provide insight into when the file was created or last modified. This can be useful for tracking changes to the file or determining when it was first introduced to the system.
- Icon path: LNK files often include an icon that is used to represent the file or folder they are associated with. Exiftool can extract the path to the icon file, which can provide additional information about the file and its purpose.
- Command line arguments: This is the key field. LNK files can include command line arguments that are used when executing the target file or folder. Exiftool can extract these arguments, which provide insight into how the target is executed and what parameters are used.
- User and system information: LNK files can contain information about the user who created the file, as well as system information such as the operating system version and computer name. Exiftool can extract this information, which can provide additional context about the file and its origin.
Overall, Exiftool can reveal a range of information about LNK files that can be useful for forensic investigations, system administration, and other purposes. However, it's important to note that this information can be manipulated or obscured by attackers, so it should not be relied on as the sole source of information for security or investigative purposes.
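As an added example (not code from the post, exiftool, or Microsoft), the following Python parser reads the fields discussed above straight from the LNK binary format (MS-SHLLINK): header timestamps plus the StringData entries for target path, working directory, command line arguments and icon location. It skips the LinkTargetIDList and LinkInfo blocks rather than parsing them, and the sample shortcut it parses is a constructed byte blob modelled on the post's powershell example, not a file taken from disk; the nested-shell triage rule is likewise an assumed heuristic.

```python
"""Minimal MS-SHLLINK (.lnk) parser for the header and StringData fields exiftool reports."""
import struct
from datetime import datetime, timedelta, timezone

# LinkFlags bits (MS-SHLLINK 2.1.1); StringData entries appear in this fixed order
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_DATA = [(HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
               (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location")]
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):  # FILETIME is 100 ns ticks since 1601-01-01 UTC
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_lnk(data):
    hdr_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    ctime, _atime, wtime = struct.unpack_from("<QQQ", data, 28)
    pos = hdr_size
    if flags & HAS_ID_LIST:    # LinkTargetIDList: uint16 size, then the ID list itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfo: uint32 total size (includes the size field)
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {"created": filetime_to_dt(ctime), "modified": filetime_to_dt(wtime)}
    for bit, key in STRING_DATA:  # each present string: uint16 char count, then the chars
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
            out[key] = data[pos + 2:pos + 2 + count * width].decode(enc)
            pos += 2 + count * width
    return out

def launches_nested_shell(info):
    """Assumed triage rule: target is an interpreter and its arguments invoke a second one."""
    target = info.get("relative_path", "").lower()
    args = info.get("arguments", "").lower()
    return target.endswith(("powershell.exe", "cmd.exe")) and any(s in args for s in ("cmd", "powershell"))

def build_sample_lnk():
    """Constructed sample mirroring the post's powershell shortcut (not a real file)."""
    ft = int((datetime(2023, 4, 1, tzinfo=timezone.utc) - EPOCH_1601).total_seconds()) * 10_000_000
    flags = HAS_REL_PATH | HAS_WORK_DIR | HAS_ARGS | HAS_ICON | IS_UNICODE
    hdr = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20, ft, ft, ft, 0, 0, 1, 0, 0, 0, 0)
    def sd(s): return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    ps = "Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    return (hdr + sd("..\\..\\..\\" + ps) + sd("C:\\Windows\\System32\\WindowsPowerShell\\v1.0")
            + sd("/c cmd /c ping 127.0.0.1") + sd("%SystemRoot%\\" + ps))
```

Running `parse_lnk(build_sample_lnk())` yields the same arguments, working directory and icon path that exiftool shows for the post's shortcut, and the triage rule flags it because powershell is used to launch cmd.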
For something extra, I took a screenshot of what may be useful in Kibana via event logs, which can also show you the arguments / command lines used.
In this image you can see:
- Event ID
- PID
- Task Type
- Argument Count
- Command Line
Mitigating LNK file vulnerabilities
To protect against LNK file vulnerabilities, it's important for users to be cautious when opening any file or attachment, especially those that come from unknown or suspicious sources. Users should also keep their operating system and antivirus software up to date, as these provide important security patches and protection against known threats. Organizations can also take steps to mitigate the risks of LNK file vulnerabilities. These steps include:
- Educating employees: Organizations should educate their employees about the risks of LNK files and the importance of being cautious when opening any file or attachment. Employees should be trained on how to identify suspicious emails and attachments and what steps to take if they believe they have received a malicious file.
- Implementing email security measures: Organizations should implement email security measures to prevent malicious emails and attachments from reaching employees in the first place. This can include email filtering, which scans emails for known threats and blocks them before they reach the recipient's inbox.
- Patching vulnerabilities: Organizations should regularly patch their systems to address known vulnerabilities, including those that can be exploited through LNK files. This can help prevent attackers from using known exploits to gain access to the organization's systems.
- Limiting user permissions: Organizations can limit user permissions to prevent users from executing unauthorized code or installing unauthorized software. This can help prevent attackers from using LNK files to execute malicious code on the organization's systems.
- Using endpoint detection and response (EDR) tools: EDR tools can help detect and respond to malicious activity on endpoints, including those that may be initiated through LNK files. These tools can help organizations quickly identify and respond to potential threats, reducing the impact of any successful attacks.
By implementing these measures, organizations can help reduce the risk of LNK file vulnerabilities and protect their systems and data from malicious attacks.