
Hunting Shortcut Files: Mapping “.LNKs” to a Target File

Intro

Windows shortcuts (.lnk files) are small binary files that point at another object, usually a program or a document, together with any command-line arguments, a working directory and an icon. They are not symbolic links: a symbolic link is a file-system object the OS resolves transparently, whereas a shortcut is an ordinary data file that the Windows shell interprets when the user opens it. Users like them because they are convenient. Adversaries like them because the file can carry an attacker-chosen command line while presenting a harmless name and icon, so a double-click executes malicious code without the user seeing anything unusual.

Proof of Concept

Let’s create a shortcut file to show how effective this can be. Right-click inside File Explorer or on your Desktop and select New > Shortcut.

The field labeled ‘Type the location of the item:’ accepts a program path followed by its arguments, so it can carry a whole command line. For this scenario, I’m going to call PowerShell to print ‘Pwned’ to the terminal and wait for a key press by inserting the following:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command "echo Pwned; Read-Host -Prompt 'Press enter to exit...'"

The wizard’s field stops accepting input at 250 characters. This is a limit of the dialog, not of the file format: the .lnk format stores the command-line arguments as a separate string with its own length field, so a shortcut written by other means (a script using the WScript.Shell COM object, or a hand-built file) can carry a far longer command line. The limit is also unrelated to MAX_PATH (260 characters by default): enabling long paths in the registry changes how file paths are handled, and the arguments are not a file path, so it has no effect on this field.

Upon clicking ‘Next’, a name can be assigned to this shortcut file.

Click ‘Finish’ to create the shortcut.

Notice that the shortcut shows the PowerShell icon, because the icon is derived from the target. Let’s change this to something a little less alarming, such as Notepad, by right-clicking the shortcut file, clicking ‘Properties’, and then selecting ‘Change Icon’ on the ‘Shortcut’ tab. The same tab displays the target path and arguments; changing the icon does not alter them, it only changes what the user sees.

Now the icon mimics the Notepad program while the target is still powershell.exe.

Double-clicking the shortcut file executes the command. Keep in mind that while this example is harmless, anything could have been referenced in the shortcut file (even some crafty reverse shell one-liners). Note also that the target itself remains a signed Windows binary; the malicious part lives in the arguments, which is why any hunt that only looks at the target path or its hash will miss this case.

Hunting Suspicious Shortcuts

Using PowerShell, the target of a shortcut can be read back through the WScript.Shell COM object: calling CreateShortcut on an existing .lnk returns an object whose TargetPath, Arguments, WorkingDirectory and IconLocation properties are the fields stored in the file (the example shortcut above was originally created in C:\temp).

Let’s take this a step further and hunt down every shortcut file in the system. We’ll gather information about the target files too, if they still exist.
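The read-back described above, packaged as a triage function, as an added example that is not part of the original post. It first builds the Proof of Concept shortcut programmatically in $env:TEMP (a constructed sample, so the example runs without the wizard; CreateShortcut is not subject to the wizard’s character limit on the target field), then parses it back and flags the signals a hunter would look for: a living-off-the-land target, suspicious argument fragments, and an icon borrowed from a different executable than the one launched. The file name, the LOLBin list and the argument-token list are assumptions chosen for this example.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 5.1 or
# PowerShell 7 on Windows with the WScript.Shell COM object available.
# $lnkPath, $lolbins and $badArgs are hypothetical choices for this example.

$lnkPath = Join-Path $env:TEMP 'Budget Report.lnk'   # constructed sample

# 1. Create the same shortcut the wizard produced above, via COM
$wsh = New-Object -ComObject WScript.Shell
$sc  = $wsh.CreateShortcut($lnkPath)
$sc.TargetPath   = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
$sc.Arguments    = "-ExecutionPolicy Bypass -Command `"echo Pwned; Read-Host -Prompt 'Press enter to exit...'`""
$sc.IconLocation = "$env:SystemRoot\System32\notepad.exe,0"   # looks like Notepad
$sc.Save()

# 2. Read a .lnk back and score what it points at
function Get-LnkTriage {
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path
    )
    begin {
        $wsh = New-Object -ComObject WScript.Shell
        # Executables commonly abused as shortcut targets (assumed list, extend as needed)
        $lolbins = 'powershell.exe','pwsh.exe','cmd.exe','mshta.exe','wscript.exe',
                   'cscript.exe','rundll32.exe','regsvr32.exe','certutil.exe','conhost.exe'
        # Argument fragments that rarely appear in legitimate user shortcuts (assumed list)
        $badArgs = '-enc','-e ','bypass','iex','invoke-expression','downloadstring',
                   'frombase64string','hidden','http://','https://','\\'
    }
    process {
        $s = $wsh.CreateShortcut((Resolve-Path -LiteralPath $Path).Path)

        $targetExe = [IO.Path]::GetFileName($s.TargetPath).ToLower()
        $iconFile  = ($s.IconLocation -split ',')[0].Trim()     # "path,index" -> path
        $iconExe   = [IO.Path]::GetFileName($iconFile).ToLower()

        $reasons = @()
        if ($lolbins -contains $targetExe) { $reasons += "target is $targetExe" }
        foreach ($t in $badArgs) {
            if ($s.Arguments -like "*$t*") { $reasons += "argument contains '$t'" }
        }
        # Icon taken from another .exe than the one actually launched (icons from
        # .dll/.ico resources are normal and are not flagged)
        if ($iconExe -match '\.exe$' -and $targetExe -and $iconExe -ne $targetExe) {
            $reasons += "icon from $iconExe but target is $targetExe"
        }
        if ($s.Arguments.Length -gt 200) {
            $reasons += "long argument string ($($s.Arguments.Length) chars)"
        }

        [pscustomobject]@{
            Shortcut   = $Path
            TargetPath = $s.TargetPath
            Arguments  = $s.Arguments
            IconFile   = $iconFile
            Suspicious = $reasons.Count -gt 0
            Reasons    = $reasons -join '; '
        }
    }
}

# 3. Triage the constructed sample, then remove it
Get-LnkTriage -Path $lnkPath | Format-List
Remove-Item -LiteralPath $lnkPath
```

For the constructed sample the function reports Suspicious = True with three reasons: the target is powershell.exe, the arguments contain ‘bypass’, and the icon comes from notepad.exe while the target is powershell.exe. Because the parameter also binds to FullName, `Get-ChildItem -Path C:\Users -Filter *.lnk -Recurse -Force | Get-LnkTriage | Where-Object Suspicious` runs the same checks across a user profile.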

Script
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.

# Set the base path to search for .lnk files
$basePath = "C:\"

# Path of the CSV file to create. T1547.009 (Shortcut Modification) is a
# sub-technique of Boot or Logon Autostart Execution, which ATT&CK lists under
# Persistence (TA0003) and Privilege Escalation, so the folder is named after TA0003.
# The directory is created further down only if there are results.
$csvFile = "C:\temp\TA0003_Persistence\T1547_009_Shortcut_Modification.csv"

# One WScript.Shell instance is enough to parse every shortcut
$wsh = New-Object -ComObject WScript.Shell

# Create an empty array to store the objects for the CSV file
$objects = @()

# Search for .lnk files under the base path, including hidden ones;
# directories we cannot read are skipped silently
$lnkFiles = Get-ChildItem -Path $basePath -Filter "*.lnk" -Recurse -File -Force -ErrorAction SilentlyContinue

# Loop through each .lnk file
foreach ($lnkFile in $lnkFiles) {
  # CreateShortcut on an existing .lnk loads its stored fields without modifying the file;
  # a malformed file throws, so skip it rather than abort the whole hunt
  try {
    $shortcut = $wsh.CreateShortcut($lnkFile.FullName)
  } catch {
    continue
  }

  # WshShortcut exposes TargetPath (there is no 'Target' property). Expand %VAR%
  # references and resolve a relative target against the shortcut's working
  # directory, falling back to the directory the .lnk lives in.
  $target = [Environment]::ExpandEnvironmentVariables($shortcut.TargetPath)
  if ($target -and -not [IO.Path]::IsPathRooted($target)) {
    $base = if ($shortcut.WorkingDirectory) { $shortcut.WorkingDirectory } else { $lnkFile.DirectoryName }
    $target = Join-Path -Path $base -ChildPath $target
  }

  # Retrieve the file system object for the target file, if it still exists
  $targetFileInfo = $null
  if ($target) {
    $targetFileInfo = Get-Item -LiteralPath $target -Force -ErrorAction SilentlyContinue
  }

  # Human-readable size of the target file
  $fileSize = ""
  if ($targetFileInfo) {
    $len = $targetFileInfo.Length
    if     ($len -gt 1GB) { $fileSize = "{0:N2} GB" -f ($len / 1GB) }
    elseif ($len -gt 1MB) { $fileSize = "{0:N2} MB" -f ($len / 1MB) }
    elseif ($len -gt 1KB) { $fileSize = "{0:N2} KB" -f ($len / 1KB) }
    else                  { $fileSize = "$len Bytes" }
  }

  # SHA256 of the target file, when it exists
  $fileHash = ""
  if ($targetFileInfo) {
    $fileHash = (Get-FileHash -LiteralPath $targetFileInfo.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
  }

  # Record the arguments and icon as well: in the PoC above the target is a benign,
  # signed powershell.exe, the payload lives in Arguments, and the icon points at notepad.exe
  $objects += [PSCustomObject]@{
    "Shortcut"              = $lnkFile.FullName
    "ShortcutLastWriteTime" = $lnkFile.LastWriteTime
    "TargetFile"            = $target
    "TargetArguments"       = $shortcut.Arguments
    "IconLocation"          = $shortcut.IconLocation
    "TargetSize"            = $fileSize
    "TargetSHA256"          = $fileHash
    "TargetLastWriteTime"   = $targetFileInfo.LastWriteTime
    "TargetCreationTime"    = $targetFileInfo.CreationTime
    "TargetLastAccessTime"  = $targetFileInfo.LastAccessTime
  }
}

# Continue only if the $objects array is not empty
if ($objects.Count -gt 0) {
  # Create the output folder if it does not exist
  $csvDir = Split-Path -Path $csvFile -Parent
  if (!(Test-Path -Path $csvDir)) {
    New-Item -ItemType Directory -Path $csvDir | Out-Null
  }
  # Write the array to a CSV file
  $objects | Export-Csv -Path $csvFile -NoTypeInformation
}

Conclusion

Incident response teams need a solid understanding of LNK files and of how threat actors use them in order to keep their systems secure, and the ability to analyze LNK files effectively is key to a proactive approach. For example, the SHA256 of an LNK file’s target can be matched against known malicious programs or suspicious shells to trigger alerts. Because the target is frequently a legitimate signed binary such as powershell.exe, the Arguments field and a mismatch between the icon and the target deserve the same scrutiny as the hash. By combining scripting like the above with EDR telemetry, SIEM logs and monitoring for suspicious activity, incident response teams can stay ahead of potential threats before they get out of hand.