LNK
# TL;DR
LNK files are Windows Shortcut files, ending in a .lnk extension, that point to an application or file. They are commonly found on a user's desktop or elsewhere on a system, and can be created by the user or automatically by the Windows operating system. LNK files are extensively abused as a medium to deploy malware and/or establish persistence.
Fig 1: Simply edit "Main" at the bottom of the script and uncomment LNK and LNK_Hunt to enable the feature
# Function LNK
Step 1 - Scanning the forensic/ntfs directory for LNK Files w/ YARA
Step 2 - Parsing LNK File Structure w/ lnk_parser
[Info] Scanning for Windows Shortcut Files (LNK) w/ YARA [time-consuming task] ...
[Info] YARA scan duration: 00 h 10 min 39 sec
[Info] 92 SHLLINK artifacts found
[Info] Parsing SHLLINK artifacts (LNK) w/ lnk_parser ...
# Function LNK_Hunt
Step 3 - Hunting for Malicious LNK Files
Fig 2: YARA rule
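The three steps above (scan, parse, hunt) in miniature, as an added example that is not lnk_parser, the MemProcFS-Analyzer script or the page's YARA rule: a Python parser for the ShellLinkHeader and StringData sections of the MS-SHLLINK format, run over two constructed LNK byte strings, followed by a small hunting heuristic of the kind the "hunt" CSV/XLSX output is meant to support. The header check it performs (HeaderSize 0x4C and the fixed LinkCLSID at offset 0) is the same signal a YARA rule for LNK files typically keys on. The LOLBin list, the argument-length threshold and the cp1252 fallback for non-Unicode strings are assumptions of the example, not anything the page specifies.

```python
"""Minimal parser for the MS-SHLLINK (.lnk) ShellLinkHeader and StringData,
plus a hunting heuristic over the parsed fields. Added example for this wiki
page: it is neither lnk_parser nor part of MemProcFS-Analyzer, and the LNK
bytes it works on are constructed below rather than taken from a memory image."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

HEADER_FMT = "<I16sIIQQQIiIHHII"           # 76-byte ShellLinkHeader layout
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 0x4C, also the HeaderSize field
LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional sections follow
HAS_LINK_TARGET_IDLIST = 0x01
HAS_LINK_INFO = 0x02
IS_UNICODE = 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))  # StringData order
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that starts the target minimised

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_lnk(data):
    """Return header fields and StringData of a Shell Link as a dict.
    Raises ValueError if HeaderSize or LinkCLSID do not match the spec."""
    (size, clsid, flags, attrs, ctime, _atime, wtime, fsize, _icon, show,
     _hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data, 0)
    if size != HEADER_SIZE or uuid.UUID(bytes_le=clsid) != LINK_CLSID:
        raise ValueError("not a Shell Link: bad HeaderSize or LinkCLSID")
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:      # uint16 IDListSize + IDList bytes
        (idlist_size,) = struct.unpack_from("<H", data, off)
        off += 2 + idlist_size
    if flags & HAS_LINK_INFO:               # uint32 LinkInfoSize covers it all
        (linkinfo_size,) = struct.unpack_from("<I", data, off)
        off += linkinfo_size
    fields = {"flags": flags, "file_attributes": attrs, "file_size": fsize,
              "show_command": show,
              "creation_time": filetime_to_datetime(ctime),
              "write_time": filetime_to_datetime(wtime)}
    for bit, key in STRING_FIELDS:         # each: uint16 CountCharacters + chars
        if flags & bit:
            (count,) = struct.unpack_from("<H", data, off)
            off += 2
            if flags & IS_UNICODE:
                fields[key] = data[off:off + 2 * count].decode("utf-16-le")
                off += 2 * count
            else:                           # assumption: ANSI strings are cp1252
                fields[key] = data[off:off + count].decode("cp1252")
                off += count
    return fields


# Assumed watch-list of living-off-the-land binaries (not from the page)
LOLBINS = ("powershell", "cmd.exe", "mshta", "rundll32", "regsvr32",
           "wscript", "cscript", "certutil")


def hunt(lnk):
    """Reasons a parsed LNK deserves analyst attention (empty list if none)."""
    reasons = []
    text = " ".join(lnk.get(k, "") for k in ("relative_path", "arguments")).lower()
    if lnk.get("arguments") and any(b in text for b in LOLBINS):
        reasons.append("LOLBin launched with arguments from a shortcut")
    if lnk["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand keeps the target window minimised")
    if len(lnk.get("arguments", "")) > 200:   # assumed threshold
        reasons.append("unusually long command-line arguments")
    return reasons


def build_lnk(show_command=1, **strings):
    """Construct a minimal LNK (header + Unicode StringData) for the samples."""
    flags, body = IS_UNICODE, b""
    for bit, key in STRING_FIELDS:
        if key in strings:
            flags |= bit
            body += struct.pack("<H", len(strings[key]))
            body += strings[key].encode("utf-16-le")
    ft = datetime_to_filetime(datetime(2022, 9, 6, tzinfo=timezone.utc))
    header = struct.pack(HEADER_FMT, HEADER_SIZE, LINK_CLSID.bytes_le, flags,
                         0x20, ft, ft, ft, 0, 0, show_command, 0, 0, 0, 0)
    return header + body


# Constructed samples: an ordinary shortcut and one shaped like a LOLBin launcher
BENIGN_LNK = build_lnk(name="Notepad", relative_path="..\\..\\Windows\\notepad.exe")
SUSPICIOUS_LNK = build_lnk(show_command=SW_SHOWMINNOACTIVE,
                           relative_path="..\\..\\Windows\\System32\\cmd.exe",
                           arguments="/c powershell.exe -File C:\\Users\\Public\\update.ps1",
                           icon_location="%SystemRoot%\\System32\\shell32.dll")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("suspicious", SUSPICIOUS_LNK)):
        parsed = parse_lnk(blob)
        print(label, parsed.get("relative_path"), parsed.get("arguments"), hunt(parsed))
```

On a real LNK carved from the forensic/ntfs directory the parser only needs the file bytes; the two `build_lnk` samples exist so the example runs offline. The heuristic is deliberately coarse: a shortcut whose arguments name a LOLBin and whose window is started minimised is a triage lead, not a verdict, and should be confirmed against the full lnk_parser output (link target, tracker data, timestamps).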
| File | Description |
|---|---|
| .\LNK\LNK-Files.txt | List of LNK files found in physical memory |
| .\LNK\lnk_parser\CSV\lnk_parser.csv | Default CSV output |
| .\LNK\lnk_parser\CSV\lnk_parser-hunt.csv | Custom CSV (for hunting malicious LNK files) |
| .\LNK\lnk_parser\XLSX\lnk_parser.xlsx | Default XLSX output |
| .\LNK\lnk_parser\XLSX\lnk_parser-hunt.xlsx | Custom XLSX (for hunting malicious LNK files) |
| .\LNK\Hunt\CSV | Detections as CSV output |
| .\LNK\Hunt\XLSX | Detections as XLSX output |
# Links
https://github.com/ufrisk/MemProcFS/wiki/FS_Forensic_Ntfs
https://github.com/AbdulRhmanAlfaifi/lnk_parser
https://u0041.co/blog/post/4
https://www.sentinelone.com/labs/who-needs-macros-threat-actors-pivot-to-abusing-explorer-and-other-lolbins-via-windows-shortcuts/
Last updated: 2022-09-06