Malicious LNK Files

LNK files are special files on Windows that link to another resource. These are commonly used for shortcuts, toolbars, and recently used folders.

Malware often abuses LNK files to masquerade as legitimate files and to maintain persistence. A popular location for LNK files to be placed for persistence purposes is the Startup folders, since every shortcut there is launched at logon.

Documentation for the LNK binary file format can be found here:

This PowerShell script will parse every LNK file under a directory and display its properties (target path, arguments, working directory, icon location) in human-readable form:

Function Get-LNKInfo {
    param ([string]$Path)

    # WScript.Shell exposes CreateShortcut, which parses an existing .lnk into an object
    $sh = New-Object -ComObject "WScript.Shell"
    if ($Path -eq "") { $Path = "." }
    # -Force includes hidden shortcuts; -Recurse walks subfolders such as the Startup folders
    $lnks = Get-ChildItem -Path $Path -Filter "*.lnk" -Recurse -ErrorAction SilentlyContinue -Force
    # Emit one shortcut object per file so the caller can filter on TargetPath, Arguments, etc.
    $lnks | ForEach-Object { $sh.CreateShortcut($_.FullName) }
}

# Example:
# Get-LNKInfo C:\Users\ | Where-Object {$_.TargetPath -match "cmd"}
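Building on the script above, here is an added example (not the original post's code) that hunts the per-user and all-users Startup folders for shortcuts whose target or arguments reference a script host or interpreter, and reports the fields a responder wants to see. The function name and the indicator keyword list are assumptions chosen for illustration.

```powershell
# Added example: hunt Startup folders for LNK files that launch an interpreter or script host.
# The indicator list below is an assumption; tune it for your environment.
Function Find-SuspiciousStartupLnk {
    param (
        [string[]]$Paths = @(
            [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
            [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
        ),
        [string[]]$Indicators = @('cmd', 'powershell', 'wscript', 'cscript', 'mshta', 'rundll32', 'regsvr32')
    )

    $sh = New-Object -ComObject 'WScript.Shell'
    # Build one alternation regex from the indicator keywords, escaping any regex metacharacters
    $pattern = ($Indicators | ForEach-Object { [regex]::Escape($_) }) -join '|'

    foreach ($dir in $Paths) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk = $sh.CreateShortcut($_.FullName)
                # Flag if either the target binary or its command-line arguments match an indicator;
                # checking Arguments catches shortcuts whose target is benign but which pass a script
                $suspicious = ($lnk.TargetPath -match $pattern) -or ($lnk.Arguments -match $pattern)
                [PSCustomObject]@{
                    Lnk              = $_.FullName
                    Target           = $lnk.TargetPath
                    Arguments        = $lnk.Arguments
                    WorkingDirectory = $lnk.WorkingDirectory
                    IconLocation     = $lnk.IconLocation   # a mismatched icon is a masquerading tell
                    WindowStyle      = $lnk.WindowStyle    # 7 = minimized, often used to hide a console
                    Suspicious       = $suspicious
                }
            }
    }
}

# Usage: list only the flagged shortcuts with all fields
# Find-SuspiciousStartupLnk | Where-Object Suspicious | Format-List
```

Run it under an account that can read both Startup folders; a shortcut that is flagged still needs review of its Arguments and IconLocation before being treated as malicious.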
