Malicious LNK Files

LNK files are special files on Windows that link to another resource. These are commonly used for shortcuts, toolbars, and recently used folders.

Malware often abuses LNK files to masquerade as legitimate files and maintaining persistence. A popular location for LNK files to be placed for persistence purposes is in Startup Folders.

LNK files binary format documentation can be found here: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/16cb4ca1-9339-4d0c-a68d-bf1d6cc0f943

This PowerShell script will parse and display LNK files in human-readable format:

Function Get-LNKInfo {
    [cmdletbinding()]
    param ([string]$Path)

    $sh = New-Object -ComObject "WScript.Shell"
    if ($Path -eq "") { $Path = "." }
    $lnks = Get-ChildItem -Path $Path -Filter "*.lnk" -Recurse -ErrorAction SilentlyContinue -Force
    $lnks | ForEach-Object { $sh.Createshortcut($_.FullName) }
}

# Example:
# Get-LNKInfo C:\Users\ | Where-Object {$_.TargetPath -match "cmd"}
Get-LNKInfo

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s