Malicious LNK Files

LNK files (Shell Link files, extension .lnk) are Windows files that point at another resource such as an executable, a document or a folder. Windows uses them for desktop and Start menu shortcuts, toolbars, and the Recent Items list; Explorer hides the .lnk extension and shows the icon the shortcut asks for, not the icon of its target.

Malware often abuses LNK files to masquerade as legitimate files and to maintain persistence: a shortcut named like a document, carrying a document icon, can have a target of cmd.exe or powershell.exe with a long argument string, and its window style can be set to start minimised so the console is not seen. A popular location for LNK files placed for persistence is the Startup folders, both the per-user one (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) and the all-users one (%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp); anything there runs at every logon.

The LNK binary format is documented in Microsoft's MS-SHLLINK specification: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/16cb4ca1-9339-4d0c-a68d-bf1d6cc0f943

The following PowerShell function uses the WScript.Shell COM object to read every shortcut under a directory and outputs one shortcut object per file, exposing its TargetPath, Arguments, WorkingDirectory, IconLocation, WindowStyle and Hotkey as properties that can be filtered with Where-Object:

Function Get-LNKInfo {
    [cmdletbinding()]
    param ([string]$Path = ".")

    # WScript.Shell.CreateShortcut opens an existing .lnk and returns a WshShortcut
    # object (FullName, TargetPath, Arguments, WorkingDirectory, IconLocation,
    # WindowStyle, Hotkey). It only reads the file; it does not run the target.
    # WindowStyle 7 means the window starts minimised, a common malware setting.
    $sh = New-Object -ComObject "WScript.Shell"

    # -Force also returns hidden and system files, where malicious shortcuts are often placed.
    $lnks = Get-ChildItem -Path $Path -Filter "*.lnk" -Recurse -File -ErrorAction SilentlyContinue -Force
    $lnks | ForEach-Object { $sh.CreateShortcut($_.FullName) }
}

# Example:
# Get-LNKInfo C:\Users\ | Where-Object {$_.TargetPath -match "cmd"}
Get-LNKInfo
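The COM approach above needs a Windows host. For an offline triage box (or a case where you do not want the shell to touch the file at all), the MS-SHLLINK specification linked above is enough to read the shortcut directly. The Python below is an added example, not code from the original post: it parses the ShellLinkHeader, the LocalBasePath inside LinkInfo and the StringData strings, then applies a few triage rules (minimised window, interpreter target, over-long arguments, icon borrowed from a file other than the target). The sample shortcut is constructed in memory by build_sample_lnk() so the script runs without any real .lnk file; the rule set, the scan_directory() helper and its thresholds are this example's own choices, not part of the page or of any tool it describes.

```python
"""Stand-alone MS-SHLLINK (.lnk) parser with a small triage rule set (added example)."""
import glob
import os
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 0x4C                                              # ShellLinkHeader is always 76 bytes
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1) needed to walk the file
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7                                          # ShowCommand: start the window minimised
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe"}   # example's own watch-list, extend as needed


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; zero means 'not set'."""
    if ft == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def _basename(win_path):
    """Last component of a Windows path, lower-cased, independent of the host OS."""
    return win_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_lnk(data):
    """Return a dict with the header fields, the LinkInfo local path and the StringData strings."""
    if len(data) < HEADER_SIZE or data[:4] != struct.pack("<I", HEADER_SIZE) or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file (bad HeaderSize or LinkCLSID)")
    flags, attrs, _ctime, _atime, wtime, size, icon_idx, show_cmd, hotkey = struct.unpack_from("<IIQQQIiIH", data, 20)
    info = {"flags": flags, "file_attributes": attrs, "write_time": filetime_to_datetime(wtime),
            "file_size": size, "icon_index": icon_idx, "show_command": show_cmd, "hotkey": hotkey}
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:                         # IDListSize (uint16) followed by the ItemIDs: skip
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                                    # LinkInfo is size-prefixed; offsets are relative to its start
        li_size, _li_hdr, li_flags, _vol_off, lbp_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x1:                                       # VolumeIDAndLocalBasePath: NUL-terminated ANSI path
            start = pos + lbp_off
            info["local_base_path"] = data[start:data.index(b"\x00", start)].decode("latin-1")
        pos += li_size
    # StringData: each present string is CountCharacters (uint16) + characters, no terminator,
    # UTF-16LE when IsUnicode is set, one-byte characters otherwise. Fixed order per the spec.
    for bit, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                     (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            info[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count * width
    return info


def triage(info):
    """Example heuristics over a parsed shortcut; returns a list of human-readable findings."""
    findings = []
    target = info.get("local_base_path") or info.get("relative_path") or ""
    args = info.get("arguments", "").lower()
    icon = info.get("icon_location", "")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=7 (SW_SHOWMINNOACTIVE): console window starts minimised")
    # coarse match: interpreter file name as the target, or its stem anywhere in the arguments
    if _basename(target) in INTERPRETERS or any(i[:-4] in args for i in INTERPRETERS):
        findings.append("target or arguments invoke a script host/interpreter: %s %s" % (target, args))
    if len(args) > 260:
        findings.append("argument string longer than 260 characters; Explorer's Target field truncates it")
    if icon and _basename(icon) != _basename(target):
        findings.append("icon comes from a different file than the target (possible document-icon masquerade)")
    return findings


def scan_directory(root):
    """Parse every .lnk under root (e.g. a Startup folder copied from an image); returns {path: findings}."""
    results = {}
    for path in glob.glob(os.path.join(root, "**", "*.lnk"), recursive=True):
        with open(path, "rb") as fh:
            results[path] = triage(parse_lnk(fh.read()))
    return results


def build_sample_lnk():
    """Constructed sample: a shortcut named 'Invoice' with a shell32 icon that really runs cmd.exe."""
    flags = HAS_LINK_INFO | HAS_NAME | HAS_WORKING_DIR | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = (struct.pack("<I", HEADER_SIZE) + LINK_CLSID
              + struct.pack("<IIQQQIiIH", flags, 0x20, 0, 0, 0, 0, 1, SW_SHOWMINNOACTIVE, 0) + bytes(10))
    local_path = b"C:\\Windows\\System32\\cmd.exe\x00"
    volume_id = struct.pack("<IIII", 0x11, 3, 0x1A2B3C4D, 0x10) + b"\x00"  # size, DRIVE_FIXED, serial, label offset, ""
    lbp_off = 0x1C + len(volume_id)                                         # LinkInfoHeaderSize is 0x1C
    suffix_off = lbp_off + len(local_path)
    link_info = (struct.pack("<IIIIIII", suffix_off + 1, 0x1C, 0x1, 0x1C, lbp_off, 0, suffix_off)
                 + volume_id + local_path + b"\x00")                        # trailing NUL = empty CommonPathSuffix

    def s(text):                                                            # one StringData entry, UTF-16LE
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    strings = (s("Invoice") + s("%TEMP%")
               + s('/c powershell -NoProfile -WindowStyle Hidden -Command "Start-Process calc"')
               + s("%SystemRoot%\\System32\\shell32.dll"))
    return header + link_info + strings + struct.pack("<I", 0)               # ExtraData TerminalBlock


if __name__ == "__main__":
    parsed = parse_lnk(build_sample_lnk())
    for key, value in parsed.items():
        print("%-16s %r" % (key, value))
    for finding in triage(parsed):
        print("!!", finding)
```

Run it as-is to see the constructed shortcut decoded and flagged; point scan_directory() at an exported Startup folder to run the same rules over real files. The parser deliberately skips the LinkTargetIDList and the ExtraData blocks; a shortcut that carries its target only in the IDList (no LinkInfo, no RelativePath) will show an empty target here and should be looked at by hand or with a fuller parser.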
