There's a good bit of file analysis that goes into CTI reports, including (but not limited to) malware analysis. But for some reason, not all files appear to be worthy of parsing and analysis. We also tend to see in-depth descriptions of the value of LNK files to forensic analysis, particularly when looking at user activity on an endpoint. However, while LNK files still tend to be a popular delivery mechanism for kicking off attacks, not a great deal of effort goes into analysis of these files, nor does effort go into recording their metadata for use in detections or threat intel.
Sure, we see reports that include screen captures of command lines embedded in LNK files, but what we don't see is LNK file metadata truly, fully exploited. The last time I can remember really seeing LNK file metadata incorporated into analysis was the Mandiant write-up on CozyBear from Nov 2018, where figures 5 & 6 illustrate differences between the 2016 and 2018 campaigns by comparing LNK file metadata.
[Figure 1: LNK metadata (Source: TheHackerNews)]
The point is that there is significant value in tracking LNK file metadata across campaigns, as doing so gives us a better view into threat actor tooling and situational awareness. For example, in the Mandiant comparison of the two CozyBear campaigns (2016, 2018), they used embedded timestamps to support a finding in their analysis. In Figure 1, we see in the comparison between the two LNK files that the timestamps were "zeroed out". By looking further into available metadata, we can make determinations around the threat actor tooling, as well as the process they use for developing the LNK files, and the lures, providing insight into their situational awareness.
But I get it; all of this requires rigor. First, analysts and organizations need to know that this information is available, and then they need to know how to extract it, aggregate it, and track it. Then, findings need to be supported by accumulated data, as part of a review process.
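To make the "extract, aggregate, track" step concrete, here is an added example (not from the original post) that parses the fixed 76-byte ShellLinkHeader of an LNK file, per the MS-SHLLINK header layout, and reports the fields worth tracking across campaigns: the three embedded FILETIME values (which describe the link target, not the .lnk file itself), the target size, and the ShowCommand value. It flags the "zeroed out" timestamp case from the Mandiant comparison. The two sample headers at the bottom are constructed in the script for demonstration; the campaign labels and the `campaign_summary` aggregation are my own, not anything from the Mandiant report.

```python
import struct
from datetime import datetime, timedelta, timezone

# Fixed 76-byte ShellLinkHeader (MS-SHLLINK section 2.1), all fields little-endian:
# HeaderSize, LinkCLSID, LinkFlags, FileAttributes, CreationTime, AccessTime,
# WriteTime, FileSize, IconIndex, ShowCommand, HotKey, Reserved1..3
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
_HEADER_FMT = "<I16sIIQQQIIIHHII"
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, or None when zeroed."""
    if ft == 0:
        return None
    return _EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used only to build the constructed samples below."""
    return int((dt - _EPOCH).total_seconds() * 10_000_000)


def parse_lnk_header(data):
    """Return the ShellLinkHeader fields of a .lnk file as a dict; ValueError if not a shell link."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than a ShellLinkHeader")
    (hdr_size, clsid, link_flags, file_attrs, ctime, atime, wtime,
     file_size, icon_index, show_cmd, _hotkey, _r1, _r2, _r3) = struct.unpack_from(_HEADER_FMT, data, 0)
    if hdr_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("HeaderSize/LinkCLSID mismatch: not a shell link header")
    return {
        "link_flags": link_flags,
        "file_attributes": file_attrs,
        # These describe the *target* at link-creation time, not the .lnk file on disk.
        "target_ctime": filetime_to_datetime(ctime),
        "target_atime": filetime_to_datetime(atime),
        "target_wtime": filetime_to_datetime(wtime),
        "target_size": file_size,
        "icon_index": icon_index,
        "show_command": show_cmd,          # 1 = SW_SHOWNORMAL, 7 = SW_SHOWMINNOACTIVE
        "timestamps_zeroed": ctime == atime == wtime == 0,
    }


def build_lnk_header(ctime=None, atime=None, wtime=None, file_size=0, show_command=1):
    """Constructed header-only sample (no LinkInfo/StringData sections) for exercising the parser."""
    def ft(d):
        return datetime_to_filetime(d) if d else 0
    return struct.pack(_HEADER_FMT, HEADER_SIZE, LINK_CLSID, 0, 0x20,  # 0x20 = FILE_ATTRIBUTE_ARCHIVE
                       ft(ctime), ft(atime), ft(wtime), file_size, 0, show_command, 0, 0, 0, 0)


def campaign_summary(samples):
    """Aggregate the trackable fields across (label, bytes) pairs so campaigns can be compared."""
    rows = []
    for label, blob in samples:
        h = parse_lnk_header(blob)
        rows.append({
            "sample": label,
            "timestamps_zeroed": h["timestamps_zeroed"],
            "target_wtime": h["target_wtime"].isoformat() if h["target_wtime"] else None,
            "target_size": h["target_size"],
            "show_command": h["show_command"],
        })
    return rows


# Constructed samples standing in for LNK files from two hypothetical campaigns.
T = datetime(2016, 7, 1, 9, 30, tzinfo=timezone.utc)
SAMPLES = [
    ("campaign_a", build_lnk_header(T, T, T, file_size=345600, show_command=7)),
    ("campaign_b", build_lnk_header(show_command=7)),  # all three timestamps left at zero
]

if __name__ == "__main__":
    for row in campaign_summary(SAMPLES):
        print(row)
```

On real files, read the first 76 bytes of each .lnk and feed them to `parse_lnk_header`; the rows from `campaign_summary` are what you would accumulate over time so that a change in tooling (timestamps suddenly zeroed, a different ShowCommand, a different target size) stands out between campaigns rather than being noticed by luck.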