Tuesday, March 10, 2026

LNK Files

I know what you're thinking..."LNK files? Again? Dude, you are like a dog with a bone!"

Yes. Yes, I am. But in this case, I'll keep it short. I've posted a lot...a LOT...about LNK files, and there's very likely more to come in the future.

Wietze recently shared a blog post on LNK files that summarizes the LNK file structure, explains some of the issues associated with LNK files and why threat actors use them, and introduces a tool called "lnk-it-up" for "generating and identifying deceptive LNK files".

One commentator described Wietze's blog post as a "nice summary". It's much more than that: it provides an overview of the structure, as well as the ways in which an LNK file can be modified to "exploit" casual viewing of the file via its Properties dialog.

However, what the article does not go into is the metadata embedded in the LNK file, and how that metadata can be used for threat intelligence, as well as for detections if you have tooling that can consume it, such as Yara rules.
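As an added example (not code from this post or from Wietze's lnk-it-up), here is a minimal parser for the metadata the paragraph above refers to: the ShellLinkHeader fields, the StringData strings, and the TrackerDataBlock, whose MachineID and version-1 ObjectID GUID (which carries the authoring host's NIC MAC) are the fields most often pivoted on for intelligence. The sample LNK bytes are constructed inline; the machine name, MAC and GUIDs in it are invented, and the layout follows MS-SHLLINK.

```python
import struct
import uuid

LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]  # StringData order

def parse_lnk(data: bytes) -> dict:
    """Extract ShellLinkHeader fields, StringData and TrackerDataBlock metadata."""
    if data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LINK_CLSID.bytes_le:
        raise ValueError("not a Shell Link (.lnk) file")
    flags, attrs = struct.unpack_from("<II", data, 20)
    ctime, atime, wtime, size, icon, show, hotkey = struct.unpack_from("<QQQIiIH", data, 28)
    meta = {"link_flags": flags, "file_attributes": attrs, "creation_time": ctime, "write_time": wtime,
            "target_size": size, "icon_index": icon, "show_command": show, "hotkey": hotkey}
    off = 0x4C
    if flags & 0x01:  # HasLinkTargetIDList: 2-byte IDListSize, then the ItemID list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & 0x02:  # HasLinkInfo: LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    width, enc = (2, "utf-16-le") if flags & 0x80 else (1, "cp1252")  # IsUnicode flag
    for bit, name in STRING_FIELDS:
        if flags & bit:
            n = struct.unpack_from("<H", data, off)[0]  # CountCharacters, not bytes
            meta[name] = data[off + 2:off + 2 + n * width].decode(enc)
            off += 2 + n * width
    while off + 8 <= len(data):  # ExtraData blocks until the TerminalBlock (size < 4)
        bsize, sig = struct.unpack_from("<II", data, off)
        if bsize < 4:
            break
        if sig == 0xA0000003 and bsize >= 0x60:  # TrackerDataBlock
            meta["machine_id"] = data[off + 16:off + 32].split(b"\0", 1)[0].decode("ascii", "replace")
            obj = uuid.UUID(bytes_le=data[off + 48:off + 64])  # Droid file ObjectID
            meta["droid_object"] = str(obj)
            if obj.version == 1:  # v1 GUID: node field is the MAC of the host that created the LNK
                meta["mac_address"] = ":".join(f"{b:02x}" for b in obj.bytes[10:])
        off += bsize
    return meta

def build_sample_lnk() -> bytes:
    """Constructed sample (not a real capture): no IDList/LinkInfo, Unicode strings, tracker block."""
    flags = 0x08 | 0x20 | 0x80  # HasRelativePath | HasArguments | IsUnicode
    hdr = struct.pack("<I", 0x4C) + LINK_CLSID.bytes_le + struct.pack("<II", flags, 0x20)
    hdr += struct.pack("<QQQIiIHHII", 0, 0, 0, 0, 0, 7, 0, 0, 0, 0)  # ShowCommand 7 = SW_SHOWMINNOACTIVE
    s = lambda t: struct.pack("<H", len(t)) + t.encode("utf-16-le")
    vol = uuid.UUID("2c0b8a44-5b1e-4f9b-8a0f-0123456789ab")  # invented volume GUID (v4)
    obj = uuid.UUID("c2b1a4f0-1f8d-11f0-9f5e-001122334455")  # invented ObjectID (v1, MAC 00:11:22:33:44:55)
    tracker = (struct.pack("<IIII", 0x60, 0xA0000003, 0x58, 0) + b"DESKTOP-SAMPLE".ljust(16, b"\0")
               + (vol.bytes_le + obj.bytes_le) * 2)  # Droid and DroidBirth identical here
    return hdr + s(r"..\..\Windows\System32\notepad.exe") + s("sample.txt") + tracker + b"\0\0\0\0"
```

Running `parse_lnk(build_sample_lnk())` yields the ShowCommand, the argument string, the MachineID and the MAC, which is what a Yara rule or a triage script would match on or feed into intelligence.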

I do like that Wietze provides tooling to check for some of the aspects of malicious LNK files, and I think that, combined with other mechanisms and tooling, it would provide a more thorough approach to detection, as well as to utilizing the findings for intelligence purposes.
