Malicious LNK files may be used by adversaries to execute payloads through shortcut redirection, bypassing standard file execution detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or persistence tactics that evade traditional detection methods.
YARA Rule
rule malicious_LNK_files
{
    meta:
        author = "@patrickrolsen"
    strings:
        $magic = {4C 00 00 00 01 14 02 00} // L....... (HeaderSize 0x4C + start of LinkCLSID)
        $s1 = "\\RECYCLER\\" wide
        $s2 = "%temp%" wide
        $s3 = "%systemroot%\\system32\\cmd.exe" wide
        //$s4 = "./start" wide
        $s5 = "svchost.exe" wide
        $s6 = "lsass.exe" wide
        $s7 = "csrss.exe" wide
        $s8 = "winlogon.exe" wide
        //$s9 = "%cd%" wide
        $s10 = "%appdata%" wide
        $s11 = "%programdata%" wide
        $s12 = "%localappdata%" wide
        $s13 = ".cpl" wide
    condition:
        ($magic at 0) and any of ($s*)
}
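To make the rule's logic concrete, the following added example (not code from the rule's author or from this page) re-implements the condition in plain Python: the 8-byte header check at offset 0 and a search for the active strings encoded as UTF-16LE, which is what YARA's wide modifier means. The sample buffers are constructed for the example and only carry enough structure (a 76-byte header plus string data) to exercise the rule; they are not valid shell links.

```python
# Re-implementation of the rule's condition for illustration; assumes nothing
# beyond the Python standard library.

# Same bytes as the rule's $magic: HeaderSize (0x4C) followed by the first four
# bytes of the shell-link LinkCLSID in little-endian order.
LNK_MAGIC = bytes.fromhex("4C00000001140200")
HEADER_SIZE = 0x4C

# The rule's active strings; the two commented-out entries ($s4, $s9) are omitted.
RULE_STRINGS = {
    "s1": "\\RECYCLER\\",
    "s2": "%temp%",
    "s3": "%systemroot%\\system32\\cmd.exe",
    "s5": "svchost.exe",
    "s6": "lsass.exe",
    "s7": "csrss.exe",
    "s8": "winlogon.exe",
    "s10": "%appdata%",
    "s11": "%programdata%",
    "s12": "%localappdata%",
    "s13": ".cpl",
}


def wide(text: str) -> bytes:
    """YARA 'wide' strings are UTF-16LE; encode the pattern the same way."""
    return text.encode("utf-16-le")


def scan_lnk(data: bytes) -> dict:
    """Mirror '($magic at 0) and any of ($s*)'.

    Matching is case-sensitive, exactly as in the rule (no 'nocase' modifier),
    and only UTF-16LE occurrences count, because every string is 'wide'.
    """
    magic_ok = data.startswith(LNK_MAGIC)
    hits = [sid for sid, pattern in RULE_STRINGS.items() if wide(pattern) in data]
    return {"magic": magic_ok, "strings": hits, "match": magic_ok and bool(hits)}


def build_sample(string_data: str, lnk_header: bool = True) -> bytes:
    """Constructed test buffer: a zero-padded 76-byte header followed by UTF-16LE
    string data. Not a valid shell link, just enough to exercise the condition."""
    header = LNK_MAGIC if lnk_header else b"MZ\x90\x00"  # wrong magic for the negative case
    header += b"\x00" * (HEADER_SIZE - len(header))
    return header + wide(string_data)


if __name__ == "__main__":
    samples = {
        "cmd via %systemroot% with %temp% argument": build_sample(
            "%systemroot%\\system32\\cmd.exe /c echo %temp%"),
        "ordinary application shortcut": build_sample("C:\\Program Files\\App\\app.exe"),
        "upper-case %TEMP% (misses: rule is case-sensitive)": build_sample("%TEMP%\\app.exe"),
        "matching strings but not an LNK header": build_sample("%temp%\\app.exe", lnk_header=False),
        "ASCII %temp% (misses: rule strings are wide)": LNK_MAGIC + b"\x00" * 68 + b"%temp%",
    }
    for label, buf in samples.items():
        print(f"{label}: {scan_lnk(buf)}")
```

Two of the constructed cases are worth noting when tuning: the rule is case-sensitive, so an upper-case %TEMP% in the link's string data is not matched, and only UTF-16LE occurrences count, so the same text stored as ASCII is not matched either. Whether to widen the rule (for example with nocase or ascii wide) is a coverage-versus-false-positive decision for the team deploying it.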
This YARA rule can be deployed in the following contexts:
This rule contains 14 string patterns in its detection logic.
Scenario: A system administrator is using PowerShell to generate a legitimate .lnk shortcut for a scheduled task.
Filter/Exclusion: Exclude files created by PowerShell scripts that match known administrative tools or tasks (e.g., powershell.exe with -Command to create shortcuts).

Scenario: A Windows Update or Microsoft Endpoint Manager (MEM) deployment creates .lnk shortcuts for software installation.
Filter/Exclusion: Exclude files located in standard deployment directories such as C:\Windows\Temp or C:\ProgramData\Microsoft\Windows\Temporary Internet Files.

Scenario: A backup tool (e.g., Veeam, Acronis, or Veritas) generates .lnk shortcuts as part of its job configuration.
Filter/Exclusion: Exclude files with known backup tool signatures or located in backup directories (e.g., C:\Backup, C:\Users\Public\Backup).

Scenario: A scheduled task (via Task Scheduler) is configured to launch a .lnk shortcut as part of an automated process (e.g., system cleanup or log rotation).
Filter/Exclusion: Exclude files associated with scheduled tasks, such as those in C:\Windows\Tasks or with .job or .xml task configuration files.

Scenario: A remote desktop session (e.g., via RDP) creates a .lnk shortcut on the remote machine to launch a local application.
Filter/Exclusion: Exclude files created by remote session tools or located in user-specific directories such as C:\Users\<username>\AppData\Roaming.
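The scenarios above describe exclusions applied at triage time, after the rule fires, rather than changes to the rule itself. The following added example (not from this page or the rule's author) shows one way to encode them: each hit carries the file path and the creating process taken from file-create telemetry, path exclusions are matched case-insensitively with Windows semantics, and the '*' in the Users pattern stands in for the page's <username>. The creator-process allow-list, the script name in it, and the sample hits are constructed assumptions for the example.

```python
import fnmatch
from dataclasses import dataclass
from typing import Optional

# Path exclusions transcribed from the scenarios above. fnmatch's '*' also spans
# backslashes, so each pattern covers the directory and everything beneath it.
EXCLUDED_PATH_PATTERNS = {
    r"C:\Windows\Temp\*": "deployment directory (Windows Update / MEM)",
    r"C:\ProgramData\Microsoft\Windows\Temporary Internet Files\*": "deployment directory (Windows Update / MEM)",
    r"C:\Backup\*": "backup tool directory",
    r"C:\Users\Public\Backup\*": "backup tool directory",
    r"C:\Windows\Tasks\*": "scheduled task directory",
    r"C:\Users\*\AppData\Roaming\*": "user roaming profile (remote session tooling)",
}

# Creator-process exclusion for the PowerShell scenario. A bare process name is
# too broad, so the entry also requires a known administrative script name on the
# command line. The script name here is an assumption for the example.
EXCLUDED_CREATORS = {
    "powershell.exe": {"New-TaskShortcut.ps1"},  # hypothetical admin script
}


@dataclass(frozen=True)
class Hit:
    path: str               # full path of the .lnk that matched the rule
    creator: str            # process that wrote the file (EDR / Sysmon file-create event)
    command_line: str = ""  # creator's command line, when the telemetry carries it


def _norm(path: str) -> str:
    """Windows paths are case-insensitive and may arrive with forward slashes."""
    return path.replace("/", "\\").lower()


def exclusion_reason(hit: Hit) -> Optional[str]:
    """Return the page's exclusion reason that applies, or None if the hit should alert."""
    for pattern, reason in EXCLUDED_PATH_PATTERNS.items():
        if fnmatch.fnmatchcase(_norm(hit.path), _norm(pattern)):
            return reason
    scripts = EXCLUDED_CREATORS.get(hit.creator.lower(), set())
    if any(script.lower() in hit.command_line.lower() for script in scripts):
        return "known administrative shortcut-creation task"
    return None


def triage(hits):
    """Split rule hits into (alerts, suppressed); suppressed entries carry their reason."""
    alerts, suppressed = [], []
    for hit in hits:
        reason = exclusion_reason(hit)
        (suppressed if reason else alerts).append((hit, reason))
    return alerts, suppressed


# Constructed sample hits; none of these paths or processes come from the page's data.
SAMPLE_HITS = [
    Hit(r"C:\Windows\Temp\pkg1\Install.lnk", "msiexec.exe"),
    Hit(r"C:/Users/alice/AppData/Roaming/Vendor/Tool.lnk", "explorer.exe"),
    Hit(r"C:\Backup\jobs\Nightly.lnk", "VeeamAgent.exe"),
    Hit(r"C:\ProgramData\Tasks\Cleanup.lnk", "powershell.exe",
        "powershell.exe -Command C:\\Admin\\New-TaskShortcut.ps1"),
    Hit(r"C:\ProgramData\Tasks\Other.lnk", "powershell.exe",
        "powershell.exe -Command New-Object -ComObject WScript.Shell"),
    Hit(r"C:\Users\bob\Downloads\Report.lnk", "explorer.exe"),
]

if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_HITS)
    for hit, reason in suppressed:
        print(f"suppressed: {hit.path}  ({reason})")
    for hit, _ in alerts:
        print(f"ALERT:      {hit.path}  created by {hit.creator}")
```

Because the Roaming exclusion also covers the per-user Start Menu and its Startup folder, it suppresses a location that is commonly reviewed for persistence; narrowing that pattern to the specific subfolders the remote-session tooling writes to is a reasonable first tuning step, and every suppressed hit should still be retained in logs so the exclusions can be audited.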