Stuxnet Sample - file Copy of Shortcut to.lnk

Hunt Hypothesis

The detection identifies potential adversary behavior involving the creation of a shortcut (.lnk) file as a method to execute malicious payloads, often used in advanced persistent threats. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage malware activity and prevent lateral movement or data exfiltration.

YARA Rule

rule Stuxnet_Shortcut_to 
{

    meta:
        description = "Stuxnet Sample - file Copy of Shortcut to.lnk"
        author = "Florian Roth"
        reference = "Internal Research"
        date = "2016-07-09"
        hash1 = "801e3b6d84862163a735502f93b9663be53ccbdd7f12b0707336fecba3a829a2"

    strings:
        $x1 = "\\\\.\\STORAGE#Volume#_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP#5B6B098B97BE&0#{53f56307-b6bf-11d0-94f2-00a0c" wide

    condition:
        uint16(0) == 0x004c and filesize < 10KB and $x1
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 1 string patterns in its detection logic.

References

• Internal Research
• Source Rule

False Positive Guidance

• Scenario: User creates a shortcut to a legitimate application
  Description: A user manually creates a .lnk shortcut to a valid application (e.g., notepad.exe) on their desktop.
  Filter/Exclusion: Exclude files where the target path is a known valid application path (e.g., C:\Windows\System32\notepad.exe).
  Example Filter: file.target != "C:\Windows\System32\notepad.exe"

• Scenario: Scheduled Task creates a shortcut for automation
  Description: A scheduled task or automation tool (e.g., PowerShell, Task Scheduler) generates a .lnk shortcut to a script or executable as part of a legitimate process.
  Filter/Exclusion: Exclude files created by known automation tools or scheduled tasks (e.g., powershell.exe, schtasks.exe).
  Example Filter: process.name in ("powershell.exe", "schtasks.exe")

• Scenario: Admin deploys a shortcut for a remote desktop connection
  Description: An administrator creates a .lnk shortcut to a remote desktop connection (e.g., mstsc.exe) for user convenience.
  Filter/Exclusion: Exclude files where the target is a remote desktop executable or a valid RDP connection.
  Example Filter: file.target contains "mstsc.exe"

• Scenario: Software Installation creates a shortcut during setup
  Description: A legitimate software installation package (e.g., Adobe, Microsoft Office) creates a .lnk shortcut during installation.
  Filter/Exclusion: Exclude files created by known software installers (e.g., setup.exe, msiexec.exe).
  Example Filter: process.name in ("setup.exe", "msiexec.exe")

• **Scenario: File synchronization tool creates a shortcut