
Suspicious LNK Double Extension File Created

sigma MEDIUM SigmaHQ
T1036.007
imFileEvent
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-03-25T03:05:59Z · Confidence: medium

Hunt Hypothesis

Adversaries may deliver LNK files named with a double extension (a document-like extension such as .pdf or .docx followed by .lnk) so that, with Explorer hiding known extensions by default, the shortcut appears to be an ordinary document and is more likely to be opened. SOC teams should proactively hunt for the creation of such files in Azure Sentinel to identify potential persistence or execution tactics early.

Detection Rule

Sigma (Original)

title: Suspicious LNK Double Extension File Created
id: 3215aa19-f060-4332-86d5-5602511f3ca8
related:
    - id: b4926b47-a9d7-434c-b3a0-adc3fa0bd13e
      type: derived
status: test
description: |
    Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default.
references:
    - https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/
    - https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
    - https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles
    - https://twitter.com/malwrhunterteam/status/1235135745611960321
    - https://twitter.com/luc4m/status/1073181154126254080
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2022-11-07
modified: 2023-10-18
tags:
    - attack.defense-evasion
    - attack.t1036.007
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '.lnk'
        TargetFilename|contains:
            - '.doc.'
            - '.docx.'
            - '.jpg.'
            - '.pdf.'
            - '.ppt.'
            - '.pptx.'
            - '.xls.'
            - '.xlsx.'
    filter_main_recent:
        TargetFilename|contains: '\AppData\Roaming\Microsoft\Windows\Recent\'
    filter_optional_office_recent:
        Image|endswith:
            # Note: Some additional office application might need to be added
            - '\excel.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
        TargetFilename|contains: '\AppData\Roaming\Microsoft\Office\Recent\'
    filter_optional_office_excel:
        Image|endswith: '\excel.exe'
        TargetFilename|contains: '\AppData\Roaming\Microsoft\Excel'
    filter_optional_office_powerpoint:
        Image|endswith: '\powerpnt.exe'
        TargetFilename|contains: '\AppData\Roaming\Microsoft\PowerPoint'
    filter_optional_office_word:
        Image|endswith: '\winword.exe'
        TargetFilename|contains: '\AppData\Roaming\Microsoft\Word'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Some tuning is required for other general purpose directories of third party apps
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension/info.yml

KQL (Azure Sentinel)

imFileEvent
// The Sigma file_event category corresponds to file-creation events in the ASIM FileEvent schema.
| where EventType == "FileCreated"
// Sigma TargetFilename is a full path. In ASIM, TargetFilePath holds the full path while
// TargetFileName is the name only, so the path-based filters below must use TargetFilePath.
| where TargetFilePath endswith ".lnk"
| where TargetFilePath contains ".doc." or TargetFilePath contains ".docx." or TargetFilePath contains ".jpg." or TargetFilePath contains ".pdf."
    or TargetFilePath contains ".ppt." or TargetFilePath contains ".pptx." or TargetFilePath contains ".xls." or TargetFilePath contains ".xlsx."
// filter_main_recent: Explorer's own store of recently opened files
| where not(TargetFilePath contains @"\AppData\Roaming\Microsoft\Windows\Recent\")
// filter_optional_*: the Sigma Image field is the creating process, which in ASIM is ActingProcessName
| where not(
    ((ActingProcessName endswith @"\excel.exe" or ActingProcessName endswith @"\powerpnt.exe" or ActingProcessName endswith @"\winword.exe")
        and TargetFilePath contains @"\AppData\Roaming\Microsoft\Office\Recent\")
    or (ActingProcessName endswith @"\excel.exe" and TargetFilePath contains @"\AppData\Roaming\Microsoft\Excel")
    or (ActingProcessName endswith @"\powerpnt.exe" and TargetFilePath contains @"\AppData\Roaming\Microsoft\PowerPoint")
    or (ActingProcessName endswith @"\winword.exe" and TargetFilePath contains @"\AppData\Roaming\Microsoft\Word")
  )
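The following Python is an added worked example, not part of the SigmaHQ rule or of this feed, that replays the rule's selection and filter logic over a handful of constructed Sysmon-style file-creation events (Image = creating process, TargetFilename = full path). It matches case-insensitively, as Sigma does by default, and also shows what Explorer displays for each hit when the .lnk extension is hidden. The sample paths and process names are invented for illustration.

```python
"""Replay of the 'Suspicious LNK Double Extension File Created' logic over
constructed file-creation events. Field names follow Sysmon event 11:
Image (creating process) and TargetFilename (full path of the created file)."""
from __future__ import annotations

# Sigma 'selection': final extension .lnk, with a document-like extension before it
DOC_EXTENSIONS = (".doc.", ".docx.", ".jpg.", ".pdf.", ".ppt.", ".pptx.", ".xls.", ".xlsx.")

# Sigma 'filter_main_recent': Explorer's store of shortcuts to recently opened files
RECENT_DIR = "\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\"

# Sigma 'filter_optional_*': (allowed creating-process suffixes, directory fragment) pairs.
# Both the process AND the directory must match for the event to be suppressed.
OFFICE_FILTERS = (
    (("\\excel.exe", "\\powerpnt.exe", "\\winword.exe"), "\\AppData\\Roaming\\Microsoft\\Office\\Recent\\"),
    (("\\excel.exe",), "\\AppData\\Roaming\\Microsoft\\Excel"),
    (("\\powerpnt.exe",), "\\AppData\\Roaming\\Microsoft\\PowerPoint"),
    (("\\winword.exe",), "\\AppData\\Roaming\\Microsoft\\Word"),
)


def matches_selection(target: str) -> bool:
    """Case-insensitive version of the rule's 'selection' block."""
    t = target.lower()
    return t.endswith(".lnk") and any(ext in t for ext in DOC_EXTENSIONS)


def is_filtered(image: str, target: str) -> bool:
    """True when any filter_main_* or filter_optional_* block matches."""
    i, t = image.lower(), target.lower()
    if RECENT_DIR.lower() in t:
        return True
    for suffixes, directory in OFFICE_FILTERS:
        if any(i.endswith(s) for s in suffixes) and directory.lower() in t:
            return True
    return False


def evaluate(event: dict) -> bool:
    """Rule condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*."""
    target = event.get("TargetFilename", "")
    return matches_selection(target) and not is_filtered(event.get("Image", ""), target)


def displayed_name(target: str) -> str:
    """What Explorer shows with default settings: the final path component
    with the .lnk extension hidden, so 'invoice.pdf.lnk' reads as 'invoice.pdf'."""
    name = target.rsplit("\\", 1)[-1]
    return name[:-4] if name.lower().endswith(".lnk") else name


# Constructed sample events (illustrative, not real telemetry)
SAMPLE_EVENTS = [
    # Double-extension shortcut dropped in Downloads: fires
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice.pdf.lnk"},
    # Explorer's Recent folder: suppressed by filter_main_recent
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Recent\report.docx.lnk"},
    # Word writing its own Office Recent shortcut (mixed case): suppressed by filter_optional_office_recent
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Office\Recent\report.docx.LNK"},
    # Same Word directory but a different creating process: the filter needs both, so this fires
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\photo.jpg.lnk"},
    # .txt is not in the selection list: no match
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\notes.txt.lnk"},
]


def hits(events) -> list[str]:
    """Return the TargetFilename of every event that fires the rule."""
    return [e["TargetFilename"] for e in events if evaluate(e)]


if __name__ == "__main__":
    for path in hits(SAMPLE_EVENTS):
        print(f"ALERT {path}  (shown to the user as: {displayed_name(path)})")
```

The fourth sample event is the one worth noticing when tuning: the Word-related filter suppresses an event only when both the creating process and the directory match, so a non-Office process writing a double-extension shortcut into an Office profile directory still fires. Any additional exclusions added for third-party applications, as the rule's falsepositives note anticipates, should be paired with the creating process in the same way.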

False Positive Guidance

MITRE ATT&CK Context

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml