1. Home
  2. Techniques
  3. Enterprise
  4. Obfuscated Files or Information
  5. LNK Icon Smuggling

Obfuscated Files or Information: LNK Icon Smuggling

ID Name
T1027.001 Binary Padding
T1027.002 Software Packing
T1027.003 Steganography
T1027.004 Compile After Delivery
T1027.005 Indicator Removal from Tools
T1027.006 HTML Smuggling
T1027.007 Dynamic API Resolution
T1027.008 Stripped Payloads
T1027.009 Embedded Payloads
T1027.010 Command Obfuscation
T1027.011 Fileless Storage
T1027.012 LNK Icon Smuggling
T1027.013 Encrypted/Encoded File
T1027.014 Polymorphic Code

Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise seemingly benign windows shortcut files. Windows shortcut files (.LNK) include many metadata fields, including an icon location field (also known as the IconEnvironmentDataBlock) designed to specify the path to an icon file that is to be displayed for the LNK file within a host directory.

Adversaries may abuse this LNK metadata to download malicious payloads. For example, adversaries have been observed using LNK files as phishing payloads to deliver malware. Once invoked (e.g., Malicious File), payloads referenced via external URLs within the LNK icon location field may be downloaded. These files may also then be invoked by Command and Scripting Interpreter/System Binary Proxy Execution arguments within the target path field of the LNK.[1][2]

LNK Icon Smuggling may also be utilized post compromise, such as malicious scripts executing an LNK on an infected host to download additional malicious payloads.

ID: T1027.012
Sub-technique of:  T1027
Tactic: Defense Evasion
Platforms: Windows
Contributors: Andrew Northern, @ex_raritas; Gregory Lesnewich, @greglesnewich; Michael Raggi @aRtAGGI
Version: 1.0
Created: 29 September 2023
Last Modified: 17 October 2023
Version Permalink

Mitigations

ID Mitigation Description
M1049 Antivirus/Antimalware

Use signatures or heuristics to detect malicious LNK and subsequently downloaded files.
M1040 Behavior Prevention on Endpoint

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated scripts or payloads.

Detection

ID Data Source Data Component Detects
DS0022 File File Creation

Monitor for downloaded malicious files, though developing rules for the different variants, with a combination of different encoding and/or encryption schemes, may be very challenging. Consider monitoring files downloaded from the Internet, possibly by LNK Icon Smuggling, for suspicious activities. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities.
File Metadata

Monitor contextual data about a file that may highlight embedded malicious content, which may include information such as name, the content (ex: signature, headers, or data/media), file size, etc.; correlate with other suspicious behavior to reduce false positives.

References

  1. Unprotect Project. (2019, March 18). Shortcut Hiding. Retrieved October 3, 2023.
  1. Weyne, F. (2017, April). Booby trap a shortcut with a backdoor. Retrieved October 3, 2023.