← Back to Explore
sublimehighRule
Attachment: LNK with embedded content
Emotet has been observed to embed executable content within an LNK file to deliver and execute VBScript when launched. Similar research has demonstrated how this concept may be applied to deliver and launch an embedded executable via PowerShell.
Detection Query
type.inbound
and (
any(attachments,
.file_extension == "lnk"
and any(file.explode(.),
.file_extension =~ "lnk"
and any(.scan.exiftool.fields,
(.key == "TargetFileSize" and .value == "0")
)
and any(.scan.exiftool.fields,
(
.key == "CommandLineArguments"
and strings.ilike(.value,
"*findstr*",
"*sc $path*",
"*Set-Content*"
)
)
)
)
)
)
Author
ajpc500
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
References
Tags
Malfam: Emotet
Raw Content
name: "Attachment: LNK with embedded content"
description: |
Emotet has been observed to embed executable content within an LNK file to deliver and execute VBScript when launched.
Similar research has demonstrated how this concept may be applied to deliver and launch an embedded executable via PowerShell.
references:
- "https://forensicitguy.github.io/shortcut-to-emotet-ttp-change/"
- "https://www.x86matthew.com/view_post?id=embed_exe_lnk"
type: "rule"
authors:
- twitter: "ajpc500"
severity: "high"
source: |
type.inbound
and (
any(attachments,
.file_extension == "lnk"
and any(file.explode(.),
.file_extension =~ "lnk"
and any(.scan.exiftool.fields,
(.key == "TargetFileSize" and .value == "0")
)
and any(.scan.exiftool.fields,
(
.key == "CommandLineArguments"
and strings.ilike(.value,
"*findstr*",
"*sc $path*",
"*Set-Content*"
)
)
)
)
)
)
tags:
- "Malfam: Emotet"
attack_types:
- "Malware/Ransomware"
tactics_and_techniques:
- "Exploit"
- "LNK"
- "Scripting"
detection_methods:
- "Content analysis"
- "Exif analysis"
- "File analysis"
id: "41452f7a-c77d-5259-a5fb-91b1b4419364"