← Back to Explore
sublimehighRule
Attachment: LNK file
Recursively scans files and archives to detect LNK connection files. LNK files can be weaponised to execute arbitrary commands including unpacking and running executable content embedded within the file itself.
Detection Query
type.inbound
and any(attachments,
.file_extension =~ "lnk"
or (
.file_extension in~ $file_extensions_common_archives
and any(file.explode(.), .file_extension =~ "lnk")
)
)
Author
ajpc500
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
References
Raw Content
name: "Attachment: LNK file"
description: |
Recursively scans files and archives to detect LNK connection files.
LNK files can be weaponised to execute arbitrary commands including unpacking and running executable content embedded within the file itself.
references:
- "https://forensicitguy.github.io/shortcut-to-emotet-ttp-change/"
- "https://delivr.to/payloads?id=a9f91563-a31f-49f4-9e6c-c6a9fe8095c4"
- "https://delivr.to/payloads?id=db034beb-1909-421f-85d0-98fdc37da5f3"
type: "rule"
authors:
- twitter: "ajpc500"
severity: "high"
source: |
type.inbound
and any(attachments,
.file_extension =~ "lnk"
or (
.file_extension in~ $file_extensions_common_archives
and any(file.explode(.), .file_extension =~ "lnk")
)
)
attack_types:
- "Malware/Ransomware"
tactics_and_techniques:
- "LNK"
detection_methods:
- "Archive analysis"
- "File analysis"
id: "44532abe-f65f-54e6-afe2-d4589e4253ae"