Persistence via LNK (Shortcut) File Abuse (T1547.009)

Windows LNK files (shortcuts) are small files pointing to executables, scripts, or directories. Attackers abuse LNK files to execute malicious payloads silently, either when a user interacts with the shortcut or automatically via startup locations

LNK Files (Shortcut Files)

What is an LNK File?

An LNK file (Windows shortcut) is a small file that points to another file, folder, or program. These are commonly used to create desktop shortcuts, allowing users to quickly open applications without navigating to the actual file location. However, attackers can manipulate LNK files to execute malicious commands silently.

🛠 Key Fields in LNK Files:

Target Path – The primary file or program the shortcut runs.
Arguments – Commands or scripts executed alongside the target.
Icon Path – Can mimic legitimate files or folders to disguise malicious LNKs. (e.g., a fake PDF or folder icon).

How Attackers Use It

Dropping Malicious LNK Files in Startup Locations
- LNK files placed in C:\\Users\\<User>\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ execute automatically at login.
- Example: A shortcut named Update.lnk that secretly runs:
```
powershell.exe -ExecutionPolicy Bypass -File C:\\malware.ps1
```

Modifying Legitimate Shortcuts

Append malicious commands to existing LNKs (e.g., Chrome, Word).

Example:

Original Target: "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
Modified Target: "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe && powershell.exe -exec bypass -file C:\\payload.ps1"

Embedding LNK Files in USB Drives or Network Shares
- LNK files on removable media can be configured to execute malware when accessed.
- Example: LNK pointing to C:\\USBDrive\\hidden\\malware.vbs.
Phishing or Drive-By Execution
- Delivered via email or downloads.
- Often combined with LOLBins like mshta.exe or rundll32.exe.

Examples of LNK File Abuse

Example 1: Simple Malicious LNK