LNK Phishing: Analysis and Simulation

Deep dive into malicious LNK (shortcut) files used in phishing campaigns - how they work, real-world examples, and detection strategies.

lnk phishing malware initial-access detection splunk

Originally published on the Splunk Security Blog
Read the full article: LNK Phishing Analysis & Simulation

Why LNK Files?

LNK (shortcut) files are the perfect phishing payload:

  • Familiar - Users see shortcuts daily
  • Trusted - Not blocked by email filters the way .exe attachments are
  • Flexible - Can execute any command
  • Deceptive - Custom icons hide true nature

Anatomy of a Malicious LNK

[Shell Link Header]
├── Icon: legitimate_app.ico
├── Target: C:\Windows\System32\cmd.exe
├── Arguments: /c powershell -w hidden -e [base64]
└── Working Directory: %TEMP%

The user sees a Word document icon. They double-click. PowerShell runs.
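To see those fields as they actually sit inside the file, here is an added example (not code from the original article) that parses the MS-SHLLINK header and StringData of a shortcut and flags the indicators just described: a document icon in front of a shell target, a hidden or encoded PowerShell command line, and a ShowCommand that starts the window minimised. The sample shortcut bytes are constructed inline by `build_lnk()`; the base64 argument is just the UTF-16 encoding of "calc".

```python
"""Extract the triage-relevant fields from a Windows shortcut (MS-SHLLINK) and flag
the indicators described above.  Added example, not from the original article; the
sample shortcut bytes are constructed here with build_lnk()."""
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that starts the window minimised

LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_FMT = "<I16sIIQQQIIIHHII"  # ShellLinkHeader: 76 bytes
STRING_FIELDS = (  # StringData sections, in the order the format stores them
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"))


def build_lnk(relative_path, working_dir, arguments, icon_location, show_command=1):
    """Build a minimal shortcut (header + StringData only) for testing. Constructed sample."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | HAS_ICON_LOCATION
    header = struct.pack(HEADER_FMT, 0x4C, LINK_CLSID, flags, 0x20,  # FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b""
    for s in (relative_path, working_dir, arguments, icon_location):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")  # CountCharacters + chars
    return header + body


def parse_lnk(data):
    """Return ShowCommand plus the StringData fields; skips IDList and LinkInfo."""
    if len(data) < 0x4C:
        raise ValueError("too short for a ShellLinkHeader")
    fields = struct.unpack(HEADER_FMT, data[:0x4C])
    header_size, clsid, flags, show_command = fields[0], fields[1], fields[2], fields[9]
    if header_size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:  # target as shell item IDs; IDListSize is 2 bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # volume and local base path; LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"show_command": show_command}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            info[name] = data[pos:pos + count * 2].decode("utf-16-le")
            pos += count * 2
        else:
            info[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return info


SHELL_HOSTS = ("cmd.exe", "powershell", "mshta", "wscript", "cscript", "rundll32")
DOCUMENT_ICONS = ("winword", "excel", "acrord", ".docx", ".pdf", ".xlsx")


def triage(info):
    """Return human-readable findings for a parsed shortcut (heuristics, not a verdict)."""
    findings = []
    launch = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    icon = info.get("icon_location", "").lower()
    spawns_shell = any(h in launch for h in SHELL_HOSTS)
    if spawns_shell:
        findings.append("target or arguments invoke a command shell or script host")
    if spawns_shell and any(d in icon for d in DOCUMENT_ICONS):
        findings.append("document icon masks a shell target")
    if "-w hidden" in launch or "-windowstyle hidden" in launch:
        findings.append("PowerShell window hidden")
    if " -e " in f" {launch} " or " -enc" in f" {launch} ":
        findings.append("encoded PowerShell command")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=7 (window starts minimised)")
    return findings


# Constructed samples: the shape described in the tree above, and a plain application shortcut.
SAMPLE_MALICIOUS = build_lnk(
    relative_path="..\\..\\..\\Windows\\System32\\cmd.exe",
    working_dir="%TEMP%",
    arguments="/c powershell -w hidden -e YwBhAGwAYwA=",  # base64 of UTF-16 "calc"
    icon_location="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
    show_command=SW_SHOWMINNOACTIVE)
SAMPLE_BENIGN = build_lnk("Notepad++\\notepad++.exe", "", "", "", show_command=1)

if __name__ == "__main__":
    for label, blob in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, parse_lnk(blob), triage(parse_lnk(blob)))
```

The parser deliberately steps over the LinkTargetIDList and LinkInfo structures, which is where a real shortcut stores its absolute target; the relative path, arguments and icon location live in StringData and are the fields phishing triage cares about most. Run it against a real `.lnk` by passing `open(path, "rb").read()` to `parse_lnk`.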

Real-World Attack Flow

  1. Email arrives - “Invoice attached”
  2. ZIP contains LNK - Disguised as document
  3. User opens LNK - Thinks it’s a document
  4. Command executes - Downloads and runs payload
  5. Malware installed - Initial access achieved

Detection Strategies

LNK Spawning Suspicious Processes

index=sysmon EventCode=1 
  ParentCommandLine="*.lnk*"
  Image IN ("*\\cmd.exe", "*\\powershell.exe", "*\\mshta.exe")
| table _time, Computer, User, CommandLine

LNK Files in User Directories

index=sysmon EventCode=11 
  (TargetFilename="*\\Downloads\\*.lnk" OR TargetFilename="*\\Temp\\*.lnk")
| table _time, Computer, User, TargetFilename

Unusual LNK Target Paths

index=sysmon EventCode=1 
  ParentImage="*\\explorer.exe"
  (CommandLine="*\\cmd.exe*" OR CommandLine="*\\powershell.exe*")
| rex field=CommandLine "/c\s+(?<payload>.*)"
| table _time, Computer, payload
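The three searches above translate directly into rule logic. The following added example (not from the original article) implements them in Python and runs them over a handful of constructed Sysmon-style events, so the matching and the `/c` payload extraction can be checked without a Splunk instance. Note which rule fires for which event: a plain double-click in Explorer produces a child of `explorer.exe` whose own command line never names the shortcut, so the third search is the one that catches it, while the first search fires when the `.lnk` path appears in a parent's command line (for example `cmd.exe /c start ... report.lnk`).

```python
"""Apply the three detection rules above to constructed Sysmon-style events.
Added example, not from the original article; the events are made up to exercise the rules."""
import re
from fnmatch import fnmatchcase

SHELL_IMAGES = ("*\\cmd.exe", "*\\powershell.exe", "*\\mshta.exe")
LNK_DROP_PATHS = ("*\\Downloads\\*.lnk", "*\\Temp\\*.lnk")
PAYLOAD_RE = re.compile(r"/c\s+(?P<payload>.*)", re.IGNORECASE)  # same extraction as the rex above


def like(value, pattern):
    """Case-insensitive wildcard match, mirroring Splunk's * in a field comparison."""
    return fnmatchcase(value.lower(), pattern.lower())


def lnk_spawns_shell(ev):
    """Rule 1: a process whose parent command line names a .lnk starts a shell or script host."""
    return (ev.get("EventCode") == 1
            and ".lnk" in ev.get("ParentCommandLine", "").lower()
            and any(like(ev.get("Image", ""), p) for p in SHELL_IMAGES))


def lnk_in_user_dir(ev):
    """Rule 2: a .lnk is written under Downloads or Temp (Sysmon event 11, FileCreate)."""
    return ev.get("EventCode") == 11 and any(
        like(ev.get("TargetFilename", ""), p) for p in LNK_DROP_PATHS)


def explorer_shell_payload(ev):
    """Rule 3: explorer.exe launches cmd/powershell; return the text after /c, else None."""
    if ev.get("EventCode") != 1 or not like(ev.get("ParentImage", ""), "*\\explorer.exe"):
        return None
    cmd = ev.get("CommandLine", "")
    if not (like(cmd, "*\\cmd.exe*") or like(cmd, "*\\powershell.exe*")):
        return None
    m = PAYLOAD_RE.search(cmd)
    return m.group("payload") if m else None


def run_rules(events):
    """Return (rule, detail) tuples in event order, one per rule that fired."""
    alerts = []
    for ev in events:
        if lnk_spawns_shell(ev):
            alerts.append(("lnk_spawns_shell", ev["Image"]))
        if lnk_in_user_dir(ev):
            alerts.append(("lnk_in_user_dir", ev["TargetFilename"]))
        payload = explorer_shell_payload(ev)
        if payload is not None:
            alerts.append(("explorer_shell_payload", payload))
    return alerts


EVENTS = [  # constructed events, in the order a phishing chain would produce them
    {"EventCode": 11, "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Program Files\\7-Zip\\7zG.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\Invoice.lnk"},
    {"EventCode": 1, "Computer": "WS01", "User": "CORP\\alice",
     "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "C:\\Windows\\Explorer.EXE",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c powershell -w hidden -e YwBhAGwAYwA='},
    {"EventCode": 1, "Computer": "WS01", "User": "CORP\\alice",  # benign: Word opened from Explorer
     "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "C:\\Windows\\Explorer.EXE",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": '"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" /n '
                    '"C:\\Users\\alice\\Documents\\notes.docx"'},
    {"EventCode": 1, "Computer": "WS01", "User": "CORP\\alice",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "ParentCommandLine": 'cmd.exe /c start "" "C:\\Users\\alice\\AppData\\Local\\Temp\\report.lnk"',
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -w hidden -e YwBhAGwAYwA="},
]

if __name__ == "__main__":
    for rule, detail in run_rules(EVENTS):
        print(f"{rule}: {detail}")
```

The benign Word launch from Explorer produces no alert, which is the point of restricting the third rule to `cmd.exe` and `powershell.exe` command lines rather than every child of `explorer.exe`.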

Building Test LNKs

For detection testing, you can create LNKs programmatically:

# Creates a harmless test shortcut in %TEMP% that launches calc.exe through cmd.exe,
# so the detections above can be exercised without a real payload
$shell = New-Object -ComObject WScript.Shell
$lnk = $shell.CreateShortcut("$env:TEMP\test.lnk")
$lnk.TargetPath = "cmd.exe"          # resolved via PATH to C:\Windows\System32\cmd.exe
$lnk.Arguments = "/c calc.exe"       # the command that runs when the shortcut is opened
$lnk.IconLocation = "shell32.dll,1"  # icon index 1 in shell32.dll: a generic document icon
$lnk.Save()

Read the full analysis: LNK Phishing Analysis & Simulation
