- Why .LNK attacks work
- Anatomy of a malicious shortcut
- Common delivery tricks
- How to spot fake .LNK files
- Detections: Sigma, YARA, queries
- Hardening: GPO and ASR
- Incident response playbook
- PowerShell quick audit
- User training checklist
Why .LNK attacks work
Windows shortcuts (.lnk) launch programs with arguments. Attackers abuse this by shipping a shortcut that looks like a document or a single file inside a ZIP/ISO. File Explorer hides extensions by default, so a name like Invoice.pdf.lnk appears as a PDF. One double-click executes the attacker’s command.
Shortcuts bypass macro blocks and work anywhere script interpreters are present. Defense requires layered controls: visibility of extensions, email filtering, constrained interpreters, and detections for suspicious parents like Explorer spawning script hosts.
Anatomy of a malicious shortcut
- Target: cmd.exe, powershell.exe, wscript.exe, mshta.exe, or rundll32.exe.
- Arguments: long/obfuscated strings, Base64, flags like -nop, -w hidden, -enc.
- Working directory: a temp path or Downloads.
- Icon: copies the Word/PDF icon to look benign.
Common delivery tricks
- ZIP/7z with one “document” that is actually a shortcut.
- ISO/IMG that auto-mount; the visible file is a shortcut with a lure.
- Cloud shares (Drive/OneDrive) hosting compressed payloads.
- Dropper scripts that plant a shortcut on the Desktop/Public Desktop.
How to spot fake .LNK files
- Enable extensions: View → File name extensions.
- Add the Type column; look for “Shortcut”.
- Right-click → Properties → read Target and Arguments.
- Treat names ending with .pdf.lnk or .docx.lnk as suspicious.
- Be wary of document icons inside newly mounted ISOs or fresh ZIP extractions.
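The anatomy and spotting checklists above can be applied without ever double-clicking the file: a shortcut is a small binary (the MS-SHLLINK format) whose target, arguments, working directory, window style and icon can be read straight from the bytes on any analysis box. The following is an added example, not code from the article or from CyberDudeBivash; it builds a constructed sample shortcut in memory (the target, arguments and icon path are made up for the demonstration), parses it, and runs the checklist from the text over the result. The parser also skips the LinkTargetIDList and reads the LocalBasePath from LinkInfo, so it generalises to real shortcuts that carry an absolute target rather than only a relative one.

```python
"""Offline triage of a Windows shortcut (MS-SHLLINK): read target, arguments,
working directory and window style straight from the bytes, never launching it."""
import struct

# HeaderSize 0x4C followed by the ShellLink CLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7          # "minimised, no focus": the window style lures favour
INTERPRETERS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
RISKY_ARGS = ("-nop", "-w hidden", "-enc", "frombase64string")
DOC_EXT = ("pdf", "doc", "docx", "xls", "xlsx")
DOC_APPS = ("winword.exe", "acrord32.exe", "excel.exe")

def _string_data(buf, off, unicode):
    """StringData item: CountCharacters (uint16) then the characters, no terminator."""
    n = struct.unpack_from("<H", buf, off)[0]
    off += 2
    if unicode:
        return buf[off:off + 2 * n].decode("utf-16-le"), off + 2 * n
    return buf[off:off + n].decode("latin-1"), off + n

def parse_lnk(buf):
    """Walk header -> LinkTargetIDList -> LinkInfo -> StringData and return the fields."""
    if buf[:20] != LNK_MAGIC:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", buf, 20)[0]
    show = struct.unpack_from("<I", buf, 60)[0]
    off = 76
    if flags & HAS_IDLIST:                  # IDListSize (uint16) + IDList bytes, skipped
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    local_base = ""
    if flags & HAS_LINKINFO:
        li_size, _hdr, li_flags = struct.unpack_from("<III", buf, off)
        if li_flags & 0x1:                  # VolumeIDAndLocalBasePath: absolute target path
            start = off + struct.unpack_from("<I", buf, off + 16)[0]
            local_base = buf[start:buf.index(b"\x00", start)].decode("latin-1")
        off += li_size
    info = {"local_base_path": local_base, "show_command": show}
    unicode = bool(flags & IS_UNICODE)
    for bit, key in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                     (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon")):
        info[key] = ""
        if flags & bit:
            info[key], off = _string_data(buf, off, unicode)
    return info

def triage(filename, info):
    """Apply the article's checklist: double extension, interpreter target,
    risky flags, minimised window, document icon on a non-document target."""
    findings = []
    stem = filename.lower()[:-4] if filename.lower().endswith(".lnk") else ""
    if stem.rsplit(".", 1)[-1] in DOC_EXT:
        findings.append("double extension")
    target = (info["local_base_path"] or info["relative_path"]).lower()
    if target.endswith(INTERPRETERS):
        findings.append("script interpreter target")
    if any(a in info["arguments"].lower() for a in RISKY_ARGS):
        findings.append("risky arguments")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window minimised")
    if info["icon"].lower().endswith(DOC_APPS) and not target.endswith(DOC_APPS):
        findings.append("document icon on non-document target")
    return findings

def build_sample_lnk(target, relpath, workdir, args, icon):
    """Constructed sample (not a file from the article): minimal LNK with LinkInfo + StringData."""
    flags = HAS_LINKINFO | HAS_RELPATH | HAS_WORKDIR | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = (LNK_MAGIC + struct.pack("<II", flags, 0x20) + bytes(24)
              + struct.pack("<III", 0, 0, SW_SHOWMINNOACTIVE) + bytes(12))
    vol = struct.pack("<IIII", 17, 3, 0, 16) + b"\x00"      # minimal VolumeID, empty label
    lbp = target.encode("latin-1") + b"\x00"
    li_size = 28 + len(vol) + len(lbp) + 1
    linkinfo = struct.pack("<IIIIIII", li_size, 28, 1, 28, 28 + len(vol), 0,
                           28 + len(vol) + len(lbp)) + vol + lbp + b"\x00"
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + linkinfo + sd(relpath) + sd(workdir) + sd(args) + sd(icon)

SAMPLE = build_sample_lnk(
    r"C:\Windows\System32\cmd.exe", r"..\..\..\Windows\System32\cmd.exe", "%TEMP%",
    "/c powershell -nop -w hidden -enc QQBBAA==",   # constructed; the Base64 decodes to 'AA'
    r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE")

if __name__ == "__main__":
    info = parse_lnk(SAMPLE)
    print(info)
    print(triage("Invoice.pdf.lnk", info))
```

Point `parse_lnk` at the bytes of a quarantined shortcut (`open(path, "rb").read()`) to get the same fields Properties would show, plus the ShowCommand value that the dialog does not expose; a value of 7 on a shortcut that claims to open a document is a strong signal on its own.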
Official analysis by CyberDudeBivash Threat Intel Network
Detections: Sigma, YARA, and queries
Sigma: suspicious interpreter from Explorer
title: Suspicious Shortcut Launching Script Interpreter
logsource:
  category: process_creation
  product: windows
detection:
  sel1:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\wscript.exe'
      - '\cscript.exe'
      - '\mshta.exe'
      - '\rundll32.exe'
  sel2:
    ParentImage|endswith: '\explorer.exe'
  condition: sel1 and sel2
level: high
tags:
  - attack.t1204.002
  - lnk-abuse
YARA: shortcut metadata with risky targets
rule LNK_Suspicious_Target {
  meta:
    description = "Shortcut targets a script interpreter with risky arguments"
  strings:
    // StringData in a shortcut is normally UTF-16LE, so match wide as well as ascii
    $cmd = "cmd.exe" ascii wide nocase
    $ps  = "powershell.exe" ascii wide nocase
    $wsc = /(w|c)script\.exe/ ascii wide nocase
    $hta = "mshta.exe" ascii wide nocase
    $arg = /-nop|-w hidden|-enc|FromBase64String/ ascii wide nocase
  condition:
    // ShellLinkHeader: HeaderSize 0x4C and the first dword of the ShellLink CLSID
    uint32(0) == 0x0000004C and uint32(4) == 0x00021401 and
    1 of ($cmd, $ps, $wsc, $hta) and $arg
}
Microsoft Defender / Sentinel KQL
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "explorer.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
| order by Timestamp desc
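The Sigma rule and the KQL query above share one condition: a script interpreter whose parent is explorer.exe. That same condition also fires when a user opens Command Prompt from a pinned shortcut, so in practice the hit needs a second signal before it is worth an analyst's time. The following is an added example, not code from the article or from CyberDudeBivash: it runs the rule over constructed Sysmon-style process-creation events and adds a tier based on the other indicators the article lists (risky interpreter flags, a temp, Downloads or mounted-image working directory). The event field names follow Sysmon's process-create event; the events themselves are made up.

```python
"""Run the Explorer -> script-interpreter logic of the Sigma rule and KQL query
over process-creation events, with a tier so an analyst can separate a user
opening Command Prompt from a likely shortcut lure."""
import json
import re

INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
RISKY_ARGS = re.compile(r"-nop\b|-w\s+hidden|-enc\b|frombase64string", re.I)
# Working directories the article flags: temp paths, Downloads, a freshly mounted image (D:\, E:\ ...)
SUSPECT_CWD = re.compile(r"(\\temp\\|\\downloads\\?$|^[d-z]:\\?$)", re.I)

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Sigma 'sel1 and sel2': interpreter image with an explorer.exe parent.
    Returns None when the rule does not fire, otherwise (tier, reasons)."""
    if _basename(event.get("ParentImage", "")) != "explorer.exe":
        return None
    image = _basename(event.get("Image", ""))
    if image not in INTERPRETERS:
        return None
    reasons = [f"explorer.exe spawned {image}"]
    if RISKY_ARGS.search(event.get("CommandLine", "")):
        reasons.append("risky interpreter flags")
    if SUSPECT_CWD.search(event.get("CurrentDirectory", "")):
        reasons.append("launched from temp/Downloads/mounted image")
    tier = "high" if len(reasons) >= 2 else "medium"   # one signal alone is triage, not alert
    return tier, reasons

def scan(lines):
    """Evaluate newline-delimited JSON events and keep only rule hits."""
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        result = evaluate(event)
        if result:
            hits.append((event["Seq"], _basename(event["Image"]), result[0]))
    return hits

# Constructed Sysmon-style events, not real telemetry. Seq is just a sample number.
SAMPLE_EVENTS = r"""
{"Seq": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -nop -w hidden -enc QQBBAA==", "CurrentDirectory": "D:\\"}
{"Seq": 2, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe", "CurrentDirectory": "C:\\Users\\alice"}
{"Seq": 3, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt", "CurrentDirectory": "C:\\Users\\alice\\Documents"}
{"Seq": 4, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c whoami", "CurrentDirectory": "C:\\Users\\alice"}
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Event 1 lands as high (interpreter, hidden-window flags, launched from a mounted image root), event 2 as medium (a plain cmd.exe from Explorer, which is exactly what a user opening Command Prompt looks like), event 3 never matches, and event 4 is Office spawning a shell, which belongs to a different rule and is intentionally not claimed by this one.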
Hardening: Group Policy and Attack Surface Reduction
- Show extensions (GPO): User Config → Explorer → “Hide extensions for known file types” = Disabled.
- AppLocker/WDAC to block wscript.exe, cscript.exe, mshta.exe for standard users.
- Mail gateway quarantine for .lnk; disable auto-mount of ISO from email origins.
- ASR rules: block Office child processes; block obfuscated scripts; reduce credential theft.
- PowerShell: Constrained Language Mode; Script Block Logging; AMSI enabled.
Incident response playbook
- Contain the endpoint (network isolate).
- Collect recent .lnk files, prefetch, PowerShell logs, and Sysmon if present.
- Hunt for the same hash/filename across the fleet; review mounted ISO history.
- Eradicate persistence (startup items, tasks); remove dropped binaries; rotate creds if needed.
- Recover and re-enforce policies; document IOCs.
- Notify compliance if regulated data may be involved.
PowerShell: quick audit
List shortcuts in Downloads/Desktop and inspect targets:
# One WScript.Shell COM object, reused for every file; CreateShortcut only parses the .lnk, it does not run it
$sh = New-Object -ComObject WScript.Shell
Get-ChildItem -Path "$env:USERPROFILE\Downloads","$env:USERPROFILE\Desktop" -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
  ForEach-Object {
    $sc = $sh.CreateShortcut($_.FullName)
    [PSCustomObject]@{
      Path    = $_.FullName
      Target  = $sc.TargetPath
      Args    = $sc.Arguments
      WorkDir = $sc.WorkingDirectory
      Window  = $sc.WindowStyle   # 7 = minimised/no focus, a favourite of lures
    }
  } | Format-Table -AutoSize
User training: 30-second checklist
- Never open “documents” that end with .lnk.
- When in doubt: Properties → read Target.
- Be suspicious of single-file ZIPs with document icons.
- Report unexpected ISOs that mount automatically.