Detect Suspicious LNK Files
Windows shortcut (LNK) files are frequently abused by threat actors. In this article we cover an example scenario that takes a couple of characteristics into account to block potentially malicious shortcut files.
LNK files can be abused in many different ways. In this example, we use two separate triggers to issue the block action:
- PowerShell is called with http(s):// in its script/arguments, which could indicate a downloader
- the command line arguments specified in the LNK file are very long (> 400 characters), which is quite common with more complex obfuscated payloads
To handle the first case, we use the following ContextQL query, which checks the values of the metadata keys storing the path and the command line arguments. We check for two ways of calling PowerShell (directly via the relative path, or with /c powershell in the arguments), and use iregex() for case-insensitive matching:
object_type == "LNK"
&& (@match_object_meta($string_data.relative_path iregex("powershell.exe"))
|| @match_object_meta($string_data.command_line_arguments iregex("/c powershell")))
&& @match_object_meta($string_data.command_line_arguments iregex("(http://|https://)"))
To detect the second case we use the following query - see regex() for details on the specific construct we use for the length check:
object_type == "LNK"
&& @match_object_meta($string_data.command_line_arguments regex("^.{200}.{200,}"))
Finally, we combine them into a single query:
object_type == "LNK"
&& ((@match_object_meta($string_data.relative_path iregex("powershell.exe"))
|| @match_object_meta($string_data.command_line_arguments iregex("/c powershell")))
&& @match_object_meta($string_data.command_line_arguments iregex("(http://|https://)"))
|| @match_object_meta($string_data.command_line_arguments regex("^.{200}.{200,}")))
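To show what the combined query is actually evaluating, here is an added example (not part of the original scenario or of the Contextal code base) that parses the StringData section of a shortcut according to the MS-SHLLINK layout and applies the same two triggers with Python's re module; the build_lnk() helper constructs a minimal LNK blob for testing and is an assumption of this example, not a real-world sample.

```python
import re
import struct

# LinkFlags bits from the MS-SHLLINK ShellLinkHeader (4-byte field at offset 20)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "command_line_arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

def parse_string_data(data: bytes) -> dict:
    """Extract the StringData section of an LNK blob (the keys the page's query inspects)."""
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != 0x4C or data[4:20] != LINK_CLSID:
        raise ValueError("not a ShellLinkHeader")
    flags, = struct.unpack_from("<I", data, 20)
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo (its size field includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_FIELDS:              # fixed order, each field optional
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, pos)  # CountCharacters, not bytes
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw, pos = data[pos:pos + width * count], pos + width * count
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")  # cp1252 assumed for ANSI
    return fields

def is_suspicious(fields: dict) -> bool:
    """Same logic as the combined ContextQL query: (PowerShell AND URL) OR very long arguments."""
    rel = fields.get("relative_path", "")
    args = fields.get("command_line_arguments", "")
    calls_powershell = bool(re.search("powershell.exe", rel, re.I)
                            or re.search("/c powershell", args, re.I))
    has_url = bool(re.search("(http://|https://)", args, re.I))
    very_long = bool(re.search("^.{200}.{200,}", args))   # 400 or more characters
    return (calls_powershell and has_url) or very_long

def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal LNK (header + StringData only) used as test input; not a real-world sample."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LINK_CLSID + struct.pack("<I", flags) + bytes(0x4C - 24)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments))
    return header + body
```

Real shortcuts usually also carry a LinkTargetIDList and LinkInfo block, which the parser skips by their size fields before reading the strings.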
Click on the download button below to get the scenario, then upload it using the Contextal Console or the ctx command line tool (when using the latter, don't forget to reload remote scenarios after adding a new one!):
{
"name": "Suspicious LNK",
"min_ver": 1,
"max_ver": null,
"creator": "Contextal",
"description": "Block potentially suspicious LNK files.",
"local_query": "object_type == \"LNK\"\n && ((@match_object_meta($string_data.relative_path iregex(\"powershell.exe\"))\n || @match_object_meta($string_data.command_line_arguments iregex(\"/c powershell\")))\n && @match_object_meta($string_data.command_line_arguments iregex(\"(http://|https://)\"))\n || @match_object_meta($string_data.command_line_arguments regex(\"^.{200}.{200,}\")))",
"context": null,
"action": "BLOCK"
}