LNK Files

LNK or Link files are essentially shortcuts to applications, programs, <insert flavor here>, in a Windows OS. These can be created by a user (e.g. a desktop shortcut) or by the OS itself, and they can have different implications depending on how they came to exist. Traditionally these files can be found at:

  • C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent
  • C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Office\Recent
  • C:\Users\%USERNAME%\Downloads
  • C:\Users\%USERNAME%\Recent
  • C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
  • Generically – StartUp locations

At a high level, when a user double-clicks a file and executes it, that action essentially adds a LNK for that file to the “Recent” folder. The metadata contained within is typically about the parent host and file, not the “victim” or “child” (e.g. if I create a LNK <app.shortcut> and then move it to another system, the metadata will still pertain to my host and the original file).

Information that the artifact tracks:

  • Directory – Original File
  • MACB – Artifact and Original File. Caveats – “the time of file creation corresponds either to the time the file was created by a user or to the time of the first file access event associated with a shortcut. As for the modification time, it normally corresponds to the last file access event associated with a shortcut.”
  • File Size – Original File
  • Drive Type – Artifact
  • Volume SN – Artifact
  • Volume Label – Artifact
  • NetBIOS Name – Original
  • MAC Address – Original
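As an added example (not the author's code or any tool they reference), here is a small Python parser that pulls the fields listed above out of a .lnk byte string, following the MS-SHLLINK layout: drive type, volume serial and label from LinkInfo/VolumeID, and the NetBIOS name and MAC address from the TrackerDataBlock, where the MAC is the node field of the file's version-1 UUID. The `build_sample_lnk()` helper assembles a constructed minimal shortcut so the parser can be run offline; its host name, path, volume serial and MAC are made-up values.

```python
import struct
from datetime import datetime, timedelta, timezone
from uuid import UUID

LNK_CLSID = UUID("00021401-0000-0000-c000-000000000046").bytes_le
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE, TRACKER_SIG = 0x01, 0x02, 0x80, 0xA0000003
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # HasName, HasRelativePath, HasWorkingDir, HasArguments, HasIconLocation
DRIVE_TYPES = {2: "REMOVABLE", 3: "FIXED", 4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}

def filetime(ft):  # FILETIME: 100 ns ticks since 1601-01-01 UTC
    return (datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)).isoformat()

def cstr(data, off):  # NUL-terminated ANSI string
    return data[off:data.index(b"\0", off)].decode("cp1252")

def parse_lnk(data):
    if struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link")
    flags, pos = struct.unpack_from("<I", data, 20)[0], 0x4C
    ctime, atime, wtime, fsize = struct.unpack_from("<QQQI", data, 28)
    info = {"target_created": filetime(ctime), "target_accessed": filetime(atime),
            "target_modified": filetime(wtime), "file_size": fsize}
    if flags & HAS_ID_LIST:                     # skip LinkTargetIDList (IDListSize + IDList)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li_size, _, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 1:                        # VolumeIDAndLocalBasePath present
            _, dtype, serial, label_off = struct.unpack_from("<IIII", data, pos + vol_off)
            info.update(drive_type=DRIVE_TYPES.get(dtype, dtype), volume_serial=f"{serial:08X}",
                        volume_label=cstr(data, pos + vol_off + label_off), local_base_path=cstr(data, pos + base_off))
        pos += li_size
    for f in STRING_FLAGS:                      # skip StringData entries (CountCharacters + chars)
        if flags & f:
            pos += 2 + struct.unpack_from("<H", data, pos)[0] * (2 if flags & IS_UNICODE else 1)
    while pos + 8 <= len(data) and (bsize := struct.unpack_from("<I", data, pos)[0]) >= 8:  # ExtraData blocks
        if struct.unpack_from("<I", data, pos + 4)[0] == TRACKER_SIG:  # MachineID @16, Droid @32 (volume) / @48 (file)
            info["netbios_name"] = data[pos + 16:pos + 32].split(b"\0")[0].decode("ascii", "replace")
            info["mac_address"] = ":".join(f"{b:02X}" for b in data[pos + 58:pos + 64])  # node field of file UUIDv1
        pos += bsize
    return info

def build_sample_lnk():  # constructed minimal .lnk (header + LinkInfo + TrackerDataBlock), not a real capture
    label, path, ft = b"OS\0", b"C:\\Users\\alice\\Documents\\report.docx\0", 132_602_832_000_000_000
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20, ft, ft, ft, 4096, 0, 1, 0, 0, 0, 0)
    vol = struct.pack("<IIII", 16 + len(label), 3, 0x1A2B3C4D, 16) + label
    li_size = 28 + len(vol) + len(path)
    link_info = struct.pack("<IIIIIII", li_size, 28, 1, 28, 28 + len(vol), 0, li_size - 1) + vol + path
    droid = b"\x11" * 10 + bytes.fromhex("00155d0a1b2c")     # last 6 bytes of a UUIDv1 = node = MAC
    tracker = struct.pack("<IIII", 0x60, TRACKER_SIG, 0x58, 0) + b"WORKSTATION01".ljust(16, b"\0") + (b"\0" * 16 + droid) * 2
    return header + link_info + tracker + b"\0\0\0\0"          # TerminalBlock
```

Comparing the parsed volume serial and NetBIOS name against the host the LNK was collected from is the quick way to tell whether the shortcut was created locally or arrived from another machine.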

Something I’ve never seen, but keep seeing mentioned, is leveraging these for persistence and, I suppose by proxy, lateral movement. I.e. an adversary adds a LNK to the startup folder that has an association to <xyz> payload. When the user starts the endpoint, <xyz> executes (probably worth at least labbing with an EDR to see what detections are baked in). Another subset to at least mention is that it seems like we can also use these to identify whether the file’s origin was local to the device or some remote endpoint.

To anyone that isn’t me that is reading this and has questions, comments, or concerns, please reach out to me on Twitter. I am by no means publishing any of this with the intent of it being a beacon of truth, but I need somewhere I can always access this information, so this will have to do. As I get more information I will update each entry, so for anyone reading this and shaking their fist at me, please let me know if you have any more information that I can add to this entry. Have a great day!

References: