There’s a good bit of file analysis that goes into CTI reports, including (but not limited to) malware analysis. But for some reason, not all files appear to be considered worthy of parsing and analysis. We also tend to see in-depth descriptions of the value of LNK files to forensic analysis, particularly when looking at user activity on an endpoint. However, while LNK files are still a popular delivery mechanism for kicking off attacks, not a great deal of effort goes into analysis of these files, nor does effort go into recording their metadata for use in detections or threat intel.
Sure, we see reports that include screen captures of command lines embedded in LNK files, but what we don’t see is LNK file metadata truly, fully exploited. The last time I can remember really seeing LNK file metadata incorporated into analysis was the Mandiant write-up on CozyBear from Nov 2018, where figures 5 & 6 illustrate differences between the 2016 and 2018 campaigns by comparing LNK file metadata.
Figure 1: LNK metadata (Source: TheHackerNews)
A recent article from TheHackerNews described an attack chain that started off with a ZIP archive containing an LNK file, pretending to be a Hangul Word Processing (HWP) document as a lure. The article does not provide figure or image numbers, but does contain the image seen in Figure 1, albeit without a description in close proximity to the image (you have to read a bit further into the text). This image does provide something of a comparison between two observed LNK files, albeit without the full breadth of metadata. While the image does describe the timestamps as “all zero (wiped)”, there’s no apparent reference to the machine ID/NetBIOS name field, either as populated or “wiped”. Nor is there any mention of Extra Data blocks, whether or not they exist, and whether they are populated.
The point is that there is significant value in tracking LNK file metadata across campaigns, as doing so gives us a better view into threat actor tooling and situational awareness. For example, in the Mandiant comparison of the two CozyBear campaigns (2016, 2018), they used embedded timestamps to support a finding in their analysis. In Figure 1, we see in the comparison between the two LNK files that the timestamps were “zeroed out”. By looking further into available metadata, we can make determinations around the threat actor tooling, as well as the process they use for developing the LNK files, and the lures, providing insight into their situational awareness.
But I get it; all of this requires rigor. First, analysts and organizations need to know that this information is available, and then they need to know how to extract it, aggregate it, and track it. Then, findings need to be supported by accumulated data, as part of a review process.
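As an added illustration of the extraction step (this is not code from the original post, nor from the Mandiant or TheHackerNews write-ups), the Python below parses the fields discussed above from raw LNK bytes: the three header FILETIMEs (reported as “wiped” when zeroed), and the MachineID (NetBIOS name) and the MAC address carried in the file object GUID of the TrackerDataBlock, per the MS-SHLLINK layout. The sample LNK, the machine name and the MAC in `build_sample_lnk` are constructed for the demonstration, not taken from any real campaign.

```python
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
TRACKER_SIG = 0xA0000003  # MS-SHLLINK TrackerDataBlock signature
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # HasName, HasRelativePath, HasWorkingDir, HasArguments, HasIconLocation

def filetime(ft):
    """Windows FILETIME (100ns ticks since 1601) -> ISO-8601 string, or 'wiped' when zeroed."""
    if ft == 0:
        return "wiped"
    return (datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)).isoformat()

def parse_lnk(data):
    """Return header timestamps plus machine ID and MAC from the TrackerDataBlock, if present."""
    flags, = struct.unpack_from("<I", data, 20)
    ctime, atime, wtime = struct.unpack_from("<QQQ", data, 28)
    meta = {"created": filetime(ctime), "accessed": filetime(atime),
            "written": filetime(wtime), "machine_id": None, "mac": None}
    off = 0x4C                                       # fixed ShellLinkHeader size
    if flags & 0x01:                                 # HasLinkTargetIDList: 2-byte size + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & 0x02:                                 # HasLinkInfo: size field includes itself
        off += struct.unpack_from("<I", data, off)[0]
    width = 2 if flags & 0x80 else 1                 # IsUnicode -> UTF-16LE StringData
    for bit in STRING_FLAGS:
        if flags & bit:
            off += 2 + struct.unpack_from("<H", data, off)[0] * width
    while off + 8 <= len(data):                      # ExtraData: BlockSize, BlockSignature, payload
        size, sig = struct.unpack_from("<II", data, off)
        if size < 4:
            break                                    # TerminalBlock
        if sig == TRACKER_SIG:                       # MachineID at +16 (NetBIOS name), Droid at +32
            meta["machine_id"] = data[off + 16:off + 32].split(b"\x00", 1)[0].decode("ascii", "replace")
            meta["mac"] = ":".join(f"{b:02x}" for b in data[off + 58:off + 64])  # node of file object GUID
        off += size
    return meta

def build_sample_lnk(machine=b"DESKTOP-LAB", wipe_times=False):
    """Constructed sample (not a captured file): header, one Arguments string, TrackerDataBlock."""
    ts = 0 if wipe_times else 132223104000000000    # FILETIME for 2020-01-01T00:00:00Z
    hdr = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, 0x20 | 0x80, 0x20,
                      ts, ts, ts, 0, 0, 1, 0, 0, 0, 0)
    args = "/c echo lure"
    strings = struct.pack("<H", len(args)) + args.encode("utf-16-le")
    file_guid = bytes(10) + bytes.fromhex("0a1b2c3d4e5f")  # v1 GUID whose node is the (constructed) MAC
    tracker = (struct.pack("<IIII", 0x60, TRACKER_SIG, 0x58, 0) + machine.ljust(16, b"\x00")
               + bytes(16) + file_guid + bytes(16) + file_guid)  # Droid + DroidBirth
    return hdr + strings + tracker + struct.pack("<I", 0)      # TerminalBlock
```

Running `parse_lnk` over a directory of collected LNK files and keeping the resulting dictionaries (timestamps, machine ID, MAC) per campaign is the aggregation step the paragraph above asks for; a missing TrackerDataBlock or zeroed timestamps is itself a data point worth recording.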