MITRE Technique [T1027.012] Obfuscated Files or Information: LNK Icon Smuggling

[T1027.012] Obfuscated Files or Information: LNK Icon Smuggling – LNK Icon Smuggling hides download commands inside Windows shortcut (.LNK) metadata, allowing adversaries to bypass filters and fetch malicious payloads when the shortcut is opened or executed. This technique is used in phishing and post-compromise stages to stage additional malware without obvious executable files. #LNKIconSmuggling #DefenseEvasion

Keypoints

  • LNK files contain metadata fields like IconEnvironmentDataBlock that can store an external path or URL.
  • Adversaries embed URLs in the icon location to trigger downloads when Windows resolves the icon.
  • Downloaded payloads can be executed via command-line or by abusing system binaries.
  • Used in phishing and post-compromise workflows to evade content filters and static detection.
  • Detection relies on monitoring LNK creation, icon fields, and process invocations that resolve external resources.

Description:

  • Like hiding a note inside the decorative picture of an envelope, attackers tuck malicious download commands into the icon field of a seemingly harmless Windows shortcut so viewers never suspect the threat.
  • LNK Icon Smuggling abuses the icon location metadata in .LNK files to reference external URLs or commands. When the OS or a script resolves the icon or the shortcut is executed, the referenced resource can be fetched and later invoked via command interpreters or system binaries, letting attackers deliver and run payloads while avoiding direct executable attachments.

Detection:

  • Monitor file-creation events for new or modified .LNK files in user directories and mail-download locations using EDR/File Integrity Monitoring.
  • Inspect LNK metadata (IconEnvironmentDataBlock and target path) for external URLs, UNC paths, or suspicious embedded command-line arguments.
  • Log and alert on processes that access network resources during icon resolution, such as explorer.exe or wscript invoking remote resources.
  • Correlate process creation events where system binaries (e.g., cmd.exe, powershell.exe, rundll32.exe) are launched from LNK targets or with arguments coming from shortcut files.
  • Use file-scanning or sandboxing for LNK attachments extracted from email and archives to detect hidden fetch-and-execute behavior before delivery.
  • Watch web proxy and DNS logs for early-stage network indicators from hosts that recently created or opened suspicious LNK files; flag one-off or uncommon domain requests.
  • Challenge: many legitimate shortcuts reference network icons. Reduce false positives by whitelisting known internal icon servers and applying heuristics: external URL in icon field + recent LNK creation + follow-on payload execution = high priority.
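The second detection bullet (inspecting IconEnvironmentDataBlock, the icon location string and the arguments for external references) and the final bullet (scoring a remote icon reference together with recent creation and follow-on execution) can be turned into a small offline check. The following is an added example, not code from MITRE or from this page: it parses the documented MS-SHLLINK layout (76-byte header, LinkFlags, StringData items, ExtraData blocks with signature 0xA0000007 for IconEnvironmentDataBlock and 0xA0000001 for EnvironmentVariableDataBlock), flags references that are URLs or UNC paths to hosts outside an allow-list, and folds in the two context signals to produce a priority. The function names (`parse_lnk`, `assess_shortcut`, `build_lnk`), the priority scale, the regexes and the `example.invalid` hosts are all assumptions made for the example; `build_lnk` only exists to construct a fixture inline so the check runs without a real shortcut on disk.

```python
import re
import struct
from urllib.parse import urlparse

# MS-SHLLINK constants (from the public specification)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FLAG_HAS_IDLIST, FLAG_HAS_LINKINFO = 0x01, 0x02
FLAG_HAS_NAME, FLAG_HAS_RELPATH, FLAG_HAS_WORKDIR = 0x04, 0x08, 0x10
FLAG_HAS_ARGS, FLAG_HAS_ICON, FLAG_UNICODE = 0x20, 0x40, 0x80
SIG_ENVIRONMENT = 0xA0000001       # EnvironmentVariableDataBlock
SIG_ICON_ENVIRONMENT = 0xA0000007  # IconEnvironmentDataBlock
STRING_FIELDS = ((FLAG_HAS_NAME, "name"), (FLAG_HAS_RELPATH, "relative_path"),
                 (FLAG_HAS_WORKDIR, "working_dir"), (FLAG_HAS_ARGS, "arguments"),
                 (FLAG_HAS_ICON, "icon_location"))
# Assumed heuristic: a reference is "remote" when it is an http(s)/ftp URL or a UNC path.
REMOTE_REF = re.compile(r"^(?:https?://|ftp://|\\\\)", re.I)
EMBEDDED_REF = re.compile(r"(?:https?://|ftp://|\\\\)\S+", re.I)


def _read_string(data, off, unicode):
    """StringData item: 2-byte character count, then UTF-16LE or ANSI characters."""
    count = struct.unpack_from("<H", data, off)[0]
    off += 2
    if unicode:
        return data[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return data[off:off + count].decode("cp1252", errors="replace"), off + count


def parse_lnk(data):
    """Return the StringData fields plus any environment/icon ExtraData targets."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link (.LNK) file")
    off = 0x4C
    if flags & FLAG_HAS_IDLIST:      # skip LinkTargetIDList (2-byte size prefix)
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & FLAG_HAS_LINKINFO:    # skip LinkInfo (its 4-byte size includes itself)
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & FLAG_UNICODE)
    fields = {}
    for flag, name in STRING_FIELDS:
        if flags & flag:
            fields[name], off = _read_string(data, off, unicode)
    while off + 8 <= len(data):      # ExtraData blocks until the terminal block
        size, sig = struct.unpack_from("<II", data, off)
        if size < 4:
            break
        body = data[off + 8:off + size]
        if sig in (SIG_ENVIRONMENT, SIG_ICON_ENVIRONMENT):
            # TargetAnsi (260 bytes) followed by TargetUnicode (520 bytes)
            ansi = body[:260].split(b"\x00", 1)[0].decode("cp1252", errors="replace")
            uni = body[260:780].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
            key = "icon_env_block" if sig == SIG_ICON_ENVIRONMENT else "environment_block"
            fields[key] = uni or ansi
        off += size
    return fields


def _host_of(ref):
    if ref.startswith("\\\\"):
        return ref[2:].split("\\", 1)[0].lower()
    return (urlparse(ref).hostname or "").lower()


def assess_shortcut(data, trusted_hosts=(), recently_created=False, followed_by_execution=False):
    """Flag remote icon/environment references, then combine with context for a priority."""
    fields = parse_lnk(data)
    trusted = {h.lower() for h in trusted_hosts}   # known internal icon servers
    findings = []
    for name in ("icon_location", "icon_env_block", "environment_block"):
        ref = fields.get(name, "")
        if REMOTE_REF.match(ref) and _host_of(ref) not in trusted:
            findings.append((name, ref))
    match = EMBEDDED_REF.search(fields.get("arguments", ""))
    if match:
        findings.append(("arguments", match.group(0)))
    if not findings:
        priority = "none"
    else:  # remote reference + recent creation + follow-on execution = high
        score = 1 + int(recently_created) + int(followed_by_execution)
        priority = {1: "low", 2: "medium", 3: "high"}[score]
    return {"fields": fields, "findings": findings, "priority": priority}


def build_lnk(arguments="", icon_location="", icon_env_target="", unicode=True):
    """Constructed fixture: a minimal .LNK carrying the given StringData/ExtraData."""
    flags = (FLAG_HAS_ARGS if arguments else 0) | (FLAG_HAS_ICON if icon_location else 0)
    flags |= FLAG_UNICODE if unicode else 0
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand = SW_SHOWNORMAL

    def item(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le" if unicode else "cp1252")

    body = (item(arguments) if arguments else b"") + (item(icon_location) if icon_location else b"")
    extra = b""
    if icon_env_target:
        extra += struct.pack("<II", 0x314, SIG_ICON_ENVIRONMENT)
        extra += icon_env_target.encode("cp1252").ljust(260, b"\x00")
        extra += icon_env_target.encode("utf-16-le").ljust(520, b"\x00")
    return header + body + extra + struct.pack("<I", 0)  # terminal block


if __name__ == "__main__":
    sample = build_lnk(icon_location="https://example.invalid/icon.ico")
    print(assess_shortcut(sample, recently_created=True, followed_by_execution=True))
```

In a pipeline the `recently_created` and `followed_by_execution` inputs would come from the file-creation and process-creation events listed above rather than being passed by hand; the parser deliberately reads only the string and extra-data sections, since a full LinkInfo/IDList decode is not needed to answer "does this shortcut point somewhere remote".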

Tactics:
Defense Evasion

Platforms:
Windows

Data Sources:
File: File Creation, File: File Metadata

Read More: https://attack.mitre.org/techniques/T1027/012