LNK Files

1. What Are LNK Files & Why They Matter

  • Definition: LNK (or “Shell Link”) files are Windows shortcut files that store metadata pointing to a target file, folder, or application.

  • Forensic Relevance:

    • They can reveal user activity: which files/folders a user accessed, when, and from where.

    • Even if the real target file is deleted, an LNK may remain and give a clue about what was there.

    • Adversaries can abuse LNK files for obfuscation / persistence, e.g. “LNK Icon Smuggling” to hide malicious payloads.


2. Key Metadata Inside LNK Files

Some of the important data you can extract from an LNK:

  • Header Information: timestamps (creation, access, modification) of the LNK file itself.

  • Target Details:

    • Original (or current) path of the target file/folder.

    • Command-line arguments passed to the target (if any).

    • Working directory.

  • Volume Information:

    • Volume serial number of the disk where the target lives.

    • Drive type (local, network, removable).

  • Shell Item / ID List: LNKs include a “Target ID List” block linking to shell item IDs, which may include MFT information, GUIDs, and other path components.

  • Extra Data Blocks: LNK files may contain extra data (metadata) like:

    • Console properties (window size, hotkey)

    • Property-store data blocks (custom metadata)

    • Distributed Link Tracker information (“droid” identifiers) which helps determine if the target was moved or copied.
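The parser below, an added example that is not code from the page or from any of the tools listed later, walks the structures described in this section: the ShellLinkHeader (flags, attributes, three FILETIME stamps, size), the LinkInfo block (drive type, volume serial, volume label, local base path) and the StringData fields (working directory, arguments). It runs against a constructed sample shortcut whose serial, label, paths and timestamps are invented; the sample sets IsUnicode and omits the LinkTargetIDList, which the parser only skips over rather than decodes.

```python
import struct
from datetime import datetime, timedelta, timezone

CLSID = bytes.fromhex("0114020000000000c000000000000046")  # Shell Link CLSID
DRIVE_TYPES = {2: "removable", 3: "fixed", 4: "remote"}
def filetime(ft):  # Windows FILETIME (100-ns ticks since 1601-01-01 UTC) -> aware datetime
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)
def cstr(buf, off):  # null-terminated ANSI string starting at buf[off]
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")

def parse_lnk(data):
    """Return header timestamps, LinkInfo volume/path details and StringData fields."""
    hsize, flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<I16xIIQQQI", data)
    if hsize != 0x4C or data[4:20] != CLSID:
        raise ValueError("not a Shell Link file")
    out = {"created": filetime(ctime), "accessed": filetime(atime),
           "written": filetime(wtime), "size": size, "attributes": hex(attrs)}
    pos = 0x4C
    if flags & 0x01:  # HasLinkTargetIDList: skip IDListSize + IDList (not decoded here)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:  # HasLinkInfo
        li_size, _, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x01:  # VolumeIDAndLocalBasePath
            drive, serial, label_off = struct.unpack_from("<III", data, pos + vol_off + 4)
            out["drive_type"] = DRIVE_TYPES.get(drive, f"other({drive})")
            out["volume_serial"] = f"{serial:08X}"
            out["volume_label"] = cstr(data, pos + vol_off + label_off)
            out["local_path"] = cstr(data, pos + base_off)
        pos += li_size
    width = 2 if flags & 0x80 else 1  # StringData: u16 CountCharacters + chars; UTF-16LE if IsUnicode
    for bit, key in ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                     (0x20, "arguments"), (0x40, "icon_location")):
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + width * n]
            out[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + width * n
    return out

def build_sample():
    """Constructed shortcut on a removable drive with arguments; not a real capture."""
    label, path = b"USB_EVIDENCE\x00", b"E:\\tools\\sync.exe\x00"
    vol = struct.pack("<IIII", 16 + len(label), 2, 0x1A2B3C4D, 16) + label  # DRIVE_REMOVABLE
    li = struct.pack("<7I", 29 + len(vol) + len(path), 28, 1, 28, 28 + len(vol), 0,
                     28 + len(vol) + len(path)) + vol + path + b"\x00"
    ft, day = 132223104000000000, 864_000_000_000  # 2020-01-01 UTC; one day in ticks
    hdr = struct.pack("<I16sIIQQQIIIHHII", 0x4C, CLSID, 0x02 | 0x10 | 0x20 | 0x80, 0x20,
                      ft, ft + 2 * day, ft + day, 4096, 0, 1, 0, 0, 0, 0)
    ustr = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return hdr + li + ustr("E:\\tools") + ustr("--verbose")
```

Feeding a real shortcut's bytes to parse_lnk gives the same dictionary, so the removable drive type plus a volume serial can be matched against USB device registry artifacts during correlation.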


3. Common Locations of LNK Files

LNK files appear in multiple user-relevant paths:

  • C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\ — recent documents.

  • Desktop shortcuts.

  • Startup folder (for persistence).

  • Jump lists (which are related but stored separately).


4. Attack / Threat Scenarios Involving LNK

  • Execution Evidence: Because LNKs are created when a user opens a file (or application), they can be used to prove that something was launched.

  • Obfuscation / Defense Evasion: Attackers may embed malicious commands or use the IconEnvironmentDataBlock inside LNKs to hide links to malware or downloads. This technique is tracked in MITRE ATT&CK as Icon Smuggling.

  • Persistence: A malicious LNK can be placed in a startup folder so that it executes every boot.


5. Tools & Techniques for Parsing LNK

  • LECmd (Eric Zimmerman)

    • Powerful command-line tool that extracts all metadata from LNK files.

    • Can output in CSV, JSON, or other formats for analysis.

  • LnkParse3 (Python)

    • Minimalistic but very capable parser.

    • Good at extracting even malformed LNKs; outputs JSON.

  • TZWorks LNK Parser (lp)

    • Command-line parser for .lnk and Jump List files.

  • Velociraptor

    • Has an artifact Windows.Forensics.Lnk to automatically find and parse LNKs during endpoint collection.

  • Belkasoft X / Evidence Center

    • GUI for analyzing LNK metadata: path, volume serial, timestamps, “droid” identifiers.


6. Forensic Investigation Workflow

Here’s a step-by-step guide to investigating LNK files:

  1. Collection

    • Extract LNK files from common user paths (Recent, Desktop, Startup, etc.).

    • Use forensic image tools (FTK, EnCase, etc.) to list all .lnk files on the volume.

  2. Parsing

    • Run LECmd or LnkParse3 on the LNK files to extract metadata.

    • Use Velociraptor if you want to do this at scale on endpoints.

  3. Analysis / Interpretation

    • Review target paths: see where each LNK points — local file, network share, USB, etc.

    • Compare LNK file timestamps (creation, access, modification) with target file timestamps to infer usage.

    • Examine “extra data” blocks: check distributed tracker info (if present) to see if the target was moved.

    • Look for suspicious or malicious LNKs: long or obfuscated IconEnvironmentDataBlock, unusual command-line arguments.

  4. Correlation

    • Link LNK metadata with other artifacts: Prefetch, Jump Lists, Registry (MRU), event logs.

    • Build a timeline: when shortcuts were created vs when the target was last modified.

  5. Reporting

    • Document each LNK: location, metadata, target, suspicious fields.

    • Highlight any LNK used for persistence, obfuscation, or pivoting.


7. Challenges & Caveats

  • Not all LNK files are evidence of malicious activity — many are simply user-created shortcuts.

  • Some LNKs may point to paths that no longer exist (deleted target).

  • LNK metadata can be manipulated, though not all fields are trivial to tamper with (e.g., distributed-tracker blocks).

  • Parsing malformed or corrupted LNK files may require robust tools (like LnkParse3).
