T1027.012 LNK Icon Smuggling Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1027.012 - LNK Icon Smuggling
// Detect suspicious LNK file creation and network connections triggered by LNK icon field
let SuspiciousLnkCreators = DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName endswith ".lnk"
| where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe")
| project DeviceId, DeviceName, LnkCreationTime=Timestamp, LnkFileName=FileName, LnkFolderPath=FolderPath, InitiatingProcessCommandLine, InitiatingProcessFileName;
let LnkInducedNetwork = DeviceNetworkEvents
| where InitiatingProcessFileName =~ "explorer.exe"
| where RemoteUrl has_any ("http://", "https://", ".ps1", ".exe", ".dll", ".bat", ".vbs")
| where RemotePort in (80, 443, 8080, 8443)
| project DeviceId, DeviceName, NetworkTime=Timestamp, RemoteUrl, RemoteIP, RemotePort;
SuspiciousLnkCreators
| join kind=leftouter (
    LnkInducedNetwork
) on DeviceId
| union (
    // LNK files spawning processes with heavily padded command lines (Kimsuky pattern)
    DeviceProcessEvents
    | where InitiatingProcessFileName =~ "explorer.exe"
    | where ProcessCommandLine matches regex @"\s{20,}"
    | where FileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe")
    | extend Detection = "LNK_padded_commandline"
)
| union (
    // LNK executing office.exe or renamed binaries from temp/appdata (Mustang Panda/TONESHELL)
    DeviceProcessEvents
    | where InitiatingProcessFileName =~ "explorer.exe"
    | where FolderPath has_any ("\\Temp\\", "\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\")
    | where FileName =~ "office.exe" or (FileName endswith ".exe" and FolderPath !has "Program Files")
    | extend Detection = "LNK_suspicious_binary_execution"
)
| extend Detection = coalesce(Detection, "LNK_payload_creation")
| project-reorder Timestamp, DeviceName, Detection, FileName, ProcessCommandLine, FolderPath, InitiatingProcessCommandLine

severity confidence

Splunk

spl

index=windows (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational")
| eval EventCode=coalesce(EventCode, event_id)
| search EventCode IN (1, 11, 22)
| eval detection_type=case(
    EventCode="11" AND TargetFilename LIKE "%.lnk" AND Image IN ("*\\powershell.exe", "*\\cmd.exe", "*\\wscript.exe", "*\\cscript.exe", "*\\mshta.exe", "*\\rundll32.exe"), "LNK_creation_by_scripting_engine",
    EventCode="1" AND Image LIKE "*\\explorer.exe" AND match(CommandLine, "\s{15,}"), "LNK_padded_commandline_execution",
    EventCode="1" AND Image LIKE "*\\explorer.exe" AND (CommandLine LIKE "%office.exe%" OR (CommandLine LIKE "%\\Temp\\%" AND CommandLine LIKE "%.exe%")), "LNK_suspicious_binary_from_temp",
    EventCode="22" AND Image LIKE "*\\explorer.exe" AND (QueryName LIKE "%.ps1" OR QueryName LIKE "%.exe" OR QueryName LIKE "%.dll" OR QueryName NOT LIKE "%.microsoft.com"), "LNK_icon_field_dns_lookup",
    true(), null()
)
| search detection_type=*
| eval risk_score=case(
    detection_type="LNK_padded_commandline_execution", 85,
    detection_type="LNK_suspicious_binary_from_temp", 90,
    detection_type="LNK_icon_field_dns_lookup", 70,
    detection_type="LNK_creation_by_scripting_engine", 65,
    true(), 50
)
| table _time, Computer, detection_type, risk_score, Image, CommandLine, TargetFilename, QueryName, ParentImage
| sort -risk_score

severity confidence

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
  [file where event.action == "creation" and file.extension == "lnk" and
   process.name in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe")]
  [any where event.category in ("network", "process") and process.name == "explorer.exe"]

/* Standalone: padded commandline from explorer */
process where event.type == "start" and
  process.parent.name == "explorer.exe" and
  process.name in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe") and
  process.command_line regex~ ".*\\s{15,}.*"

/* Standalone: suspicious binary execution from temp via explorer */
process where event.type == "start" and
  process.parent.name == "explorer.exe" and
  (
    process.name == "office.exe" or
    (process.executable regex~ "(?i).*(\\\\Temp\\\\|\\\\AppData\\\\Local\\\\Temp\\\\|\\\\AppData\\\\Roaming\\\\).*\.exe")
  )

high severity high confidence

Data Sources

Elastic Endpoint Security Windows Event Logs via Elastic Agent Sysmon via Elastic Agent

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.process-* logs-endpoint.events.network-* logs-windows.sysmon_operational-*

False Positives

Legitimate software installers creating LNK shortcuts via cmd.exe or PowerShell during installation workflows
IT automation scripts (PDQ Deploy, SCCM) that create desktop shortcuts programmatically
Developer tools that launch explorer.exe child processes with long argument strings for legitimate application execution

IBM QRadar (AQL)

sql

/* LNK Creation by Scripting Engine - Sysmon EventID 11 */
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  "Computer" AS hostname,
  "Image" AS initiating_process,
  "TargetFilename" AS lnk_file_path,
  CASE
    WHEN "Image" LIKE '%\\powershell.exe' THEN 'LNK_creation_by_powershell'
    WHEN "Image" LIKE '%\\cmd.exe' THEN 'LNK_creation_by_cmd'
    WHEN "Image" LIKE '%\\wscript.exe' OR "Image" LIKE '%\\cscript.exe' THEN 'LNK_creation_by_script_host'
    WHEN "Image" LIKE '%\\mshta.exe' OR "Image" LIKE '%\\rundll32.exe' THEN 'LNK_creation_by_lolbin'
    ELSE 'LNK_creation_suspicious'
  END AS detection_type,
  85 AS risk_score
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) LIKE '%Sysmon%'
  AND QIDNAME(qid) LIKE '%Sysmon%'
  AND "EventID" = '11'
  AND LOWER("TargetFilename") LIKE '%.lnk'
  AND (
    "Image" LIKE '%\\powershell.exe'
    OR "Image" LIKE '%\\cmd.exe'
    OR "Image" LIKE '%\\wscript.exe'
    OR "Image" LIKE '%\\cscript.exe'
    OR "Image" LIKE '%\\mshta.exe'
    OR "Image" LIKE '%\\rundll32.exe'
    OR "Image" LIKE '%\\regsvr32.exe'
    OR "Image" LIKE '%\\certutil.exe'
  )
  AND LOGSOURCETYPEID(devicetype) IN (SELECT id FROM SupportedLogSourceType WHERE name LIKE '%Microsoft Windows%' OR name LIKE '%Sysmon%')

UNION ALL

/* LNK Padded Commandline Execution - Sysmon EventID 1 */
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  "Computer" AS hostname,
  "Image" AS initiating_process,
  "CommandLine" AS lnk_file_path,
  'LNK_padded_commandline_execution' AS detection_type,
  90 AS risk_score
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) LIKE '%Sysmon%'
  AND "EventID" = '1'
  AND LOWER("ParentImage") LIKE '%\\explorer.exe'
  AND (
    LOWER("Image") LIKE '%\\powershell.exe'
    OR LOWER("Image") LIKE '%\\cmd.exe'
    OR LOWER("Image") LIKE '%\\wscript.exe'
    OR LOWER("Image") LIKE '%\\mshta.exe'
  )
  AND REGEXP_MATCH("CommandLine", '.*\\s{15,}.*')

UNION ALL

/* LNK Suspicious Binary from Temp - Sysmon EventID 1 */
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  "Computer" AS hostname,
  "Image" AS initiating_process,
  "CommandLine" AS lnk_file_path,
  'LNK_suspicious_binary_from_temp' AS detection_type,
  95 AS risk_score
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) LIKE '%Sysmon%'
  AND "EventID" = '1'
  AND LOWER("ParentImage") LIKE '%\\explorer.exe'
  AND (
    LOWER("Image") LIKE '%\\office.exe'
    OR (
      (LOWER("Image") LIKE '%\\temp\\%' OR LOWER("Image") LIKE '%\\appdata\\local\\temp\\%' OR LOWER("Image") LIKE '%\\appdata\\roaming\\%')
      AND LOWER("Image") LIKE '%.exe'
    )
  )
ORDER BY risk_score DESC
LAST 3 HOURS

high severity medium confidence

Data Sources

Sysmon forwarded to QRadar via Windows Event Log Microsoft Windows Security Event Log

Required Tables

events

False Positives

Enterprise software deployment tools creating LNK shortcuts during installation using cmd.exe or PowerShell
Legitimate portable application launchers stored in AppData\Roaming that are executed via desktop shortcuts
Security scanning or EDR tools that invoke explorer.exe child processes with long diagnostic command lines

Sumo Logic CSE

sql

/* T1027.012 - LNK Icon Smuggling - Sumo Logic CSE / Sysmon */
(_sourceCategory="windows/sysmon" OR _sourceCategory="*WinEventLog*Sysmon*")
| json auto
| where EventID in ("1", "11", "22")
| eval detection_type = ""
/* LNK file creation by scripting engine (EventID 11) */
| where (EventID = "11" AND toLowerCase(TargetFilename) matches "%.lnk"
  AND (
    Image matches "*\\powershell.exe" OR Image matches "*\\cmd.exe" OR
    Image matches "*\\wscript.exe" OR Image matches "*\\cscript.exe" OR
    Image matches "*\\mshta.exe" OR Image matches "*\\rundll32.exe" OR
    Image matches "*\\regsvr32.exe" OR Image matches "*\\certutil.exe"
  ))
  OR
/* Padded commandline from explorer.exe (EventID 1, Kimsuky) */
  (EventID = "1" AND
  (Image matches "*\\powershell.exe" OR Image matches "*\\cmd.exe" OR
   Image matches "*\\wscript.exe" OR Image matches "*\\mshta.exe") AND
  ParentImage matches "*\\explorer.exe" AND
  CommandLine matches "*                 *")
  OR
/* Suspicious binary from Temp via explorer.exe (EventID 1, Mustang Panda) */
  (EventID = "1" AND ParentImage matches "*\\explorer.exe" AND
  (
    toLowerCase(Image) matches "*\\office.exe" OR
    (toLowerCase(CommandLine) matches "*\\temp\\*.exe" OR toLowerCase(CommandLine) matches "*\\appdata\\local\\temp\\*.exe" OR toLowerCase(CommandLine) matches "*\\appdata\\roaming\\*.exe")
  ))
  OR
/* DNS lookup from explorer.exe for non-standard domains (EventID 22) */
  (EventID = "22" AND Image matches "*\\explorer.exe" AND
  (
    QueryName matches "*.ps1" OR QueryName matches "*.exe" OR QueryName matches "*.dll" OR
    !(QueryName matches "*.microsoft.com" OR QueryName matches "*.windows.com" OR QueryName matches "*.windowsupdate.com")
  ))
| eval detection_type = if(EventID = "11" AND toLowerCase(TargetFilename) matches "%.lnk", "LNK_creation_by_scripting_engine",
    if(EventID = "1" AND CommandLine matches "*                 *", "LNK_padded_commandline_execution",
    if(EventID = "1" AND (toLowerCase(Image) matches "*\\office.exe" OR toLowerCase(CommandLine) matches "*\\temp\\*.exe"), "LNK_suspicious_binary_from_temp",
    if(EventID = "22", "LNK_icon_field_dns_lookup", "LNK_unknown"))))
| eval risk_score = if(detection_type = "LNK_suspicious_binary_from_temp", 90,
    if(detection_type = "LNK_padded_commandline_execution", 85,
    if(detection_type = "LNK_icon_field_dns_lookup", 70,
    if(detection_type = "LNK_creation_by_scripting_engine", 65, 50))))
| fields _messageTime, Computer, detection_type, risk_score, Image, CommandLine, TargetFilename, QueryName, ParentImage
| sort by risk_score desc

high severity medium confidence

Data Sources

Sysmon Operational logs via Sumo Logic Installed Collector Windows Event Forwarding to Sumo Logic

Required Tables

_sourceCategory=windows/sysmon

False Positives

Software installation packages that create LNK shortcuts using cmd.exe or PowerShell as part of setup wizards
Remote management tools (e.g., desktop shortcuts to internal web apps) that cause explorer.exe DNS lookups to internal domains not matching microsoft.com
Legitimate portable applications stored in AppData\Roaming that contain spaces in their installation paths triggering the padded commandline heuristic

Google Chronicle / SecOps

yaral

rule lnk_icon_smuggling_t1027_012 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1027.012 LNK Icon Smuggling via scripting engine LNK creation, padded commandlines, and suspicious binary execution from temp paths"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1027.012"
    severity = "HIGH"
    priority = "HIGH"

  events:
    (
      /* Pattern 1: LNK creation by scripting engine */
      (
        $e1.metadata.event_type = "FILE_CREATION"
        and re.regex($e1.target.file.full_path, `(?i)\.lnk$`)
        and re.regex($e1.principal.process.file.full_path,
          `(?i)(powershell|cmd|wscript|cscript|mshta|rundll32|regsvr32|certutil)\.exe$`)
      )
      or
      /* Pattern 2: Padded commandline execution via explorer.exe (Kimsuky) */
      (
        $e1.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e1.principal.process.file.full_path, `(?i)\\explorer\.exe$`)
        and re.regex($e1.target.process.file.full_path,
          `(?i)(powershell|cmd|wscript|cscript|mshta|regsvr32|rundll32)\.exe$`)
        and re.regex($e1.target.process.command_line, `\s{15,}`)
      )
      or
      /* Pattern 3: Suspicious binary from Temp/AppData via explorer.exe (Mustang Panda/TONESHELL) */
      (
        $e1.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e1.principal.process.file.full_path, `(?i)\\explorer\.exe$`)
        and (
          re.regex($e1.target.process.file.full_path, `(?i)\\office\.exe$`)
          or re.regex($e1.target.process.file.full_path,
            `(?i)(\\Temp\\|\\AppData\\Local\\Temp\\|\\AppData\\Roaming\\).*\.exe$`)
        )
      )
      or
      /* Pattern 4: DNS query from explorer.exe for suspicious domains (icon field fetch) */
      (
        $e1.metadata.event_type = "NETWORK_DNS"
        and re.regex($e1.principal.process.file.full_path, `(?i)\\explorer\.exe$`)
        and (
          re.regex($e1.network.dns.questions.name, `(?i)\.(ps1|exe|dll|bat|vbs)$`)
          and not re.regex($e1.network.dns.questions.name,
            `(?i)(microsoft\.com|windows\.com|windowsupdate\.com|office\.com)$`)
        )
      )
    )

  condition:
    $e1
}

high severity high confidence

Data Sources

Windows Sysmon via Chronicle forwarder Microsoft Defender for Endpoint via Chronicle ingestion Windows Security Events via Chronicle forwarder

Required Tables

UDM Events - FILE_CREATION UDM Events - PROCESS_LAUNCH UDM Events - NETWORK_DNS

False Positives

Automated build or CI/CD systems that generate LNK shortcuts via PowerShell scripts during artifact packaging
Enterprise application launchers (e.g., Citrix, VMware Horizon) that use explorer.exe to open shortcuts with long path arguments
Security tools performing DNS resolution through explorer.exe process context for threat intelligence lookups

CrowdStrike LogScale (CQL)

cql

// T1027.012 - LNK Icon Smuggling - CrowdStrike LogScale (CQL)
// Pattern 1: LNK file creation by scripting engines
#event_simpleName = "NewExecutableWritten"
| TargetFileName = /(?i)\.lnk$/
| ImageFileName = /(?i)(powershell|cmd|wscript|cscript|mshta|rundll32|regsvr32|certutil)\.exe$/
| eval detection_type = "LNK_creation_by_scripting_engine"
| eval risk_score = 65

// Pattern 2: Padded commandline execution from explorer.exe (Kimsuky)
| union [
  #event_simpleName = "ProcessRollup2"
  | ParentBaseFileName = "explorer.exe"
  | ImageFileName = /(?i)(powershell|cmd|wscript|cscript|mshta|regsvr32|rundll32)\.exe$/
  | CommandLine = /\s{15,}/
  | eval detection_type = "LNK_padded_commandline_execution"
  | eval risk_score = 85
]

// Pattern 3: Suspicious binary from Temp/AppData via explorer.exe (Mustang Panda/TONESHELL)
| union [
  #event_simpleName = "ProcessRollup2"
  | ParentBaseFileName = "explorer.exe"
  | (
      ImageFileName = /(?i)\\office\.exe$/
      or ImageFileName = /(?i)(\\Temp\\|\\AppData\\Local\\Temp\\|\\AppData\\Roaming\\).*\.exe$/
    )
  | eval detection_type = "LNK_suspicious_binary_from_temp"
  | eval risk_score = 90
]

// Pattern 4: DNS request from explorer.exe for suspicious hostnames (icon field URL fetch)
| union [
  #event_simpleName = "DnsRequest"
  | ContextBaseFileName = "explorer.exe"
  | DomainName = /(?i)\.(ps1|exe|dll|bat|vbs)$/
  | DomainName != /(?i)(microsoft\.com|windows\.com|windowsupdate\.com|office\.com)$/
  | eval detection_type = "LNK_icon_field_dns_lookup"
  | eval risk_score = 70
]

// Aggregate and present results
| groupBy([ComputerName, detection_type], function=[
    count(as=event_count),
    max(risk_score, as=max_risk_score),
    collect([CommandLine, ImageFileName, TargetFileName, DomainName, ParentBaseFileName], limit=10)
  ])
| sort(max_risk_score, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR Falcon ProcessRollup2 events Falcon DnsRequest events Falcon NewExecutableWritten events

Required Tables

#event_simpleName=ProcessRollup2 #event_simpleName=NewExecutableWritten #event_simpleName=DnsRequest

False Positives

Legitimate software packagers or installers that write LNK files to disk using cmd.exe or PowerShell as part of setup routines
Custom enterprise launchers that invoke explorer.exe with lengthy UNC paths or environment variable expansions that exceed the padding threshold
Internal IT tooling stored in AppData that executes via desktop shortcuts causing explorer.exe to launch binaries from non-Program Files paths

LNK Icon Smuggling

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections