
Detect LNK Icon Smuggling in IBM QRadar

Adversaries abuse Windows shortcut (.LNK) files to smuggle malicious payloads past content filters. An LNK file carries metadata fields, including an icon location field (IconEnvironmentDataBlock) that is meant to hold the path of an icon file. Adversaries point this field at an external URL so that a payload download is triggered when the LNK is invoked. They also abuse the LNK target path field to embed interpreter commands with obfuscated arguments, often padding the target field with long runs of spaces so that the malicious portion is pushed out of view during casual inspection of the shortcut's properties. Threat actors including Kimsuky, Gamaredon Group and Mustang Panda (with its TONESHELL malware) have weaponized LNK files with spoofed PDF icons to trick users into executing malicious binaries.
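The two file-level indicators described above (an icon reference that points off-host, and whitespace padding in the arguments field) can be checked directly in a suspect .LNK before anything runs. The following Python triage helper is an added example, not code from the page or the detection vendor: it parses only the MS-SHLLINK structures needed for those two checks (header LinkFlags, the StringData strings, and the IconEnvironmentDataBlock, signature 0xA0000007) and flags what it finds. The `build_lnk` helper, the 15-space padding threshold and the `example.invalid` URL are assumptions used only to construct an offline test fixture.

```python
"""Triage helper for Windows shortcut (.LNK) files: surfaces an icon reference
that points at a URL or UNC path and an arguments field padded with whitespace.
Added example; parses only the MS-SHLLINK pieces needed for those two checks."""
import re
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x0001
HAS_LINK_INFO = 0x0002
HAS_NAME = 0x0004
HAS_RELATIVE_PATH = 0x0008
HAS_WORKING_DIR = 0x0010
HAS_ARGUMENTS = 0x0020
HAS_ICON_LOCATION = 0x0040
IS_UNICODE = 0x0080

ICON_ENVIRONMENT_BLOCK_SIG = 0xA0000007   # IconEnvironmentDataBlock
ENVIRONMENT_VARIABLE_BLOCK_SIG = 0xA0000001
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
HEADER_SIZE = 0x4C
URL_OR_UNC = re.compile(r"^(?:[a-z][a-z0-9+.-]*://|\\\\)", re.IGNORECASE)


def _read_string(data, pos, unicode):
    """StringData item: 2-byte character count, then the characters (no terminator)."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    if unicode:
        return data[pos:pos + 2 * count].decode("utf-16-le", errors="replace"), pos + 2 * count
    return data[pos:pos + count].decode("cp1252", errors="replace"), pos + count


def parse_lnk(data):
    """Return LinkFlags, the StringData strings and the unicode target of any
    environment/icon-environment extra data block."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip IDList (2-byte size prefix)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo (size includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    strings = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            strings[name], pos = _read_string(data, pos, unicode)
    blocks = {}
    while pos + 8 <= len(data):                  # ExtraData: size, signature, body
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:                             # terminal block
            break
        body = data[pos + 8:pos + size]
        if sig in (ICON_ENVIRONMENT_BLOCK_SIG, ENVIRONMENT_VARIABLE_BLOCK_SIG):
            # 260-byte ANSI target followed by 520-byte UTF-16 target
            blocks[sig] = body[260:780].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        pos += size
    return {"flags": flags, "strings": strings, "blocks": blocks}


def assess_lnk(data, pad_threshold=15):
    """List the T1027.012 indicators present; threshold mirrors the \\s{15,} regex."""
    parsed = parse_lnk(data)
    findings = []
    for ref in (parsed["strings"].get("icon_location", ""),
                parsed["blocks"].get(ICON_ENVIRONMENT_BLOCK_SIG, "")):
        if ref and URL_OR_UNC.match(ref):
            findings.append("icon_remote:" + ref)
    args = parsed["strings"].get("arguments", "")
    longest = max((len(m) for m in re.findall(r"\s+", args)), default=0)
    if longest >= pad_threshold:
        findings.append(f"args_padded:{longest}")
    return findings


def build_lnk(arguments="", icon_location="", icon_env_target=""):
    """Constructed minimal shortcut used only as an offline fixture for the parser."""
    flags = IS_UNICODE | (HAS_ARGUMENTS if arguments else 0) | (HAS_ICON_LOCATION if icon_location else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (arguments, icon_location) if s)
    extra = b""
    if icon_env_target:
        ansi = icon_env_target.encode("cp1252")[:259].ljust(260, b"\x00")
        uni = icon_env_target.encode("utf-16-le")[:518].ljust(520, b"\x00")
        extra = struct.pack("<II", 0x314, ICON_ENVIRONMENT_BLOCK_SIG) + ansi + uni
    return header + body + extra + struct.pack("<I", 0)


if __name__ == "__main__":
    fixture = build_lnk(" " * 40 + "/c echo constructed-sample",
                        "%SystemRoot%\\System32\\shell32.dll",
                        "https://example.invalid/icon.ico")   # placeholder URL
    print(assess_lnk(fixture))
```

Point `assess_lnk` at `open(path, "rb").read()` for a real shortcut; a result of `[]` only means neither of these two indicators is present, not that the file is safe, since a target path to a LOLBin with short arguments is untouched by these checks.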

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1027 Obfuscated Files or Information
Sub-technique: T1027.012 LNK Icon Smuggling
Canonical reference: https://attack.mitre.org/techniques/T1027/012/

QRadar Detection Query

IBM QRadar (QRadar), AQL

```sql
/* T1027.012 LNK Icon Smuggling: three Sysmon patterns in one SELECT.
   Sysmon reaches QRadar through the Microsoft Windows Security Event Log DSM,
   so the log source type name may carry either name; gate on that rather than
   on the QID name, which varies by DSM version. Double-quoted names are
   custom event properties and must exist with exactly these names. */
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,   /* 'yyyy', not week-year 'YYYY' */
  "Computer" AS hostname,
  "Image" AS initiating_process,
  "ParentImage" AS parent_process,
  /* EventID 11: the shortcut written; EventID 1: the command line that ran */
  CASE WHEN "EventID" = '11' THEN "TargetFilename" ELSE "CommandLine" END AS lnk_file_path,
  CASE
    /* Pattern 1: LNK written by a scripting engine or LOLBin (EventID 11) */
    WHEN "EventID" = '11' AND "Image" ILIKE '%\\powershell.exe' THEN 'LNK_creation_by_powershell'
    WHEN "EventID" = '11' AND "Image" ILIKE '%\\cmd.exe' THEN 'LNK_creation_by_cmd'
    WHEN "EventID" = '11' AND ("Image" ILIKE '%\\wscript.exe' OR "Image" ILIKE '%\\cscript.exe') THEN 'LNK_creation_by_script_host'
    WHEN "EventID" = '11' AND ("Image" ILIKE '%\\mshta.exe' OR "Image" ILIKE '%\\rundll32.exe') THEN 'LNK_creation_by_lolbin'
    WHEN "EventID" = '11' THEN 'LNK_creation_suspicious'
    /* Pattern 2: interpreter under explorer.exe with a space-padded command line (EventID 1) */
    WHEN "EventID" = '1' AND "CommandLine" MATCHES '.*\\s{15,}.*' THEN 'LNK_padded_commandline_execution'
    /* Pattern 3: binary launched from a temp/profile path under explorer.exe (EventID 1) */
    ELSE 'LNK_suspicious_binary_from_temp'
  END AS detection_type,
  CASE
    WHEN "EventID" = '11' THEN 85
    WHEN "EventID" = '1' AND "CommandLine" MATCHES '.*\\s{15,}.*' THEN 90
    ELSE 95
  END AS risk_score
FROM events
WHERE
  (LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
   OR LOGSOURCETYPENAME(devicetype) ILIKE '%Microsoft Windows%')
  AND (
    /* Pattern 1: LNK creation by scripting engine, Sysmon EventID 11 */
    (
      "EventID" = '11'
      AND "TargetFilename" ILIKE '%.lnk'
      AND (
        "Image" ILIKE '%\\powershell.exe' OR "Image" ILIKE '%\\cmd.exe'
        OR "Image" ILIKE '%\\wscript.exe' OR "Image" ILIKE '%\\cscript.exe'
        OR "Image" ILIKE '%\\mshta.exe' OR "Image" ILIKE '%\\rundll32.exe'
        OR "Image" ILIKE '%\\regsvr32.exe' OR "Image" ILIKE '%\\certutil.exe'
      )
    )
    /* Pattern 2: padded command line spawned from explorer.exe, Sysmon EventID 1 */
    OR (
      "EventID" = '1'
      AND "ParentImage" ILIKE '%\\explorer.exe'
      AND (
        "Image" ILIKE '%\\powershell.exe' OR "Image" ILIKE '%\\cmd.exe'
        OR "Image" ILIKE '%\\wscript.exe' OR "Image" ILIKE '%\\mshta.exe'
      )
      AND "CommandLine" MATCHES '.*\\s{15,}.*'
    )
    /* Pattern 3: suspicious binary from a temp path under explorer.exe, Sysmon EventID 1 */
    OR (
      "EventID" = '1'
      AND "ParentImage" ILIKE '%\\explorer.exe'
      AND (
        "Image" ILIKE '%\\office.exe'
        OR (
          "Image" ILIKE '%.exe'
          AND ("Image" ILIKE '%\\temp\\%'
               OR "Image" ILIKE '%\\appdata\\local\\temp\\%'
               OR "Image" ILIKE '%\\appdata\\roaming\\%')
        )
      )
    )
  )
ORDER BY risk_score DESC
LAST 3 HOURS
```

Severity: high. Confidence: medium.

AQL detection for T1027.012 using Sysmon events ingested into QRadar. It covers three patterns: LNK file creation by scripting engines (EventID 11), padded command-line execution spawned from explorer.exe (EventID 1, Kimsuky pattern), and suspicious binary execution from temp paths (EventID 1, Mustang Panda/TONESHELL pattern). Results are ordered by risk score, highest first.

Data Sources

  • Sysmon forwarded to QRadar via Windows Event Log
  • Microsoft Windows Security Event Log

Required Tables

events

False Positives & Tuning

  • Enterprise software deployment tools creating LNK shortcuts during installation using cmd.exe or PowerShell
  • Legitimate portable application launchers stored in AppData\Roaming that are executed via desktop shortcuts
  • Security scanning or EDR tools that invoke explorer.exe child processes with long diagnostic command lines
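Before changing the regex threshold or adding exclusions to the AQL above, it helps to model the three patterns and the tuning allowlists offline and run them over sample events. The Python below is an added example (not the vendor's code): `classify` mirrors the AQL pattern order and risk scores, and the two allowlists stand in for the deployment-tool and portable-application cases in the false-positive list. The `CcmExec.exe` parent pattern, the `ApprovedTool` path and the sample events are constructed assumptions for an illustrative environment.

```python
"""Offline reference model of the three QRadar patterns, with allowlists for the
tuning cases above. Added example; run over exported Sysmon events or the
constructed samples below to see how a change shifts the verdicts."""
import re
from fnmatch import fnmatchcase

PADDING = re.compile(r"\s{15,}")                 # same threshold as the AQL MATCHES
LNK_WRITERS = ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
               "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe")
PADDED_INTERPRETERS = ("powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe")
TEMP_PATHS = ("\\temp\\", "\\appdata\\local\\temp\\", "\\appdata\\roaming\\")

# Tuning allowlists (assumed placeholders, lower-case glob patterns):
# a software deployment agent that legitimately writes shortcuts via cmd.exe,
# and an approved portable application living under AppData\Roaming.
ALLOWED_LNK_WRITER_PARENTS = ("*\\ccmexec.exe",)
ALLOWED_PORTABLE_APPS = ("*\\appdata\\roaming\\approvedtool\\*.exe",)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev, allow_parents=ALLOWED_LNK_WRITER_PARENTS, allow_apps=ALLOWED_PORTABLE_APPS):
    """Return (detection_type, risk_score) or None, in the AQL CASE order."""
    eid = str(ev.get("EventID"))
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    if eid == "11":                              # Pattern 1: LNK creation
        target = ev.get("TargetFilename", "").lower()
        name = basename(image)
        if not target.endswith(".lnk") or name not in LNK_WRITERS:
            return None
        if any(fnmatchcase(parent, p) for p in allow_parents):
            return None                          # tuning: deployment tooling
        if name == "powershell.exe":
            return ("LNK_creation_by_powershell", 85)
        if name == "cmd.exe":
            return ("LNK_creation_by_cmd", 85)
        if name in ("wscript.exe", "cscript.exe"):
            return ("LNK_creation_by_script_host", 85)
        if name in ("mshta.exe", "rundll32.exe"):
            return ("LNK_creation_by_lolbin", 85)
        return ("LNK_creation_suspicious", 85)
    if eid == "1" and basename(parent) == "explorer.exe":
        if basename(image) in PADDED_INTERPRETERS and PADDING.search(ev.get("CommandLine", "")):
            return ("LNK_padded_commandline_execution", 90)   # Pattern 2
        in_temp = image.endswith(".exe") and any(p in image for p in TEMP_PATHS)
        if basename(image) == "office.exe" or in_temp:        # Pattern 3
            if any(fnmatchcase(image, p) for p in allow_apps):
                return None                      # tuning: approved portable app
            return ("LNK_suspicious_binary_from_temp", 95)
    return None


def run(events):
    return [classify(ev) for ev in events]


# Constructed sample events modelled on the expected signals of the tests below.
SAMPLE_EVENTS = [
    {"EventID": "11", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Desktop\\Invoice.pdf.lnk"},
    {"EventID": "1", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe /c" + " " * 260 + "echo constructed"},
    {"EventID": "1", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\office.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "office.exe"},
    {"EventID": "11", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\CCM\\CcmExec.exe",
     "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\App.lnk"},
    {"EventID": "1", "Image": "C:\\Users\\alice\\AppData\\Roaming\\ApprovedTool\\ApprovedTool.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "ApprovedTool.exe"},
]

if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(basename(ev["Image"]), "->", verdict)
```

Each allowlist entry you add here corresponds to one extra `AND NOT ... ILIKE` clause in the matching pattern of the AQL; keeping the model and the rule in step makes a tuning change reviewable before it reaches production.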

Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Create LNK with External Icon URL

    Expected signal: Sysmon EventCode 11 (FileCreate) for the .lnk file creation. EventCode 1 (ProcessCreate) showing powershell.exe creating the file via the WScript.Shell COM object.

  2. Test 2: LNK with Padded Target Path (Kimsuky Evasion)

    Expected signal: Sysmon EventCode 11 for LNK creation by powershell.exe. If executed: EventCode 1 showing cmd.exe spawned from explorer.exe with 260 spaces in CommandLine, then a child powershell.exe process.

  3. Test 3: LNK with PDF Icon Spoofing (Mustang Panda/TONESHELL Pattern)

    Expected signal: Sysmon EventCode 11 for LNK creation. EventCode 1 for calc.exe (renamed as office.exe) executing from %TEMP% if the LNK is invoked. EventCode 11 for the office.exe copy operation.

  4. Test 4: LNK Executed via Script (Automated Execution Pattern)

    Expected signal: Sysmon EventCode 11 for LNK creation by powershell.exe. EventCode 1 for cmd.exe spawned from powershell.exe. If the icon URL were external: EventCode 22 DNS query and EventCode 3 network connection.
