T1027.012 Microsoft Sentinel · KQL

Detect LNK Icon Smuggling in Microsoft Sentinel

Adversaries abuse Windows shortcut (.LNK) files to smuggle malicious payloads past content filters. LNK files contain metadata fields including an icon location field (IconEnvironmentDataBlock) designed to specify an icon file path. Adversaries exploit this field to reference external URLs that trigger payload downloads when the LNK is invoked. They also abuse the LNK target path field to embed interpreter commands with obfuscated arguments, often padding target fields with extra spaces to hide the malicious portion from casual inspection. Threat actors including Kimsuky, Gamaredon Group, Mustang Panda, and TONESHELL malware have weaponized LNK files with spoofed PDF icons to trick users into executing malicious binaries.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1027 Obfuscated Files or Information
Sub-technique
T1027.012 LNK Icon Smuggling
Canonical reference
https://attack.mitre.org/techniques/T1027/012/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
// T1027.012 - LNK Icon Smuggling
// Detect suspicious LNK file creation and network connections triggered by LNK icon field
let SuspiciousLnkCreators = DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName endswith ".lnk"
| where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe")
| project DeviceId, DeviceName, LnkCreationTime=Timestamp, LnkFileName=FileName, LnkFolderPath=FolderPath, InitiatingProcessCommandLine, InitiatingProcessFileName;
let LnkInducedNetwork = DeviceNetworkEvents
| where InitiatingProcessFileName =~ "explorer.exe"
| where RemoteUrl has_any ("http://", "https://", ".ps1", ".exe", ".dll", ".bat", ".vbs")
| where RemotePort in (80, 443, 8080, 8443)
| project DeviceId, DeviceName, NetworkTime=Timestamp, RemoteUrl, RemoteIP, RemotePort;
SuspiciousLnkCreators
| join kind=leftouter (
    LnkInducedNetwork
) on DeviceId
| union (
    // LNK files spawning processes with heavily padded command lines (Kimsuky pattern)
    DeviceProcessEvents
    | where InitiatingProcessFileName =~ "explorer.exe"
    | where ProcessCommandLine matches regex @"\s{20,}"
    | where FileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe")
    | extend Detection = "LNK_padded_commandline"
)
| union (
    // LNK executing office.exe or renamed binaries from temp/appdata (Mustang Panda/TONESHELL)
    DeviceProcessEvents
    | where InitiatingProcessFileName =~ "explorer.exe"
    | where FolderPath has_any ("\\Temp\\", "\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\")
    | where FileName =~ "office.exe" or (FileName endswith ".exe" and FolderPath !has "Program Files")
    | extend Detection = "LNK_suspicious_binary_execution"
)
| extend Detection = coalesce(Detection, "LNK_payload_creation")
| project-reorder Timestamp, DeviceName, Detection, FileName, ProcessCommandLine, FolderPath, InitiatingProcessCommandLine
medium severity medium confidence

Joins LNK file creation events from scripting engines with subsequent network connections triggered by explorer.exe (indicating LNK execution). Also detects Kimsuky's extra-space padding pattern and TONESHELL/Mustang Panda's office.exe binary execution from temp directories. Tune InitiatingProcessFileName whitelist for legitimate LNK creators in your environment.

Download portable Sigma rule (.yml)

Other platforms for T1027.012

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create LNK with External Icon URL

    Expected signal: Sysmon EventCode 11 (FileCreate) for the .lnk file creation. EventCode 1 (ProcessCreate) showing powershell.exe creating the file via WScript.Shell COM object.

  2. Test 2LNK with Padded Target Path (Kimsuky Evasion)

    Expected signal: Sysmon EventCode 11 for LNK creation by powershell.exe. If executed: EventCode 1 showing cmd.exe spawned from explorer.exe with 260 spaces in CommandLine, then child powershell.exe process.

  3. Test 3LNK with PDF Icon Spoofing (Mustang Panda/TONESHELL Pattern)

    Expected signal: Sysmon EventCode 11 for LNK creation. EventCode 1 for calc.exe (renamed as office.exe) execution from %TEMP% if the LNK is invoked. EventCode 11 for office.exe copy operation.

  4. Test 4LNK Executed via Script (Automated Execution Pattern)

    Expected signal: Sysmon EventCode 11 for LNK creation by powershell.exe. EventCode 1 for cmd.exe spawned from powershell.exe. If icon URL were external: EventCode 22 DNS query and EventCode 3 network connection.

Last updated: 2026-04-13 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1027.012 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1027Obfuscated Files or Information

Related Sub-techniques

T1027.001Binary PaddingT1027.002Software PackingT1027.003SteganographyT1027.004Compile After DeliveryT1027.005Indicator Removal from ToolsT1027.006HTML SmugglingT1027.007Dynamic API ResolutionT1027.008Stripped PayloadsT1027.009Embedded PayloadsT1027.010Command ObfuscationT1027.011Fileless StorageT1027.013Encrypted/Encoded FileT1027.014Polymorphic CodeT1027.015CompressionT1027.016Junk Code InsertionT1027.017SVG Smuggling

Same Tactic: Defense Evasion

Popular Detections