Detect LNK Icon Smuggling in Sumo Logic CSE
Adversaries abuse Windows shortcut (.LNK) files to smuggle malicious payloads past content filters. LNK files contain metadata fields, including an icon location field (IconEnvironmentDataBlock) designed to hold the path of an icon file. Adversaries exploit this field to reference external URLs that trigger payload downloads when the LNK is invoked. They also abuse the LNK target path field to embed interpreter commands with obfuscated arguments, often padding the target field with long runs of spaces so the malicious portion is pushed out of view in the shortcut's Properties dialog. Threat actors including Kimsuky, Gamaredon Group, and Mustang Panda (whose TONESHELL malware is delivered this way) have weaponized LNK files with spoofed PDF icons to trick users into executing malicious binaries.
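The structure described above can be checked statically before a shortcut is ever double-clicked. The following Python triage script is an added example, not code from the original page or its vendor: it walks the MS-SHLLINK layout (ShellLinkHeader, optional LinkTargetIDList and LinkInfo, the StringData fields, then the ExtraData blocks) and reports three of the indicators named in the text: an icon location that points off-host, a whitespace-padded argument string, and an interpreter in the target or arguments. The two fixture shortcuts are constructed in memory purely to exercise the parser; the 20-character padding threshold, the domain icon.example.invalid and the placeholder argument are assumptions, not values from the page.

```python
"""Static triage of a Windows shortcut (.LNK) for icon-smuggling indicators, following the
MS-SHLLINK layout. Added example; the fixtures below are constructed, not real samples."""
import re
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
# LinkFlags bits 0..7 (MS-SHLLINK 2.1.1)
(HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH,
 HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE) = (1 << i for i in range(8))
ICON_ENV_SIG = 0xA0000007          # IconEnvironmentDataBlock signature (MS-SHLLINK 2.5.5)
ICON_ENV_SIZE = 8 + 260 + 520      # BlockSize/Signature + TargetAnsi + TargetUnicode = 0x314
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_REL_PATH), ("working_dir", HAS_WORK_DIR),
                 ("arguments", HAS_ARGS), ("icon_location", HAS_ICON))
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32", "regsvr32", "certutil")
PADDING_THRESHOLD = 20             # assumed tuning value; the Kimsuky pattern above uses 260 spaces


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields plus the IconEnvironmentDataBlock target, if present."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("bad HeaderSize: not a shell link")
    if data[4:20] != LNK_CLSID.bytes_le:
        raise ValueError("bad LinkCLSID: not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 0x4C
    if flags & HAS_ID_LIST:                      # IDListSize (2 bytes) followed by the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        off += struct.unpack_from("<I", data, off)[0]
    info = {}
    for field, bit in STRING_FIELDS:             # CountCharacters + characters, no terminator
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + count * width]
        off += count * width
        info[field] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    info["icon_environment"] = None
    while off + 8 <= len(data):                  # ExtraData: BlockSize, BlockSignature, body
        size, sig = struct.unpack_from("<II", data, off)
        if size < 4:                             # TerminalBlock
            break
        if sig == ICON_ENV_SIG and size >= ICON_ENV_SIZE:
            uni = data[off + 268:off + 788].decode("utf-16-le").split("\x00", 1)[0]
            ansi = data[off + 8:off + 268].split(b"\x00", 1)[0].decode("cp1252")
            info["icon_environment"] = uni or ansi
        off += size
    return info


def triage(data: bytes) -> list:
    """Return (indicator, detail) pairs; an empty list means nothing suspicious was found."""
    info = parse_lnk(data)
    findings = []
    for field in ("icon_location", "icon_environment"):
        value = (info.get(field) or "").strip()
        if re.match(r"(?i)^(https?:|ftp:|\\\\)", value):   # URL or UNC path: icon fetched off-host
            findings.append(("remote_icon", f"{field} = {value!r}"))
    args = info.get("arguments") or ""
    longest = max((len(m) for m in re.findall(r"\s{2,}", args)), default=0)
    if longest >= PADDING_THRESHOLD:
        findings.append(("padded_arguments", f"{longest} consecutive whitespace characters"))
    target = " ".join(filter(None, (info.get("relative_path"), args))).lower()
    hit = [name for name in INTERPRETERS if name in target]
    if hit:
        findings.append(("interpreter_in_target", ", ".join(hit)))
    return findings


def build_fixture(relative_path, arguments, icon_location, icon_env_target=None) -> bytes:
    """Constructed test shortcut: header, three StringData fields, optional icon block, terminator."""
    flags = HAS_REL_PATH | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID.bytes_le, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    extra = b""
    if icon_env_target:
        extra = (struct.pack("<II", ICON_ENV_SIZE, ICON_ENV_SIG)
                 + icon_env_target.encode("cp1252").ljust(260, b"\x00")
                 + icon_env_target.encode("utf-16-le").ljust(520, b"\x00"))
    return header + s(relative_path) + s(arguments) + s(icon_location) + extra + struct.pack("<I", 0)


# Constructed fixtures (assumed values): one mirrors the padded-argument pattern, one is benign.
SUSPICIOUS = build_fixture("..\\..\\Windows\\System32\\cmd.exe",
                           "/c" + " " * 260 + "powershell -w hidden -c <placeholder>",
                           "%SystemRoot%\\System32\\SHELL32.dll",
                           icon_env_target="http://icon.example.invalid/doc.ico")
BENIGN = build_fixture("..\\Program Files\\Foo Bar\\app.exe", '--profile "My Profile"',
                       "C:\\Program Files\\Foo Bar\\app.exe")

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, triage(blob) or "no findings")
```

The parser deliberately skips LinkTargetIDList and LinkInfo rather than decoding them, since the indicators of interest live in StringData and ExtraData; a production tool would also resolve the target from the IDList and compare the icon's apparent file type against it.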
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1027 Obfuscated Files or Information
- Sub-technique: T1027.012 LNK Icon Smuggling
- Canonical reference: https://attack.mitre.org/techniques/T1027/012/
Sumo Detection Query
/* T1027.012 - LNK Icon Smuggling - Sumo Logic CSE / Sysmon */
(_sourceCategory="windows/sysmon" OR _sourceCategory="*WinEventLog*Sysmon*")
| json auto
| where EventID in ("1", "11", "22")
/* LNK file creation by scripting engine (EventID 11); Sumo glob patterns use "*", not "%" */
| where (EventID = "11" AND toLowerCase(TargetFilename) matches "*.lnk"
    AND (
      Image matches "*\\powershell.exe" OR Image matches "*\\cmd.exe" OR
      Image matches "*\\wscript.exe" OR Image matches "*\\cscript.exe" OR
      Image matches "*\\mshta.exe" OR Image matches "*\\rundll32.exe" OR
      Image matches "*\\regsvr32.exe" OR Image matches "*\\certutil.exe"
    ))
  OR
  /* Padded command line from explorer.exe (EventID 1, Kimsuky): a run of 20 or more spaces.
     "* *" would match any command line containing a single space; 20 is a starting threshold to tune. */
  (EventID = "1" AND
    (Image matches "*\\powershell.exe" OR Image matches "*\\cmd.exe" OR
     Image matches "*\\wscript.exe" OR Image matches "*\\mshta.exe") AND
    ParentImage matches "*\\explorer.exe" AND
    CommandLine matches /\s{20,}/)
  OR
  /* Suspicious binary from Temp via explorer.exe (EventID 1, Mustang Panda) */
  (EventID = "1" AND ParentImage matches "*\\explorer.exe" AND
    (
      toLowerCase(Image) matches "*\\office.exe" OR
      toLowerCase(CommandLine) matches "*\\temp\\*.exe" OR
      toLowerCase(CommandLine) matches "*\\appdata\\local\\temp\\*.exe" OR
      toLowerCase(CommandLine) matches "*\\appdata\\roaming\\*.exe"
    ))
  OR
  /* DNS lookup from explorer.exe for non-Microsoft domains (EventID 22) */
  (EventID = "22" AND Image matches "*\\explorer.exe" AND
    (
      QueryName matches "*.ps1" OR QueryName matches "*.exe" OR QueryName matches "*.dll" OR
      !(QueryName matches "*.microsoft.com" OR QueryName matches "*.windows.com" OR QueryName matches "*.windowsupdate.com")
    ))
/* Sumo Logic has no eval; derive fields with if(...) as <field>. Precedence: EventID 11, then padded, then Temp, then DNS. */
| if(EventID = "11" AND toLowerCase(TargetFilename) matches "*.lnk", "LNK_creation_by_scripting_engine",
  if(EventID = "1" AND CommandLine matches /\s{20,}/, "LNK_padded_commandline_execution",
  if(EventID = "1" AND (toLowerCase(Image) matches "*\\office.exe" OR toLowerCase(CommandLine) matches "*\\temp\\*.exe" OR toLowerCase(CommandLine) matches "*\\appdata\\roaming\\*.exe"), "LNK_suspicious_binary_from_temp",
  if(EventID = "22", "LNK_icon_field_dns_lookup", "LNK_unknown")))) as detection_type
| if(detection_type = "LNK_suspicious_binary_from_temp", 90,
  if(detection_type = "LNK_padded_commandline_execution", 85,
  if(detection_type = "LNK_icon_field_dns_lookup", 70,
  if(detection_type = "LNK_creation_by_scripting_engine", 65, 50)))) as risk_score
| fields _messageTime, Computer, detection_type, risk_score, Image, CommandLine, TargetFilename, QueryName, ParentImage
| sort by risk_score desc

Sumo Logic detection for T1027.012 LNK Icon Smuggling using Sysmon operational logs. It detects four behavioral patterns: LNK creation by scripting engines (Sysmon 11), padded command-line execution via explorer.exe (Sysmon 1, Kimsuky), suspicious binary execution from temp paths (Sysmon 1, Mustang Panda/TONESHELL), and DNS lookups triggered by LNK icon fields (Sysmon 22). Each result carries a risk score derived from its detection type.
Data Sources
Required Tables
False Positives & Tuning
- Software installation packages that create LNK shortcuts using cmd.exe or PowerShell as part of setup wizards
- Remote management tools (e.g., desktop shortcuts to internal web apps) that cause explorer.exe DNS lookups to internal domains not matching microsoft.com
- Legitimate portable applications stored in AppData\Roaming that contain spaces in their installation paths triggering the padded commandline heuristic
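To check the query's precedence and the tuning cases above without a live Sumo tenant, the following Python re-implements its four clauses over constructed Sysmon events. This is an added example, not code from the page or its vendor: the event dictionaries are constructed, not real telemetry; the padded-command-line check uses a run of 20 or more spaces as an assumed threshold (the page's Test 2 pads with 260); and the last two events reproduce the false-positive cases listed above (spaces in an installation path, a lookup under microsoft.com) to show they stay silent.

```python
"""Offline re-implementation of the four Sumo query clauses over constructed Sysmon events.
Added example; thresholds and sample events are assumptions, not values from the page."""
import re

SCRIPT_ENGINES = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
PADDED_ENGINES = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
TRUSTED_DNS_SUFFIXES = ("microsoft.com", "windows.com", "windowsupdate.com")
PADDING_RE = re.compile(r"\s{20,}")          # assumed threshold; "any space" would fire on nearly everything
TEMP_EXE_RE = re.compile(r"\\(temp|appdata\\roaming)\\.*\.exe", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: dict):
    """Return (detection_type, risk_score) or None, keeping the query's precedence."""
    eid = str(ev.get("EventID", ""))
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if eid == "11" and ev.get("TargetFilename", "").lower().endswith(".lnk") and image in SCRIPT_ENGINES:
        return "LNK_creation_by_scripting_engine", 65
    if eid == "1" and parent == "explorer.exe":
        if image in PADDED_ENGINES and PADDING_RE.search(cmd):
            return "LNK_padded_commandline_execution", 85
        if image == "office.exe" or TEMP_EXE_RE.search(cmd):
            return "LNK_suspicious_binary_from_temp", 90
    if eid == "22" and image == "explorer.exe":
        qname = ev.get("QueryName", "").lower().rstrip(".")
        trusted = any(qname == s or qname.endswith("." + s) for s in TRUSTED_DNS_SUFFIXES)
        if not trusted:
            return "LNK_icon_field_dns_lookup", 70
    return None


def classify_all(events):
    """Map each constructed event's id to its classification (or None when nothing fires)."""
    return {ev["id"]: classify(ev) for ev in events}


EXPLORER = "C:\\Windows\\explorer.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed events, not real telemetry
SAMPLE_EVENTS = [
    {"id": "lnk_create", "EventID": "11", "Image": PS,
     "TargetFilename": "C:\\Users\\u\\Desktop\\Invoice.pdf.lnk"},
    {"id": "padded", "EventID": "1", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": EXPLORER,
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c' + " " * 260 + "powershell -w hidden"},
    {"id": "temp_exe", "EventID": "1", "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\office.exe",
     "ParentImage": EXPLORER, "CommandLine": "C:\\Users\\u\\AppData\\Local\\Temp\\office.exe"},
    {"id": "dns", "EventID": "22", "Image": EXPLORER, "QueryName": "cdn.example.invalid"},
    # Tuning cases from the false-positive list: spaces in a path, and a Microsoft lookup
    {"id": "fp_spaces", "EventID": "1", "Image": "C:\\Program Files\\Foo Bar\\app.exe", "ParentImage": EXPLORER,
     "CommandLine": '"C:\\Program Files\\Foo Bar\\app.exe" --profile "My Profile"'},
    {"id": "fp_dns", "EventID": "22", "Image": EXPLORER, "QueryName": "go.microsoft.com"},
]

if __name__ == "__main__":
    for event_id, result in classify_all(SAMPLE_EVENTS).items():
        print(f"{event_id:12} -> {result}")
```

The DNS clause is the noisiest of the four, exactly as the tuning list warns: anything explorer.exe resolves outside the three Microsoft suffixes fires, so in practice TRUSTED_DNS_SUFFIXES should grow to include the organisation's internal zones before this score is trusted.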
Other platforms for T1027.012
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Create LNK with External Icon URL
  Expected signal: Sysmon EventCode 11 (FileCreate) for the .lnk file creation. EventCode 1 (ProcessCreate) showing powershell.exe creating the file via the WScript.Shell COM object.
- Test 2: LNK with Padded Target Path (Kimsuky Evasion)
  Expected signal: Sysmon EventCode 11 for LNK creation by powershell.exe. If executed: EventCode 1 showing cmd.exe spawned from explorer.exe with 260 spaces in CommandLine, then a child powershell.exe process.
- Test 3: LNK with PDF Icon Spoofing (Mustang Panda/TONESHELL Pattern)
  Expected signal: Sysmon EventCode 11 for LNK creation. EventCode 1 for calc.exe (renamed as office.exe) execution from %TEMP% if the LNK is invoked. EventCode 11 for the office.exe copy operation.
- Test 4: LNK Executed via Script (Automated Execution Pattern)
  Expected signal: Sysmon EventCode 11 for LNK creation by powershell.exe. EventCode 1 for cmd.exe spawned from powershell.exe. If the icon URL were external: EventCode 22 DNS query and EventCode 3 network connection.
References (7)
- https://attack.mitre.org/techniques/T1027/012
- https://unprotect.it/technique/shortcut-hiding/
- https://www.uperesia.com/booby-trapped-shortcut
- https://www.securonix.com/blog/detecting-kimsuky-lnk-attack-chain/
- https://symantec-enterprise-blogs.security.com/threat-intelligence/shuckworm-ukraine-usb
- https://blog.talosintelligence.com/mustang-panda-plugx-pubload/
- https://www.sophos.com/en-us/threat-center/threat-analyses/mustang-panda-plugx