LNK
TL;DR
LNK files are Windows Shortcut Files that act as pointers to an application or file; they are commonly found on a user's desktop or elsewhere on a system and end with a .lnk extension. These files can be created by the user or automatically by the Windows operating system. LNK files are extensively used as a medium to deploy malware and/or establish persistence.

Fig 1: Simply edit the "Main" section at the bottom of the PowerShell script and uncomment LNK and LNK_Hunt
Function LNK
Step 1 - Scanning forensic/ntfs directory of MemProcFS for LNK Files w/ YARA.
Step 2 - Parsing LNK File Structure w/ lnk_parser
[Info] Scanning for Windows Shortcut Files (LNK) w/ YARA [time-consuming task] ...
[Info] YARA scan duration: 00 h 10 min 39 sec
[Info] 92 SHLLINK artifacts found
[Info] Parsing SHLLINK artifacts (LNK) w/ lnk_parser ...
Function LNK_Hunt
Step 3 - Hunting for Malicious LNK Files

Fig 2: YARA rule
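The three steps above (signature match, structure parsing, hunting) condensed into one added Python example. This is not code from MemProcFS-Analyzer, lnk_parser or the wiki's YARA rule; it follows the public MS-SHLLINK layout, builds its own constructed sample .lnk bytes, and the hunting rules it applies (script-host target, encoded-command switch, minimized window, long command line) are assumed heuristics chosen for illustration, not the project's rule set. The 20-byte signature check at the top of `parse_lnk` (HeaderSize 0x4C followed by the ShellLink CLSID) is the same condition a YARA rule for LNK files matches on when carving them out of the forensic/ntfs directory.

```python
import struct
from dataclasses import dataclass, field

# MS-SHLLINK: every ShellLink begins with HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046. These 20 bytes are the
# signature a YARA rule for LNK files matches on.
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

LINK_FLAGS = {
    "HasLinkTargetIDList": 0x01, "HasLinkInfo": 0x02, "HasName": 0x04,
    "HasRelativePath": 0x08, "HasWorkingDir": 0x10, "HasArguments": 0x20,
    "HasIconLocation": 0x40, "IsUnicode": 0x80,
}
# StringData sections appear in this fixed order, each present only if its flag is set.
STRING_DATA = [("HasName", "name"), ("HasRelativePath", "relative_path"),
               ("HasWorkingDir", "working_dir"), ("HasArguments", "arguments"),
               ("HasIconLocation", "icon_location")]
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that opens the target minimized


@dataclass
class ShellLink:
    link_flags: int
    show_command: int
    strings: dict = field(default_factory=dict)


def parse_lnk(data: bytes) -> ShellLink:
    """Parse the ShellLinkHeader and StringData sections of a .lnk file."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid, link_flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("ShellLink signature not found")
    show_command = struct.unpack_from("<I", data, 60)[0]  # after FileSize and IconIndex

    off = HEADER_SIZE
    if link_flags & LINK_FLAGS["HasLinkTargetIDList"]:
        # IDListSize (uint16) is followed by that many bytes of ItemIDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if link_flags & LINK_FLAGS["HasLinkInfo"]:
        # LinkInfoSize (uint32) counts itself, so it is the full skip distance
        off += struct.unpack_from("<I", data, off)[0]

    unicode = bool(link_flags & LINK_FLAGS["IsUnicode"])
    width = 2 if unicode else 1
    strings = {}
    for flag_name, key in STRING_DATA:
        if not link_flags & LINK_FLAGS[flag_name]:
            continue
        count = struct.unpack_from("<H", data, off)[0]  # CountCharacters, no terminator
        off += 2
        raw = data[off:off + count * width]
        off += count * width
        strings[key] = raw.decode("utf-16-le" if unicode else "cp1252")
    return ShellLink(link_flags, show_command, strings)


# Assumed heuristic list of script hosts / LOLBins worth a second look as LNK targets.
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32")


def hunt(link: ShellLink) -> list:
    """Return the names of the (assumed) hunting rules that fire on a parsed ShellLink."""
    findings = []
    target = " ".join(link.strings.get(k, "")
                      for k in ("relative_path", "working_dir", "arguments")).lower()
    args = link.strings.get("arguments", "").lower()
    if any(host in target for host in SCRIPT_HOSTS):
        findings.append("script-host-target")
    if any(tok in args.split() for tok in ("-enc", "-encodedcommand", "-e", "-ec")):
        findings.append("encoded-command-switch")
    if link.show_command == SW_SHOWMINNOACTIVE:
        findings.append("window-minimized")
    if len(args) > 200:
        findings.append("long-command-line")
    return findings


def build_sample_lnk(relative_path: str, arguments: str, show_command: int = 1) -> bytes:
    """Constructed test input: a minimal Unicode ShellLink with RelativePath and arguments."""
    flags = LINK_FLAGS["HasRelativePath"] | LINK_FLAGS["HasArguments"] | LINK_FLAGS["IsUnicode"]
    header = struct.pack("<I16sII", HEADER_SIZE, LNK_CLSID, flags, 0)   # ..FileAttributes
    header += b"\x00" * 24                                              # Creation/Access/WriteTime
    header += struct.pack("<IIIHHII", 0, 0, show_command, 0, 0, 0, 0)    # FileSize..Reserved3

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


if __name__ == "__main__":
    # Both inputs are constructed here; neither is a real file from a case.
    benign = build_sample_lnk(r"..\..\Windows\notepad.exe", "")
    suspect = build_sample_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                               "-nop -w hidden -enc AAAA", show_command=SW_SHOWMINNOACTIVE)
    for name, blob in (("benign", benign), ("suspect", suspect)):
        link = parse_lnk(blob)
        print(name, link.strings, hunt(link))
```

On real carved data the ExtraData blocks that follow StringData (tracker, environment and property-store blocks) carry the host name and volume details that lnk_parser exposes in its CSV; this example stops at StringData because the hunting fields it scores on all live there.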
| File | Description |
|---|---|
| .\LNK\LNK-Files.txt | List of LNK-Files found in Physical Memory |
| .\LNK\lnk_parser\CSV\lnk_parser.csv | Default CSV Output |
| .\LNK\lnk_parser\CSV\lnk_parser-hunt.csv | Custom CSV (for Hunting Malicious LNK Files) |
| .\LNK\lnk_parser\XLSX\lnk_parser.xlsx | Default XLSX Output |
| .\LNK\lnk_parser\XLSX\lnk_parser-hunt.xlsx | Custom XLSX (for Hunting Malicious LNK Files) |
| .\LNK\Hunt\CSV | Hunting Rules CSV Output |
| .\LNK\Hunt\XLSX | Hunting Rules XLSX Output |
# Links
**Last updated: 2022-09-06**