Detect LNK Stomping
Query
//Detecting LNK stomping🦶
// https://www.linkedin.com/posts/0x534c_windows-smart-app-control-smartscreen-bypass-activity-7226483357625282560-2kOU/
//A bug in the handling of LNK files, can help threat actors bypass Smart App Control security controls designed to block untrusted applications. The below KQL should detect the behavioral signal of LNK stomping.
DeviceFileEvents
| where ActionType == "FileModified"
| where FileName endswith ".lnk"
| where InitiatingProcessFileName has "explorer.exe"
// #MDE #DefenderXDR #BypassSmartAppControl #MotW
// MITRE ATT&CK Mapping
// This query is related to the MITRE ATT&CK technique T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification1. This technique involves adversaries creating or modifying shortcuts that can execute a program during system boot or user login. By monitoring for modifications to .lnk files initiated by explorer.exe, this query helps detect potential malicious activities where shortcuts are altered to execute unwanted programs.Explanation
This query is designed to detect a specific type of suspicious activity known as "LNK stomping." It focuses on identifying when shortcut files (with the ".lnk" extension) are modified on a device. The query specifically looks for modifications initiated by the "explorer.exe" process, which is the Windows file manager. This behavior might indicate an attempt to bypass security controls, such as Smart App Control, which are meant to block untrusted applications. The query is associated with a known technique (T1547.009) where attackers modify shortcuts to execute programs during system startup or user login, potentially leading to malicious activities.
