1. Home
  2. ATT&CK Techniques
  3. T1027.012 LNK Icon Smuggling

T1027.012 LNK Icon Smuggling

Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise seemingly benign windows shortcut files. Windows shortcut files (.LNK) include many metadata fields, including an icon location field (also known as the IconEnvironmentDataBlock) designed to specify the path to an icon file that is to be displayed for the LNK file within a host directory.

Adversaries may abuse this LNK metadata to download malicious payloads. For example, adversaries have been observed using LNK files as phishing payloads to deliver malware. Once invoked (e.g., Malicious File), payloads referenced via external URLs within the LNK icon location field may be downloaded. These files may also then be invoked by Command and Scripting Interpreter/System Binary Proxy Execution arguments within the target path field of the LNK.(Citation: Unprotect Shortcut)(Citation: Booby Trap Shortcut 2017)

LNK Icon Smuggling may also be utilized post compromise, such as malicious scripts executing an LNK on an infected host to download additional malicious payloads.

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
DE.AE-02.01 Event analysis and detection Mitigates T1027.012 LNK Icon Smuggling
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
References
    PR.IR-01.08 End-user device access Mitigates T1027.012 LNK Icon Smuggling
    Comments
    This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources.
    References
      PR.PS-01.01 Configuration baselines Mitigates T1027.012 LNK Icon Smuggling
      Comments
      This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
      References
        PR.PS-01.08 End-user device protection Mitigates T1027.012 LNK Icon Smuggling
        Comments
        This diagnostic statement provides protections for endpoints from obfuscated files or information through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
        References
          PR.PS-01.08 End-user device protection Mitigates T1027.012 LNK Icon Smuggling
          Comments
          This diagnostic statement protects against LNK Icon Smuggling through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
          References

            NIST 800-53 Mappings

            Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
            SI-03 Malicious Code Protection mitigates T1027.012 LNK Icon Smuggling
            SI-04 System Monitoring mitigates T1027.012 LNK Icon Smuggling

            VERIS Mappings

            Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
            action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1027.012 LNK Icon Smuggling
            action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1027.012 LNK Icon Smuggling

            Azure Mappings

            Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
            microsoft_antimalware_for_azure Microsoft Antimalware for Azure technique_scores T1027.012 LNK Icon Smuggling
            Comments
            This control can protect against LNK icon smuggling.
            References
            1. https://learn.microsoft.com/en-us/azure/security/fundamentals/antimalware

            GCP Mappings

            Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
            cloud_ids Cloud IDS technique_scores T1027.012 LNK Icon Smuggling
            Comments
            Google Cloud IDS can detect network-based threats like malicious software.
            References
            1. ['https://cloud.google.com/intrusion-detection-system'
            2. 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']