@tomsonpl tomsonpl commented Nov 20, 2025

Windows LNK Forensics Artifact

Detects suspicious Windows LNK (shortcut) files in critical persistence locations with advanced pattern detection and shellbags enrichment. Focuses on risky executables, malicious command-line arguments, download cradles, and UNC path abuse in Startup folders and Public Desktop locations.

Read: https://p.elstc.co/paste/5zrvrCXl#WOQWWEj62EM0utP1pyuZg4gejeGCKCWGJqVy0YbBPjB

Core Forensic Artifacts Coverage Table

#   Artifact           OS       Query                          File      Description
1   Windows LNK Files  Windows  lnk_forensics_windows_elastic  a1b2c3d4  Collect Windows LNK shortcut files from critical persistence and public locations with suspicious indicators enriched with shellbags data

Queries by Platform


🪟 Windows - LNK Shortcut File Forensics with Suspicious Pattern Detection

Description

Collects and analyzes Windows LNK (shortcut) files from critical system-wide persistence locations and public areas. This query enriches LNK file metadata with shellbags registry data to correlate shortcut targets with Windows Explorer directory access patterns. It implements multi-layered detection focusing on persistence mechanisms, risky executable targets, and malicious command-line patterns.

Risk Scoring Methodology:

The query implements binary flag-based detection across multiple threat vectors:

  • Large File Size: LNK files over 20KB (unusual and potentially malicious)
  • Startup Persistence: Files in Startup folders (automatic execution on logon)
  • Risky Executables: cmd.exe, powershell.exe, wscript.exe, cscript.exe, rundll32.exe, regsvr32.exe, mshta.exe, wmic.exe, conhost.exe
  • Suspicious Arguments: Encoded commands, hidden windows, download cradles, Base64 payloads, temp directory execution
  • HTTP Download Cradles: URLs in command-line indicating remote payload fetching
  • UNC Path Usage: Network path references suggesting lateral movement or remote execution
  • Large Arguments: Command-line arguments exceeding 250 characters

Detection Focus:

  • Persistence via Startup folder LNK files
  • Living-off-the-land binary (LOLBin) abuse through shortcuts
  • PowerShell and command shell obfuscation techniques
  • Remote payload download and execution patterns
  • Lateral movement via UNC paths
  • User activity correlation through shellbags registry data
  • Excludes common legitimate Office and Windows shortcuts from Public Desktop

Result

This query returns LNK files with suspicious characteristics, including full file metadata, cryptographic hashes, target executable paths, command-line arguments, and correlated shellbags data. Binary flags indicate specific threat indicators for rapid triage.

[Screenshot: 2025-11-20 at 12:12:22]

Platform

windows

Interval

3600 seconds (1 hour)

Query ID

lnk_forensics_windows_elastic

ECS Field Mappings

  • file.path: path
  • file.name: filename
  • file.directory: directory
  • file.size: size
  • file.created: btime
  • file.mtime: mtime
  • file.accessed: atime
  • file.ctime: ctime
  • file.type: type
  • file.hash.md5: md5
  • file.hash.sha1: sha1
  • file.hash.sha256: sha256
  • file.extension: extension
  • process.executable: shortcut_target_path
  • process.command_line: combined_command
  • user.id: shellbags_sid
  • registry.path: shellbags_source

SQL Query

-- Windows LNK Shortcut File Forensics with Suspicious Pattern Detection + Shellbags Enrichment
-- Source: file table with native Windows shortcut parsing + shellbags registry data
-- Focus: Risky executables, malicious arguments, large files, persistence mechanisms
-- Scope: System-wide Startup folder and Public Desktop only (osquery constraint requirement)
-- Note: osquery SQL is SQLite, whose string literals have no escape character, so a UNC
--       prefix is matched with two literal backslashes ('\\'); four would never match.

WITH lnk_files AS (
    -- Step 1: LNK files in the two monitored directories; target and comment are
    -- concatenated so argument patterns can be matched against a single string
    SELECT
        f.path,
        f.filename,
        f.directory,
        f.size,
        f.btime,
        f.mtime,
        f.atime,
        f.ctime,
        f.type,
        f.shortcut_target_path,
        f.shortcut_target_type,
        f.shortcut_target_location,
        f.shortcut_start_in,
        f.shortcut_run,
        f.shortcut_comment,
        'lnk' AS extension,
        CASE
            WHEN f.shortcut_target_path IS NOT NULL AND f.shortcut_comment IS NOT NULL
            THEN f.shortcut_target_path || ' ' || f.shortcut_comment
            WHEN f.shortcut_target_path IS NOT NULL
            THEN f.shortcut_target_path
            ELSE f.shortcut_comment
        END AS combined_command
    FROM file f
    WHERE (
        f.directory = 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup'
        OR f.directory = 'C:\Users\Public\Desktop'
    )
    AND f.filename LIKE '%.lnk'
),
flagged AS (
    -- Step 2: evaluate every binary indicator once; the filter and sort below
    -- reuse these columns instead of repeating the pattern lists
    SELECT
        lnk.*,
        CASE WHEN lnk.size > 20000 THEN 1 ELSE 0 END AS large_size_flag,
        CASE WHEN lnk.directory LIKE '%\Startup%' THEN 1 ELSE 0 END AS startup_persistence_flag,
        CASE
            WHEN lnk.shortcut_target_path LIKE '%\cmd.exe'
                OR lnk.shortcut_target_path LIKE '%\powershell.exe'
                OR lnk.shortcut_target_path LIKE '%\cscript.exe'
                OR lnk.shortcut_target_path LIKE '%\wscript.exe'
                OR lnk.shortcut_target_path LIKE '%\rundll32.exe'
                OR lnk.shortcut_target_path LIKE '%\regsvr32.exe'
                OR lnk.shortcut_target_path LIKE '%\mshta.exe'
                OR lnk.shortcut_target_path LIKE '%\wmic.exe'
                OR lnk.shortcut_target_path LIKE '%\conhost.exe'
            THEN 1 ELSE 0
        END AS risky_executable_flag,
        CASE
            WHEN lnk.combined_command LIKE '%\AppData\%'
                OR lnk.combined_command LIKE '%\Users\Public\%'
                OR lnk.combined_command LIKE '%\Temp\%'
                OR lnk.combined_command LIKE '%comspec%'
                OR lnk.combined_command LIKE '%&cd&echo%'
                OR lnk.combined_command LIKE '% -NoP %'
                OR lnk.combined_command LIKE '% -W Hidden %'
                OR lnk.combined_command LIKE '% -decode %'
                OR lnk.combined_command LIKE '% /decode %'
                OR lnk.combined_command LIKE '% -e %JAB%'
                OR lnk.combined_command LIKE '% -e %SUVYI%'
                OR lnk.combined_command LIKE '% -e %SQBFAFgA%'
                OR lnk.combined_command LIKE '% -e %aWV4I%'
                OR lnk.combined_command LIKE '% -e %aQBlAHgA%'
                OR lnk.combined_command LIKE '%start /b%'
                OR lnk.combined_command LIKE '%start \b%'
                OR lnk.combined_command LIKE '%.downloadstring(%'
                OR lnk.combined_command LIKE '%.downloadfile(%'
                OR lnk.combined_command LIKE '%iex %'
            THEN 1 ELSE 0
        END AS suspicious_arguments_flag,
        CASE
            WHEN lnk.combined_command LIKE '%http://%'
                OR lnk.combined_command LIKE '%https://%'
                OR lnk.combined_command LIKE '%ftp://%'
                OR lnk.combined_command LIKE '%ftps://%'
            THEN 1 ELSE 0
        END AS http_download_flag,
        CASE
            WHEN lnk.combined_command LIKE '% \\%'
                OR lnk.shortcut_start_in LIKE '\\%'
            THEN 1 ELSE 0
        END AS unc_path_flag,
        CASE
            WHEN LENGTH(lnk.shortcut_comment) > 250
            THEN 1 ELSE 0
        END AS large_arguments_flag
    FROM lnk_files lnk
)
SELECT
    lnk.path,
    lnk.filename,
    lnk.directory,
    lnk.size,
    lnk.btime,
    lnk.mtime,
    lnk.atime,
    lnk.ctime,
    lnk.type,
    lnk.shortcut_target_path,
    lnk.shortcut_target_type,
    lnk.shortcut_target_location,
    lnk.shortcut_start_in,
    lnk.shortcut_run,
    lnk.shortcut_comment,
    lnk.combined_command,
    lnk.extension,
    h.md5,
    h.sha1,
    h.sha256,
    sb.sid AS shellbags_sid,
    sb.source AS shellbags_source,
    sb.modified_time AS shellbags_modified_time,
    sb.created_time AS shellbags_created_time,
    sb.accessed_time AS shellbags_accessed_time,
    sb.mft_entry AS shellbags_mft_entry,
    lnk.large_size_flag,
    lnk.startup_persistence_flag,
    lnk.risky_executable_flag,
    lnk.suspicious_arguments_flag,
    lnk.http_download_flag,
    lnk.unc_path_flag,
    lnk.large_arguments_flag
FROM flagged lnk
LEFT JOIN hash h ON lnk.path = h.path
LEFT JOIN shellbags sb ON sb.path = lnk.shortcut_start_in
WHERE (
    -- report a file only when at least one indicator fired
    lnk.large_size_flag = 1
    OR lnk.startup_persistence_flag = 1
    OR lnk.risky_executable_flag = 1
    OR lnk.suspicious_arguments_flag = 1
    OR lnk.http_download_flag = 1
    OR lnk.unc_path_flag = 1
    OR lnk.large_arguments_flag = 1
)
AND (
    -- Startup entries are always reported; on the Public Desktop the standard
    -- Office and Windows shortcuts are excluded
    lnk.startup_persistence_flag = 1
    OR (
        lnk.filename NOT LIKE 'Excel.lnk'
        AND lnk.filename NOT LIKE 'Word.lnk'
        AND lnk.filename NOT LIKE 'PowerPoint.lnk'
        AND lnk.filename NOT LIKE 'Outlook.lnk'
        AND lnk.filename NOT LIKE 'OneNote.lnk'
        AND lnk.filename NOT LIKE 'Windows Media Player.lnk'
        AND lnk.filename NOT LIKE 'Windows Explorer.lnk'
        AND lnk.filename NOT LIKE 'Internet Explorer.lnk'
    )
)
ORDER BY
    lnk.startup_persistence_flag DESC,
    lnk.risky_executable_flag DESC,
    lnk.mtime DESC;

MITRE ATT&CK Coverage

  • T1547.001 - Persistence: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1204.002 - Execution: User Execution: Malicious File
  • T1021 - Lateral Movement: Remote Services
  • T1059.001 - Execution: Command and Scripting Interpreter: PowerShell
  • T1059.003 - Execution: Command and Scripting Interpreter: Windows Command Shell
  • T1105 - Command and Control: Ingress Tool Transfer

Tags

forensics, persistence, lateral-movement, user-activity, file-analysis, malware-detection, command-and-control
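
The flag logic and the Public Desktop allowlist described in the Risk Scoring Methodology and SQL Query sections above can be exercised offline before the saved query ships. The following harness is an added example and is not code from this PR or from the osquery_manager integration: it recreates a subset of the three osquery tables the query joins (file, hash, shellbags) in an in-memory SQLite database, loads constructed LNK metadata rows (the SID, hashes and paths are all made up), and runs a condensed version of the query that keeps a representative subset of the patterns with the same structure. Because osquery's SQL engine is SQLite, the LIKE behaviour seen here (ASCII case-insensitive, no escape character in string literals) is the behaviour the endpoint applies, which is why the UNC check uses two literal backslashes.

```python
"""Offline harness for the LNK forensics osquery saved query (added example,
not code from the PR or the osquery_manager integration). It recreates the
three osquery tables the query joins (file, hash, shellbags) in an in-memory
SQLite database, loads constructed LNK metadata and runs a condensed version
of the query's flag logic. osquery's engine is SQLite, so LIKE semantics
(ASCII case-insensitive, no escape character in literals) are the real ones."""
import sqlite3

STARTUP = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
PUBLIC = r"C:\Users\Public\Desktop"
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID

# Constructed rows: (path, filename, directory, size, target, start_in, comment)
ROWS = [
    # Allowlisted Office shortcut on the Public Desktop: must not be returned.
    (PUBLIC + r"\Word.lnk", "Word.lnk", PUBLIC, 2300,
     r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     r"C:\Program Files\Microsoft Office\root\Office16", None),
    # Startup LNK launching PowerShell with a hidden, encoded command.
    (STARTUP + r"\Updater.lnk", "Updater.lnk", STARTUP, 1800,
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Users\Public", "-NoP -W Hidden -e JABzAD0AJwB4ACcA"),
    # Public Desktop LNK whose working directory is a UNC share.
    (PUBLIC + r"\Report.lnk", "Report.lnk", PUBLIC, 1500,
     r"C:\Windows\System32\notepad.exe", r"\\fileserver\share\docs", None),
    # Oversized LNK with an ordinary target: only the size heuristic fires.
    (PUBLIC + r"\Big.lnk", "Big.lnk", PUBLIC, 65536,
     r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor", None),
]
HASHES = [(r[0], "constructed-sha256-%d" % i) for i, r in enumerate(ROWS)]
SHELLBAGS = [(SID, r"C:\Users\Public")]  # Explorer visited C:\Users\Public

# Minimal stand-ins for the osquery tables (only the columns used here).
SCHEMA = """
CREATE TABLE file (path TEXT, filename TEXT, directory TEXT, size INTEGER,
    shortcut_target_path TEXT, shortcut_start_in TEXT, shortcut_comment TEXT);
CREATE TABLE hash (path TEXT, sha256 TEXT);
CREATE TABLE shellbags (sid TEXT, path TEXT);
"""
# Condensed flag logic: a subset of the PR's patterns with the same structure.
QUERY = r"""
WITH lnk_files AS (
    SELECT f.*,
        CASE WHEN f.shortcut_target_path IS NOT NULL AND f.shortcut_comment IS NOT NULL
             THEN f.shortcut_target_path || ' ' || f.shortcut_comment
             WHEN f.shortcut_target_path IS NOT NULL THEN f.shortcut_target_path
             ELSE f.shortcut_comment END AS combined_command
    FROM file f
    WHERE (f.directory = 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup'
           OR f.directory = 'C:\Users\Public\Desktop')
      AND f.filename LIKE '%.lnk'
), flagged AS (
    SELECT lnk.*,
        CASE WHEN lnk.size > 20000 THEN 1 ELSE 0 END AS large_size_flag,
        CASE WHEN lnk.directory LIKE '%\Startup%' THEN 1 ELSE 0 END AS startup_persistence_flag,
        CASE WHEN lnk.shortcut_target_path LIKE '%\cmd.exe'
               OR lnk.shortcut_target_path LIKE '%\powershell.exe'
               OR lnk.shortcut_target_path LIKE '%\mshta.exe' THEN 1 ELSE 0 END AS risky_executable_flag,
        CASE WHEN lnk.combined_command LIKE '% -NoP %'
               OR lnk.combined_command LIKE '% -W Hidden %'
               OR lnk.combined_command LIKE '% -e %JAB%'
               OR lnk.combined_command LIKE '%.downloadstring(%' THEN 1 ELSE 0 END AS suspicious_arguments_flag,
        CASE WHEN lnk.combined_command LIKE '%http://%'
               OR lnk.combined_command LIKE '%https://%' THEN 1 ELSE 0 END AS http_download_flag,
        -- SQLite literals have no escape character: '\\' is two literal backslashes
        CASE WHEN lnk.combined_command LIKE '% \\%'
               OR lnk.shortcut_start_in LIKE '\\%' THEN 1 ELSE 0 END AS unc_path_flag,
        CASE WHEN LENGTH(lnk.shortcut_comment) > 250 THEN 1 ELSE 0 END AS large_arguments_flag
    FROM lnk_files lnk
)
SELECT f.filename, h.sha256, sb.sid AS shellbags_sid, f.large_size_flag,
       f.startup_persistence_flag, f.risky_executable_flag, f.suspicious_arguments_flag,
       f.http_download_flag, f.unc_path_flag, f.large_arguments_flag
FROM flagged f
LEFT JOIN hash h ON h.path = f.path
LEFT JOIN shellbags sb ON sb.path = f.shortcut_start_in
WHERE f.large_size_flag + f.startup_persistence_flag + f.risky_executable_flag
    + f.suspicious_arguments_flag + f.http_download_flag + f.unc_path_flag
    + f.large_arguments_flag > 0
  AND (f.startup_persistence_flag = 1
       OR f.filename NOT IN ('Excel.lnk', 'Word.lnk', 'PowerPoint.lnk', 'Outlook.lnk'))
ORDER BY f.startup_persistence_flag DESC, f.risky_executable_flag DESC, f.filename;
"""
FLAGS = ("large_size_flag", "startup_persistence_flag", "risky_executable_flag",
         "suspicious_arguments_flag", "http_download_flag", "unc_path_flag",
         "large_arguments_flag")

def run_query(rows=ROWS, hashes=HASHES, shellbags=SHELLBAGS):
    """Load the constructed rows and return {filename: row dict} in query order."""
    con = sqlite3.connect(":memory:")
    con.row_factory = sqlite3.Row
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO file VALUES (?,?,?,?,?,?,?)", rows)
    con.executemany("INSERT INTO hash VALUES (?,?)", hashes)
    con.executemany("INSERT INTO shellbags VALUES (?,?)", shellbags)
    return {r["filename"]: dict(r) for r in con.execute(QUERY)}

def like_matches(pattern, value):
    """Evaluate `value LIKE pattern` exactly as SQLite (and so osquery) does."""
    return bool(sqlite3.connect(":memory:").execute(
        "SELECT ? LIKE ?", (value, pattern)).fetchone()[0])
```

Calling run_query() returns three of the four constructed rows: the Startup PowerShell shortcut comes first with the persistence, risky-executable and suspicious-argument flags set and the shellbags SID attached through its start-in directory, while Word.lnk is dropped because no indicator fires and it is allowlisted anyway. like_matches(r"\\%", r"\\srv\share") is True and like_matches(r"\\\\%", r"\\srv\share") is False, which is the quickest way to confirm that a pattern written with four backslashes would silently never flag a UNC path.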


@tomsonpl tomsonpl marked this pull request as ready for review November 20, 2025 11:22
@tomsonpl tomsonpl requested a review from a team as a code owner November 20, 2025 11:22
@tomsonpl tomsonpl requested review from joeypoon and pzl and removed request for a team November 20, 2025 11:22
@elasticmachine
💚 Build Succeeded

@andrewkroh andrewkroh added Integration:osquery_manager Osquery Manager documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. labels Nov 20, 2025
@tomsonpl tomsonpl changed the title lnk artifact [Osquery_manager] LNK artifacts saved query Nov 20, 2025