attachment_lnk_file_with_embedded_content.yml

name: "Attachment: LNK with embedded content"
description: |
  Emotet has been observed to embed executable content within an LNK file to deliver and execute VBScript when launched.

  Similar research has demonstrated how this concept may be applied to deliver and launch an embedded executable via PowerShell.
references:
  - "https://forensicitguy.github.io/shortcut-to-emotet-ttp-change/"
  - "https://www.x86matthew.com/view_post?id=embed_exe_lnk"
type: "rule"
authors:
  - twitter: "ajpc500"
severity: "high"
source: |
  type.inbound
  and (
    any(attachments,
        .file_extension == "lnk"
        and any(file.explode(.),
                .file_extension =~ "lnk"
                and any(.scan.exiftool.fields, (.key == "TargetFileSize" and .value == "0"))
                and any(.scan.exiftool.fields,
                        (
                          .key == "CommandLineArguments"
                          and strings.ilike(.value, "*findstr*", "*sc $path*", "*Set-Content*")
                        )
                )
        )
    )
  )
tags:
  - "Malfam: Emotet"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Exploit"
  - "LNK"
  - "Scripting"
detection_methods:
  - "Content analysis"
  - "Exif analysis"
  - "File analysis"
id: "41452f7a-c77d-5259-a5fb-91b1b4419364"