
Rule Info
Name
Suspicious LNK Command-Line Padding with Whitespace Characters
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects exploitation of the LNK file command-line length discrepancy: Windows Explorer's properties dialog shows only the first 260 characters of the target command line, while the actual command-line argument field in the file supports 4096 characters, so attackers use whitespace padding (e.g., 0x20, 0x09-0x0D) to hide malicious commands beyond the UI limit.
Adversaries insert non-printable whitespace characters (e.g., Line Feed \x0A, Carriage Return \x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary.
The hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion—commonly used for social engineering attacks.
This rule flags suspicious use of such padding as observed in real-world attacks.
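As an added example (not code from the rule page or the Sigma project), the following Python walks a .lnk byte string per the MS-SHLLINK layout, pulls out the COMMAND_LINE_ARGUMENTS StringData, and applies the check the description implies: a long run of the named whitespace characters that pushes non-blank content past the 260-character boundary. The `min_run` threshold, the cp1252 fallback for non-Unicode strings, and `build_sample_lnk` (a constructed minimal shortcut used only to exercise the parser) are assumptions of this example.

```python
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1); StringData sections follow in this fixed order
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_DATA_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # Name, RelativePath, WorkingDir, Arguments, IconLocation
HAS_ARGUMENTS = 0x20
UI_VISIBLE_LIMIT = 260                            # characters the Explorer properties dialog shows
PAD_CHARS = {0x20, 0x09, 0x0A, 0x0B, 0x0C, 0x0D}  # whitespace named in the rule description
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046


def extract_lnk_arguments(data: bytes) -> str:
    """Walk a .lnk byte string and return its COMMAND_LINE_ARGUMENTS text ("" if absent)."""
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLinkHeader")
    flags, = struct.unpack_from("<I", data, 20)
    pos = header_size
    if flags & HAS_ID_LIST:                       # skip LinkTargetIDList: u16 size + item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # skip LinkInfo: u32 total size includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    for flag in STRING_DATA_FLAGS:
        if not flags & flag:
            continue
        count, = struct.unpack_from("<H", data, pos)  # CountCharacters, not bytes
        pos += 2
        nbytes = count * 2 if unicode else count
        raw, pos = data[pos:pos + nbytes], pos + nbytes
        if flag == HAS_ARGUMENTS:
            # assumption: non-Unicode strings are in the Western system code page
            return raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return ""


def padding_verdict(args: str, min_run: int = 64) -> dict:
    """Flag arguments where a long whitespace run pushes content past the UI-visible boundary."""
    longest = run = 0
    for ch in args:
        run = run + 1 if ord(ch) in PAD_CHARS else 0
        longest = max(longest, run)
    hidden = args[UI_VISIBLE_LIMIT:].strip()      # whatever Explorer's dialog would not show
    return {"length": len(args), "longest_ws_run": longest, "hidden_tail": hidden,
            "suspicious": longest >= min_run and bool(hidden)}


def build_sample_lnk(args: str) -> bytes:
    """Constructed minimal .lnk: header with HasArguments|IsUnicode, no IDList/LinkInfo, one StringData."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_ARGUMENTS | IS_UNICODE) + bytes(0x4C - 24)
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")
```

Real shortcuts usually carry a LinkTargetIDList and LinkInfo before the StringData; the parser skips both using their own size fields, so the same function works on files pulled from a mailbox or download folder.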
Date
2025-03-19 00:00:00
Modified
None
Id
dd8756e7-a3a0-4768-b47e-8f545d1a751c
Tags
attack.initial-access attack.execution attack.t1204.002
Type
Community Rule
Link to Public Repo
Rule History
Author
Swachchhanda Shrawan Poudel
Title
Merge PR #5240 from @swachchhanda000 - Add `Suspicious LNK Command-Line Padding with Whitespace Characters`
Date
2025-04-17
Commit