Jan. 19, 2023, 2:30 p.m. | MalBot

Malware Analysis, News and Indicators - Latest topics malware.news


  • Adversaries’ shift toward Shell Link (LNK) files, likely sparked by Microsoft’s decision to block macros, provides the opportunity to capitalize on information that can be provided by LNK metadata.

  • Cisco Talos analyzed metadata in LNK files and correlated it with threat actors' tactics, techniques and procedures to identify and track threat actor activity. This report outlines our research on Qakbot and Gamaredon as examples.

  • Talos also used LNK file metadata to identify relationships among different threat actors. In this report …
