In a good post on SANS ISC InfoSec Forum, Jan Kopriva shows how windows explorer shell links could be used by an attacker in order to download malicious payloads.

Probably anyone who has used any modern version of Windows is aware of their file-based shortcuts, also known as LNKs or Shell Link files. Although they were intended as a simple feature to make Windows a bit more user-friendly, over the years, a significant number [2] of vulnerabilities were identified in handling of LNKs.

In the article [1], Kopriva further explains how ax external icon in .LNK file may be used in order to starts a connection to an untrusted host in order to capture hashes/use the requests for SMB relay attack:

It has been known for some time [3] that even on fully patched systems, Windows still handles Shell Link files with externally loaded icons in an interesting (and quite unsafe) way. Specifically, the OS won’t just load external icon files from local drives, but it will try to do so from remote paths specified in a UNC format as well. What is less known is that the OS will try to do the same even for paths specified as URLs. This means that every time Windows tries to load the icon (it will do so when the LNK file is displayed by File Explorer), a remote connection will be initiated by it to a remote machine and if the icon specified by the UNC or URL path exists, it will be downloaded and displayed.

I recommend you to read the whole article [1], it's really useful.


  1. Using Shell Links as zero-touch downloaders and to initiate network connections
  3. You down with LNK? | Trustwave | SpiderLabs | Trustwave