LNK File Forensics: Pivot Targets and Remote Host Artifacts
Cybersecurity
Windows Shell Link files record volume serial numbers, NetBIOS names, and MAC addresses of remote hosts where files were accessed. A single LNK file can name a pivot target the attacker never intended to leave behind.
By Arjun Raghavan, Security & Systems Lead, BIPI · October 21, 2024 · 8 min read
Windows Shell Link files (.lnk) are automatically created by the Windows Shell whenever a user opens a file from a remote share, a USB drive, or any location other than the local volume. They are stored under C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\ and in application-specific jump list folders. From a DFIR perspective, their value lies not in what they link to, but in the metadata they embed about the source host and volume.
LNK Internal Structure
A Shell Link binary file (documented in Microsoft's [MS-SHLLINK] specification) consists of a ShellLinkHeader, an optional LinkTargetIDList, an optional LinkInfo block, StringData, and ExtraData. The LinkInfo block is where the forensic gold is buried. It contains a VolumeID structure (including volume type, volume serial number, and volume label) and a LocalBasePath or NetworkShareName depending on whether the target was local or remote.
- VolumeSerialNumber: 32-bit identifier unique to the target volume; it does not survive a reformat unless the serial is explicitly set again
- NetBIOS name: the hostname of the remote machine from which the file was accessed
- MAC address: stored in the SpecialFolderDataBlock or TrackerDataBlock as part of the Darwin/Tracker extension
- Target file size: size of the linked file at the time the LNK was created
- Target timestamps: Modified, Accessed, and Created times of the linked file at LNK creation time
Extracting Remote Host Identifiers
The TrackerDataBlock (ExtraData with signature 0xA0000003) contains two sets of distributed link tracking data: one for the local machine that created the LNK and one for the machine where the target file lives. Each set includes a machine ID (NetBIOS name, truncated to 16 characters) and a machine GUID recorded as a DROID (Distributed and Remote Object Identifier). In spearphishing investigations, this reveals which workstation the attacker opened the decoy document from.
- Collect Recent\ and Jump Lists directories using KAPE (JumpLists and LNKFiles targets)
- Parse with LECmd.exe: LECmd.exe -d C:\Users\victim\AppData\Roaming\Microsoft\Windows\Recent\ --csv C:\output\
- Review the NetworkShareName column for UNC paths revealing target hostnames
- Review the MachineID column in TrackerDataBlock for remote NetBIOS names
- Correlate VolumeSerialNumber across multiple LNK files to confirm they point to the same target volume
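To show concretely where these identifiers sit in the binary layout described above, here is an added example (not from the original article, and not LECmd's code) that walks an MS-SHLLINK file and pulls out the DriveSerialNumber, the UNC NetName, the TrackerDataBlock MachineID, and the MAC address that a version-1 DROID GUID carries in its node field. The sample LNK is constructed inline, and the host name, share, serial and MAC in it are made up.

```python
import struct
import uuid

HEADER_SIZE, TRACKER_SIG = 0x4C, 0xA0000003   # ShellLinkHeader size, TrackerDataBlock signature
def _cstr(buf, off):
    """Read the NUL-terminated ANSI string starting at buf[off]."""
    return buf[off:buf.index(b"\x00", off)].decode("ascii", "replace")

def parse_lnk(data):
    """Return volume serial, UNC share, TrackerDataBlock MachineID and the MAC inside a v1 file DROID."""
    flags = struct.unpack_from("<I", data, 20)[0]            # LinkFlags
    out, pos = {}, HEADER_SIZE
    if flags & 0x01:                                         # HasLinkTargetIDList: skip it
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:                                         # HasLinkInfo
        li_size, _, li_flags, vol_off, _, cnrl_off = struct.unpack_from("<6I", data, pos)
        if li_flags & 0x01:                                  # VolumeIDAndLocalBasePath
            out["volume_serial"] = "%08X" % struct.unpack_from("<I", data, pos + vol_off + 8)[0]
        if li_flags & 0x02:                                  # CommonNetworkRelativeLink -> NetName
            cnrl = pos + cnrl_off
            out["net_name"] = _cstr(data, cnrl + struct.unpack_from("<I", data, cnrl + 8)[0])
        pos += li_size
    for bit in range(2, 7):          # StringData: NAME, RELATIVE_PATH, WORKING_DIR, ARGUMENTS, ICON_LOCATION
        if flags & (1 << bit):
            pos += 2 + struct.unpack_from("<H", data, pos)[0] * (2 if flags & 0x80 else 1)
    while pos + 8 <= len(data):                              # ExtraData blocks up to the TerminalBlock
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:
            break
        if sig == TRACKER_SIG:
            out["machine_id"] = _cstr(data, pos + 16)        # 16-byte NetBIOS MachineID
            file_droid = uuid.UUID(bytes_le=data[pos + 48:pos + 64])   # second GUID of Droid
            if file_droid.version == 1:                      # v1 UUID: node field holds the NIC MAC
                out["mac"] = ":".join(("%012x" % file_droid.node)[i:i + 2] for i in range(0, 12, 2))
        pos += size
    return out

def build_sample_lnk():
    """Constructed sample (not a captured file): link to \\\\FS01\\share\\docs\\roster.xlsx from WKSTN-ACCT-07."""
    hdr = struct.pack("<I", HEADER_SIZE) + uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
    hdr += struct.pack("<IIQQQIIIHHII", 0x02 | 0x80, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # HasLinkInfo|IsUnicode
    vol = struct.pack("<4I", 17, 3, 0x1A2B3C4D, 16) + b"\x00"      # DRIVE_FIXED, serial 1A2B3C4D, empty label
    lbp, net, suffix = b"C:\\\x00", b"\\\\FS01\\share\x00", b"docs\\roster.xlsx\x00"
    cnrl = struct.pack("<5I", 20 + len(net), 0, 20, 0, 0) + net      # NetNameOffset = 0x14
    offs = [28, 28 + len(vol), 28 + len(vol) + len(lbp), 28 + len(vol) + len(lbp) + len(cnrl)]
    linkinfo = struct.pack("<7I", 28 + len(vol + lbp + cnrl + suffix), 28, 0x03, *offs) + vol + lbp + cnrl + suffix
    vol_droid = uuid.UUID("6f2a7d1e-0c4b-4a9e-8f21-3b5d7e9a1c2f").bytes_le
    file_droid = uuid.UUID("1c2d3e4f-5a6b-11ef-9d00-001122334455").bytes_le   # version 1, node = made-up MAC
    tracker = (struct.pack("<4I", 0x60, TRACKER_SIG, 0x58, 0) + b"WKSTN-ACCT-07".ljust(16, b"\x00")
               + vol_droid + file_droid + vol_droid + file_droid)              # Droid + DroidBirth
    return hdr + linkinfo + tracker + struct.pack("<I", 0)                  # TerminalBlock
```

The same walk applies to the LNK entries embedded in Jump Lists once they are extracted from the OLE container; a DROID whose version nibble is not 1 yields no MAC, which is why the parser checks it before decoding the node field.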
Spearphishing Pivot Analysis
In a spearphishing scenario, the victim opens a malicious .docx delivered via email. The file is saved to Downloads. If the attacker's payload subsequently accesses files on a remote C2 share via a UNC path, the resulting LNK files on the victim machine will contain the share path and the C2 host's NetBIOS name. This is an unintended artifact of the Windows Shell's automatic LNK creation behavior.
Jump Lists as an Extension
Jump Lists (AutomaticDestinations and CustomDestinations files under their respective subfolders of AppData\Roaming\Microsoft\Windows\Recent\, e.g. Recent\AutomaticDestinations\) are OLE Compound Document files containing embedded LNK entries for recently accessed files, grouped by application AppID. Each embedded LNK retains the same TrackerDataBlock and LinkInfo structures. JLECmd.exe (Zimmerman) parses these and produces a CSV with the same remote host columns as LECmd.
- AutomaticDestinations: auto-populated by the Shell for recently opened files per application
- CustomDestinations: populated by applications explicitly pinning items to the taskbar
- AppID: 16-character hex identifier mapping the jump list to a specific application
- JLECmd.exe: parses both AutomaticDestinations and CustomDestinations, extracts embedded LNK metadata
Reconstructing Attacker File Access
Combine LECmd and JLECmd output in Timeline Explorer. Sort by TargetModified timestamp to see the sequence in which files were accessed. A burst of LNK creation events pointing to a network share within a narrow time window indicates automated file enumeration or staging activity, not a user manually browsing. Correlate these timestamps with USN Journal records on the same host to confirm which files were subsequently modified or deleted.
Every time Windows creates a shortcut automatically, it records a forensic breadcrumb about the source. Remote share paths, host names, and volume identifiers survive long after the attacker scrubs their tracks on the source machine.