
DET0405 Detection Strategy for LNK Icon Smuggling

Item            Value
ID              DET0405
Version         1.0
Created         21 October 2025
Last Modified   21 October 2025

Technique Detected: T1027.012 (LNK Icon Smuggling)

Analytics

Windows

AN1134

Correlates the launch of a Windows shortcut (.lnk) file with what happens next in the launched process and its children: extraction of the payload hidden in or referenced by the shortcut's icon resource, an outbound connection or DNS query to fetch it, and the appearance of a dropped file that is then executed. In LNK icon smuggling the icon reference is the delivery channel, so a shortcut launched from a user-facing parent (for example explorer.exe) that is followed within a short window by external network activity or a newly written payload is the signal of interest.

Log Sources
Data Component                         Name                 Channel
Process Creation (DC0032)              WinEventLog:Sysmon   EventCode=1
File Metadata (DC0059)                 WinEventLog:Sysmon   EventCode=15
Network Connection Creation (DC0082)   WinEventLog:Sysmon   EventCode=3, 22
Mutable Elements
Field               Description
ParentProcessName   Can be tuned to focus on common launcher processes such as explorer.exe or winword.exe.
DestinationIP       Filtered to exclude known-good domains and internal IP ranges to reduce false positives.
TimeWindow          The interval between LNK execution and the subsequent suspicious activity varies with any delay the adversary builds in; widen or narrow to taste.
FileExtension       Can be used to focus on .lnk files only, or to also track associated dropped payloads such as .dat or .exe.
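The following is an added example, not code from DET0405 or the AN1134 analytic as published: a small offline correlation over Sysmon-style events that implements the idea of AN1134 with the four mutable elements above exposed as parameters (launcher parents, an allowlist for the DestinationIP/domain filter, the time window, and the extensions to watch). Field names follow Sysmon's event schema; the sample events, process GUIDs, paths, hostname and IP addresses are constructed for the example, and the LNK_TARGETS set and the RFC 1918 "internal" ranges are assumptions a deployment would tune.

```python
"""Correlate an LNK launch (Sysmon Event 1) with follow-on DNS (22), network (3)
and file-stream (15) events in the launched process or its direct children.
Added example for DET0405/AN1134; field names follow Sysmon's schema."""
import ipaddress
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

SYSMON_TS = "%Y-%m-%d %H:%M:%S.%f"  # Sysmon UtcTime format

# Assumption: images a weaponised LNK commonly points at. When explorer.exe
# launches a shortcut the .lnk path is usually absent from the child's command
# line, so the target image is the more reliable signal.
LNK_TARGETS = {"cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe",
               "wscript.exe", "cscript.exe"}

# Assumption: "internal IPs" for the DestinationIP filter are RFC 1918 + loopback.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def _basename(path):
    return PureWindowsPath(path).name.lower() if path else ""


def _is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def _stream_base(target):
    # Event 15 names look like C:\dir\file.dat:Zone.Identifier; drop the stream part.
    drive, _, rest = target.partition(":")
    return drive + ":" + rest.split(":", 1)[0]


def is_lnk_launch(ev, launcher_parents, extensions):
    """Event 1 spawned by a launcher that references a .lnk or a typical LNK target."""
    if ev["EventCode"] != 1 or _basename(ev.get("ParentImage")) not in launcher_parents:
        return False
    cmd = ev.get("CommandLine", "").lower()
    return any(ext in cmd for ext in extensions) or _basename(ev.get("Image")) in LNK_TARGETS


def correlate_lnk_launches(events, launcher_parents=("explorer.exe", "winword.exe"),
                           allowlist=frozenset(), window_seconds=300,
                           extensions=(".lnk",), dropped_extensions=(".dat", ".exe", ".dll")):
    """One alert per LNK launch followed, inside the window and within the launched
    process or its children, by an external connection, a DNS query, or a dropped
    file whose extension is being tracked."""
    events = sorted(events, key=lambda e: e["UtcTime"])
    parents = {p.lower() for p in launcher_parents}
    allow = {a.lower() for a in allowlist}
    alerts = []
    for launch in (e for e in events if is_lnk_launch(e, parents, extensions)):
        t0 = datetime.strptime(launch["UtcTime"], SYSMON_TS)
        deadline = t0 + timedelta(seconds=window_seconds)
        guids = {launch["ProcessGuid"]}  # launched process plus its direct children
        evidence = []
        for ev in events:
            t = datetime.strptime(ev["UtcTime"], SYSMON_TS)
            if t < t0 or t > deadline:
                continue
            if ev["EventCode"] == 1 and ev.get("ParentProcessGuid") in guids:
                guids.add(ev["ProcessGuid"])
            if ev.get("ProcessGuid") not in guids:
                continue
            if ev["EventCode"] == 3:
                ip = ev.get("DestinationIp", "")
                if ip and ip not in allow and not _is_internal(ip):
                    evidence.append(("network", ip))
            elif ev["EventCode"] == 22:
                name = ev.get("QueryName", "").lower()
                if name and name not in allow:
                    evidence.append(("dns", name))
            elif ev["EventCode"] == 15:
                base = _stream_base(ev.get("TargetFilename", "")).lower()
                if base.endswith(tuple(dropped_extensions)):
                    evidence.append(("file", base))
        if evidence:
            alerts.append({"launch": launch["CommandLine"],
                           "parent": _basename(launch["ParentImage"]),
                           "evidence": evidence})
    return alerts


# Constructed sample telemetry (not real events): one shortcut launched from
# explorer.exe that spawns cmd.exe -> powershell.exe, resolves a host, connects
# out and writes a .dat payload; then a benign notepad.exe launch that only
# talks to an internal address.
SAMPLE_EVENTS = [
    {"EventCode": 1, "UtcTime": "2025-10-21 14:03:07.100", "ProcessGuid": "{A1}",
     "ParentProcessGuid": "{E0}", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c start "" C:\Users\u\Downloads\Invoice.lnk'},
    {"EventCode": 22, "UtcTime": "2025-10-21 14:03:08.000", "ProcessGuid": "{A1}",
     "QueryName": "cdn.example.net"},
    {"EventCode": 1, "UtcTime": "2025-10-21 14:03:08.500", "ProcessGuid": "{A2}",
     "ParentProcessGuid": "{A1}", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c ..."},
    {"EventCode": 3, "UtcTime": "2025-10-21 14:03:09.200", "ProcessGuid": "{A2}",
     "DestinationIp": "203.0.113.10"},
    {"EventCode": 15, "UtcTime": "2025-10-21 14:03:10.000", "ProcessGuid": "{A2}",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\icon.dat:Zone.Identifier"},
    {"EventCode": 1, "UtcTime": "2025-10-21 14:10:00.000", "ProcessGuid": "{B1}",
     "ParentProcessGuid": "{E0}", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
    {"EventCode": 3, "UtcTime": "2025-10-21 14:10:01.000", "ProcessGuid": "{B1}",
     "DestinationIp": "10.0.0.5"},
]

if __name__ == "__main__":
    for alert in correlate_lnk_launches(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the function raises a single alert for the Invoice.lnk launch with three pieces of evidence (DNS, external connection, dropped .dat) and stays quiet on the notepad launch; passing the hostname and IP in `allowlist`, or shrinking `window_seconds`, suppresses it, which is the tuning the mutable elements describe. The child-process tracking matters in practice because the shortcut's target is often just a stager (cmd.exe) and the download happens one hop down.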