Executing the lnk file using the LNK Stomping attack technique
Windows shortcut files (.LNK) were designed to simplify user navigation, but for years they've been a favorite tool in the attacker's arsenal. With Microsoft tightening macro-blocking policies in 2022, adversaries increasingly shifted toward alternative formats like ISO, RAR, and especially LNK files to deliver malicious payloads.
According to AhnLab researchers, "LNK files are commonly distributed via email attachments or embedded within compressed archives. When executed, they often invoke trusted system utilities like PowerShell, cmd.exe, or mshta.exe, making the payload execution appear as legitimate system activity."
A particularly insidious technique known as LNK Stomping was disclosed in 2024 by Elastic Security Labs and later detailed in AhnLab's research. The vulnerability, tracked as CVE-2024-38217, abuses Windows Explorer's path normalization process to bypass the Mark of the Web (MoTW), a crucial safeguard that labels files downloaded from the Internet.
As the report explains, "LNK Stomping is an attack that manipulates the actual execution program path of a Windows shortcut file (.lnk) with an abnormal target path or internal structure. It then prompts explorer.exe to remove the MoTW metadata during the 'normalization (Canonicalization)' process, thereby bypassing security checks."
This means that a malicious LNK file, once clicked, can shed its warning label before SmartScreen or Smart App Control (SAC) policies even have the chance to intervene.
AhnLab identifies several abnormal target structures that trigger this behavior:
- PathSegment Type: the entire target path is embedded in a single IDList item instead of one item per path segment, which is a structural error.
- Dot Type: a period (.) or space is appended to the end of the target path so that normal validation fails.
- Relative Type: the target references only a file name rather than a full, drive-anchored path.
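The three structures above can be checked for in a shortcut file before it is ever opened. The following Python scanner is an added example, not code from the article, AhnLab or Elastic: it parses the ShellLinkHeader, LinkTargetIDList and StringData sections described in MS-SHLLINK and reports which of the three patterns a shortcut's target exhibits. The function names, the simplified shell item layouts in `classify_item`, and the fixture bytes built at the bottom are my own assumptions (the fixtures are minimal test inputs for the parser, with zeroed timestamps and no extension blocks, not shortcuts produced by Explorer).

```python
"""Heuristic LNK Stomping scanner over MS-SHLLINK structures (added example).

Flags the three abnormal target layouts named in the text: PathSegment
(whole path in one ItemID), Dot (trailing '.' or ' '), Relative (bare name).
Shell item parsing is simplified; fixtures are constructed, not real shortcuts.
"""
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1), lowest byte only
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = [(0x04, "NAME"), (0x08, "RELATIVE_PATH"), (0x10, "WORKING_DIR"),
                (0x20, "ARGUMENTS"), (0x40, "ICON_LOCATION")]


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, the raw ItemIDs of the LinkTargetIDList and StringData."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("missing ShellLinkHeader")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("wrong LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos, items, strings = 76, [], {}
    if flags & HAS_ID_LIST:
        end = pos + 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize
        pos += 2
        while pos + 2 <= end:
            size = struct.unpack_from("<H", data, pos)[0]       # ItemIDSize incl. itself
            if size < 2:                        # TerminalID (0x0000) closes the IDList
                break
            items.append(data[pos + 2:pos + size])
            pos += size
        pos = end
    if flags & HAS_LINK_INFO:                   # LinkInfoSize is its first DWORD
        pos += struct.unpack_from("<I", data, pos)[0]
    for bit, name in STRING_FLAGS:              # CountCharacters, then the characters
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            strings[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += count * width
    return {"flags": flags, "items": items, "strings": strings}


def classify_item(item: bytes) -> tuple:
    """Map an ItemID to (kind, name) from its class type byte (simplified layouts)."""
    if not item:
        return "empty", ""
    cls = item[0]
    if cls == 0x1F:                             # root folder item (CLSID follows)
        return "root", ""
    if cls & 0x70 == 0x20:                      # volume item: "C:\" as NUL-terminated ASCII
        return "volume", item[1:].split(b"\0", 1)[0].decode("ascii", "replace")
    if cls & 0x70 == 0x30:                      # file entry: 12-byte fixed part, then primary name
        return "file", item[12:].split(b"\0", 1)[0].decode("cp1252", "replace")
    return "other", ""


def lnk_stomping_indicators(data: bytes) -> list:
    """Return the LNK Stomping structure types present in the shortcut's target."""
    info = parse_lnk(data)
    kinds = [classify_item(i) for i in info["items"]]
    files = [name for kind, name in kinds if kind == "file"]
    anchored = any(kind in ("root", "volume") for kind, _ in kinds)
    found = []
    if any("\\" in n for n in files):           # PathSegment: a whole path inside one ItemID
        found.append("PathSegment")
    if files and files[-1] != files[-1].rstrip(". "):   # Dot: trailing '.' or ' ' on the target
        found.append("Dot")
    if (files and not anchored and "PathSegment" not in found) or \
            (not files and "RELATIVE_PATH" in info["strings"]):   # Relative: no drive anchor
        found.append("Relative")
    return found


# --- constructed fixtures (simplified shell items, zeroed timestamps) ---
def _file_entry(name: str) -> bytes:
    body = bytes([0x32, 0]) + b"\0" * 10 + name.encode("cp1252") + b"\0"
    body += b"\0" * (len(body) % 2)             # items are padded to an even length
    return struct.pack("<H", len(body) + 2) + body


def _volume(letter: str) -> bytes:
    body = bytes([0x2F]) + f"{letter}:\\".encode("ascii") + b"\0"
    return struct.pack("<H", len(body) + 2) + body


def build_lnk(items: list) -> bytes:
    id_list = b"".join(items) + b"\0\0"         # TerminalID
    header = struct.pack("<I", 0x4C) + LNK_CLSID.bytes_le + struct.pack("<I", HAS_ID_LIST) + b"\0" * 52
    return header + struct.pack("<H", len(id_list)) + id_list


NORMAL = build_lnk([_volume("C"), _file_entry("Windows"), _file_entry("System32"), _file_entry("notepad.exe")])
DOT_TYPE = build_lnk([_volume("C"), _file_entry("Windows"), _file_entry("notepad.exe.")])
PATHSEGMENT_TYPE = build_lnk([_file_entry("C:\\Windows\\System32\\notepad.exe")])
RELATIVE_TYPE = build_lnk([_file_entry("notepad.exe")])

if __name__ == "__main__":
    for label, blob in [("normal", NORMAL), ("dot", DOT_TYPE), ("pathsegment", PATHSEGMENT_TYPE), ("relative", RELATIVE_TYPE)]:
        print(f"{label:12s} -> {lnk_stomping_indicators(blob) or ['clean']}")
```

The scanner reads only the IDList and StringData, which is where the abnormal target lives; it deliberately does not resolve or execute the target, so it can run on quarantined attachments or archive contents. A production detector would also compare the IDList target against the LinkInfo and RelativePath fields, since a mismatch between them is another sign that the shortcut was hand-built rather than created by Explorer.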
When tested under Windows 10 with SAC and SmartScreen enabled, the difference was striking. "First, when an LNK file without the LNK Stomping is executed, the file is blocked from being executed according to the SAC policy due to MoTW. However, when an LNK file with the LNK Stomping is used under the same conditions, the intended behavior is executed without being blocked."
Although no single threat group has been officially linked to CVE-2024-38217, public samples suggest that attackers have been experimenting with this technique for years. Joe Desimone of Elastic Security Labs identified multiple samples exhibiting LNK Stomping patterns on VirusTotal. Notably, the oldest submission dates back six years (as of August 6, 2024).
The vulnerability's addition to the CISA Known Exploited Vulnerabilities (KEV) catalog on September 10, 2024, confirms that it is being used in the wild, with Rapid7 and other security firms warning about its active abuse.
AhnLab concludes: "Attacks abusing LNK files have become a persistent threat rather than a one-time trend. Techniques like LNK Stomping demonstrate how adversaries continue to refine evasion methods to bypass modern security controls."