From 26a559bac6699565e4b0d4839211ed2a5e44a569 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Sun, 1 Feb 2026 11:19:53 +0100
Subject: [PATCH] feat(rules): Add Embedded script execution via shortcut file rule
Detects execution of embedded scripts delivered via Windows shortcut (.lnk) files. Adversaries can exploit the attack chain where a shortcut file is accessed by a scripting or command interpreter, followed by the creation of a payload in user-writable locations and the subsequent execution of a script.
---
 ...ded_script_execution_via_shortcut_file.yml | 61 +++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 rules/execution_embedded_script_execution_via_shortcut_file.yml
diff --git a/rules/execution_embedded_script_execution_via_shortcut_file.yml b/rules/execution_embedded_script_execution_via_shortcut_file.yml
new file mode 100644
index 000000000..4821342d9
--- /dev/null
+++ b/rules/execution_embedded_script_execution_via_shortcut_file.yml
@@ -0,0 +1,61 @@
+name: Embedded script execution via shortcut file
+id: 2d94a68b-03fe-4ece-9a99-f4de8ff7261d
+version: 1.0.0
+description: |
+ Detects execution of embedded scripts delivered via Windows shortcut (.lnk) files.
+ Adversaries can exploit the attack chain where a shortcut file is accessed by a
+ scripting or command interpreter, followed by the creation of a payload in
+ user-writable locations and the subsequent execution of a script.
+labels:
+ tactic.id: TA0002
+ tactic.name: Execution
+ tactic.ref: https://attack.mitre.org/tactics/TA0002/
+ technique.id: T1204
+ technique.name: User Execution
+ technique.ref: https://attack.mitre.org/techniques/T1204/
+ subtechnique.id: T1204.002
+ subtechnique.name: Malicious File
+ subtechnique.ref: https://attack.mitre.org/techniques/T1204/002/
+references:
+ - https://unit42.paloaltonetworks.com/lnk-malware/
+ - https://github.com/knight0x07/Lnk2Vbs/blob/main/lnk2vbs.py
+
+condition: >
+ sequence
+ maxspan 1m
+ by ps.sessionid
+ |open_file and
+ ps.name iin ('cmd.exe', 'findstr.exe', 'find.exe', 'powershell.exe', 'pwsh.exe') and
+ file.path imatches '?:\\*.lnk'
+ |
+ |create_file and
+ ps.name iin ('cmd.exe', 'powershell.exe', 'pwsh.exe') and
+ file.path imatches
+ (
+ '?:\\Users\\*\\AppData\\Local\\*',
+ '?:\\Users\\*\\AppData\\LocalLow\\*',
+ '?:\\Users\\*\\AppData\\Roaming\\*',
+ '?:\\Users\\Public\\*'
+ )
+ |
+ |spawn_process and
+ ps.name iin
+ (
+ 'wscript.exe',
+ 'mshta.exe',
+ 'powershell.exe',
+ 'pwsh.exe',
+ 'cmd.exe',
+ 'connhost.exe',
+ 'rundll32.exe',
+ 'forfiles.exe',
+ 'wmic.exe',
+ 'msbuild.exe'
+ )
+ |
+action:
+ - name: kill
+
+severity: high
+
+min-engine-version: 3.0.0
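Review bot: `'connhost.exe'` in the spawn_process stage is not the name of a standard Windows binary (conhost.exe is), so that entry never matches the legitimate process and reads as a typo; if conhost.exe was intended the fix is `'conhost.exe',`, but measure the event volume that adds before shipping it, and if the misspelled lookalike name was deliberate a one-line comment saying so would stop the next reader from "fixing" it. In the same stage the interpreter list is matched against `ps.name`, which in the first two stages denotes the process performing the file open/create; if `ps.name` on a spawn_process event likewise denotes the emitting (parent) process rather than the new child, the list belongs on the child-name field instead — worth confirming against the engine's field semantics. A comment on which process the `kill` action terminates in a three-stage sequence (the final spawned process, or the interpreter that owns the session) would help operators judge the blast radius before enabling a `severity: high` rule with an active response.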