MITRE ATT&CK® Analytic

AN1134: Analytic 1134

Correlates LNK file execution with embedded resource extraction or suspicious network activity following initial launch, often leading to payload delivery via disguised icons.

Domain: Enterprise | ID: AN1134 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Analytic 1134 is a Windows-focused detection analytic for cases where a shortcut file (LNK) is launched and is followed by embedded resource extraction or suspicious network activity. For leaders, the practical value is that shortcut-based launches can look like normal user activity unless SOC teams correlate the initial LNK execution with what happens next. This matters for reducing dwell time around user-driven payload delivery paths and for validating whether endpoint and network telemetry can connect the first click to follow-on behavior.

Executive priority

Treat this as a coverage-validation item for Windows endpoint monitoring and incident triage readiness. The business question is not simply whether LNK files are seen, but whether the security program can prove when an apparently routine shortcut launch leads to resource extraction or outbound network behavior. This can support better incident decision-making, audit evidence for monitoring controls, and prioritization of endpoint/network logging investments.

Technical view

For SOC and detection engineering teams, validate correlation logic that links a Windows LNK launch to subsequent extraction of embedded resources or suspicious network activity. Because the supplied analytic object carries no detection implementation or tactic mapping, teams must define locally: the timing window between launch and follow-on activity, the expected parent/child process lineage (for example explorer.exe spawning a script interpreter), file-system indicators of extracted content, and network criteria that separate suspicious follow-on connections from normal shortcut use. Incident responders should ensure investigations preserve the LNK artifact itself, the related process lineage, any extracted files, and the associated network connections.

Likely telemetry

  • Windows endpoint process execution and parent/child process lineage
  • File creation or modification events related to extracted resources or payload-like artifacts
  • LNK file metadata and execution context where available
  • Endpoint-to-network connection logs following the initial LNK launch
  • DNS, proxy, firewall, or EDR network telemetry associated with the launching process

Detection direction

  • Validate that telemetry can correlate an LNK launch with near-term file extraction and/or network activity rather than alerting on LNK presence alone.
  • Tune timing windows and process lineage rules to reduce noise from legitimate shortcuts, installers, and enterprise software launchers.
  • Review whether disguised icons or misleading shortcut presentation are visible in available forensic artifacts, but avoid relying on visual appearance alone.
  • Create triage guidance for analysts to capture the shortcut file, command context, extracted resources, and outbound destinations.
  • Account for the limitation that the supplied object carries no detection logic, tactics, or relationship context; the correlation rules above have to be defined, tested, and justified locally.

Mitigation priorities

  • Prioritize endpoint logging that preserves process lineage, file creation, and network activity on Windows systems.
  • Harden user-facing controls and security awareness around untrusted shortcut files where appropriate to the environment.
  • Use endpoint protection and policy controls to scrutinize shortcut-driven launches that create files or initiate unexpected network sessions.
  • Ensure incident response playbooks include collection and analysis of LNK artifacts and follow-on payload or network evidence.
  • Periodically test SOC visibility with benign simulations that validate correlation from shortcut execution through subsequent activity.

Analyst notes and limits

The supplied object is a detection analytic, not an ATT&CK technique. It describes a correlation pattern for Windows involving LNK execution followed by embedded resource extraction or suspicious network activity. No tactics, detection text, aliases, labels, or relationships were supplied, so the take is intentionally focused on coverage validation and telemetry requirements rather than attribution, exploit prevalence, or specific adversary procedures.

This assessment is limited to the official STIX fields, the MITRE external reference, and the absence of supplied relationships. It does not establish active exploitation, business exposure, specific malware families, guaranteed detection, or applicability beyond Windows. Local log availability, EDR behavior, network architecture, and user workflows are required to determine actual coverage and false-positive rates.

Official MITRE ATT&CK definition

Analytic 1134

Correlates LNK file execution with embedded resource extraction or suspicious network activity following initial launch, often leading to payload delivery via disguised icons.

The same entry is available on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate any related groups, software, data sources, and mitigations against official ATT&CK relationships (none are present in the current normalized data for this object) and against your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. Where Glexia retains multiple ATT&CK source imports, the snapshot table lists the same object across releases (hashes and MITRE timestamps) for comparison. For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 7c5a0d11a645e097...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 7c5a0d11a645…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN1134 (external source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.