DET0405: Detection Strategy for LNK Icon Smuggling
Analyst context for executives and security teams
This detection strategy matters because it is tied to LNK Icon Smuggling, a Windows-focused stealth technique where shortcut metadata can be abused to help malicious download activity pass content filters. For leaders, the practical issue is not the shortcut file itself; it is whether email, web, endpoint, and SOC processes can preserve and inspect enough shortcut metadata to recognize suspicious use before it becomes payload execution or a larger incident.
Executive priority
Prioritize this as a validation item for Windows endpoint and initial-access monitoring where shortcut files are common in user workflows. Ask whether controls inspect LNK metadata, whether SOC playbooks treat shortcut files as more than simple attachments, and whether incident responders can quickly determine if a shortcut attempted to retrieve external content. This supports operational resilience, audit evidence for monitoring coverage, and better prioritization of detections around stealthy content-filter bypass behavior.
Technical view
The ATT&CK detection strategy object itself does not provide official detection logic, platforms, or tactics. Its relationship context says it detects T1027.012, LNK Icon Smuggling, a Windows technique under stealth. SOC and detection engineering teams should therefore validate coverage around Windows shortcut files, especially metadata fields such as icon location/IconEnvironmentDataBlock, and correlate suspicious shortcut handling with external retrieval attempts and subsequent file or process activity. Treat this as a coverage assessment and tuning exercise rather than a ready-made analytic.
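The metadata fields named above (the ICON_LOCATION string and the IconEnvironmentDataBlock) can be checked directly rather than relying on extension or hash. The following is an added example, not code from MITRE or from this page's source object: a small MS-SHLLINK parser that walks the header, skips the LinkTargetIDList and LinkInfo structures, reads the StringData fields, and pulls the icon reference out of the IconEnvironmentDataBlock (signature 0xA0000007). It then flags icon references that begin with a URL scheme or a UNC prefix, since those would make the shortcut reach another host. The sample shortcuts are constructed in memory by `build_lnk`, a test helper that is also an assumption of this example; the `example.invalid` and documentation-range addresses are placeholders.

```python
"""Parse the icon-location metadata of a Windows shortcut (.LNK, MS-SHLLINK)
and flag values that reference a location outside the local host.
Added example; the sample shortcuts are constructed in memory, not real files."""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
ICON_ENV_SIGNATURE = 0xA0000007   # IconEnvironmentDataBlock
ICON_ENV_SIZE = 0x314             # 8-byte block header + 260 ANSI + 520 Unicode bytes
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
# URL scheme or UNC prefix: the icon would be fetched from another host.
REMOTE_REF = re.compile(r"^\s*(?:[a-z][a-z0-9+.-]*://|\\\\)", re.IGNORECASE)


def parse_lnk(data: bytes) -> dict:
    """Walk ShellLinkHeader -> LinkTargetIDList -> LinkInfo -> StringData -> ExtraData."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLinkHeader")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    result = {"flags": flags, "icon_environment": None}
    unicode = bool(flags & IS_UNICODE)
    for flag, name in STRING_FIELDS:             # CountCharacters + chars, no terminator
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        width = 2 if unicode else 1
        raw = data[off:off + count * width]
        off += count * width
        result[name] = raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")
    while off + 8 <= len(data):                  # ExtraData blocks until TerminalBlock (size < 4)
        size, sig = struct.unpack_from("<II", data, off)
        if size < 4:
            break
        if sig == ICON_ENV_SIGNATURE and size >= ICON_ENV_SIZE:
            ansi = data[off + 8:off + 268].split(b"\x00", 1)[0].decode("cp1252", errors="replace")
            uni = data[off + 268:off + 788].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
            result["icon_environment"] = uni or ansi
        off += size
    return result


def icon_findings(parsed: dict) -> list:
    """Return (field, value) pairs whose icon reference points off-host."""
    return [(f, parsed[f]) for f in ("icon_location", "icon_environment")
            if parsed.get(f) and REMOTE_REF.match(parsed[f])]


def build_lnk(icon_location=None, icon_env=None, unicode=True) -> bytes:
    """Construct a minimal shortcut for exercising the parser (test helper, assumption)."""
    flags = (IS_UNICODE if unicode else 0) | (HAS_ICON_LOCATION if icon_location is not None else 0)
    out = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    if icon_location is not None:
        enc = icon_location.encode("utf-16-le" if unicode else "cp1252")
        out += struct.pack("<H", len(icon_location)) + enc
    if icon_env is not None:
        out += struct.pack("<II", ICON_ENV_SIZE, ICON_ENV_SIGNATURE)
        out += icon_env.encode("cp1252")[:259].ljust(260, b"\x00")
        out += icon_env.encode("utf-16-le")[:518].ljust(520, b"\x00")
    return out + struct.pack("<I", 0)            # TerminalBlock


if __name__ == "__main__":
    samples = {
        "benign": build_lnk(r"%SystemRoot%\System32\shell32.dll", r"%SystemRoot%\System32\shell32.dll"),
        "unc_icon": build_lnk(icon_location=r"\\203.0.113.10\share\app.ico"),
        "url_icon_env": build_lnk(icon_env="http://icons.example.invalid/app.ico"),
    }
    for label, blob in samples.items():
        print(label, icon_findings(parse_lnk(blob)))
```

Both icon sources are checked because a shortcut may carry one, the other, or both; the same two-field check is the one to confirm an email or web gateway actually performs when the Detection direction below asks whether tooling parses LNK metadata. Legitimate enterprise shortcuts with UNC icon paths on internal file servers will match the UNC prefix, so an allowlist of internal hosts is the expected tuning step.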
Likely telemetry
- Windows endpoint file metadata for .LNK files, including shortcut target and icon location-related fields where available
- Email and web gateway records involving delivery or download of .LNK files
- Endpoint process creation and command-line telemetry following user interaction with shortcut files
- Network or proxy logs showing outbound retrieval activity associated with endpoints that handled .LNK files
- EDR or forensic artifacts preserving shortcut file contents, timestamps, and user context
Detection direction
- Confirm whether security tooling parses LNK metadata rather than only file extension, filename, or hash.
- Look for LNK files with unusual icon location references, especially paths or values associated with external retrieval behavior, while accounting for legitimate enterprise shortcuts.
- Correlate shortcut creation, delivery, or user execution with outbound network activity and follow-on process/file creation on Windows systems.
- Tune detections to reduce noise from standard software deployment, desktop management, and legitimate shortcut customization workflows.
- Validate that email, web, endpoint, and SIEM pipelines retain enough original file and metadata detail for investigation; many environments lose this context during filtering or normalization.
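The correlation item above (shortcut interaction followed by outbound network activity and process creation on the same Windows host) can be expressed as a simple windowed join over endpoint and proxy events. The following is an added example, not analytic logic from MITRE or from this page's source: it runs over constructed sample events whose field names (`kind`, `host`, `dst`, `image`) are assumptions rather than any vendor's schema, uses an assumed 60-second window, and treats the listed RFC 1918, loopback and link-local ranges as internal. The addresses are documentation-range placeholders.

```python
"""Correlate user interaction with a .LNK file to follow-on process creation
and outbound network activity on the same host. Added example over constructed
sample events; the field names are assumptions, not a specific vendor schema."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

WINDOW = timedelta(seconds=60)   # assumed correlation window after the shortcut is opened
# Assumed internal ranges; extend with the organisation's own address space.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample events (not real telemetry), roughly what EDR and proxy exports carry.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:01", "host": "WS01", "user": "alice", "kind": "file_open",
     "path": r"C:\Users\alice\Downloads\invoice.lnk"},
    {"ts": "2024-01-10T09:00:02", "host": "WS03", "user": "carol", "kind": "net_conn",
     "dst": "198.51.100.7", "dport": 443},                       # other host: must not be attributed
    {"ts": "2024-01-10T09:00:03", "host": "WS01", "user": "alice", "kind": "net_conn",
     "dst": "203.0.113.10", "dport": 80},
    {"ts": "2024-01-10T09:00:05", "host": "WS01", "user": "alice", "kind": "proc_create",
     "image": "cmd.exe", "parent": "explorer.exe"},
    {"ts": "2024-01-10T10:15:00", "host": "WS02", "user": "bob", "kind": "file_open",
     "path": r"C:\Users\bob\Desktop\Outlook.lnk"},
    {"ts": "2024-01-10T10:15:04", "host": "WS02", "user": "bob", "kind": "proc_create",
     "image": "outlook.exe", "parent": "explorer.exe"},
    {"ts": "2024-01-10T10:15:20", "host": "WS02", "user": "bob", "kind": "net_conn",
     "dst": "10.0.0.5", "dport": 443},                           # internal destination: benign
]


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def is_external(addr: str) -> bool:
    """True when the destination is outside the assumed internal ranges."""
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def correlate_lnk_activity(events: list, window: timedelta = WINDOW) -> list:
    """One alert per .lnk open followed within `window`, on the same host, by an
    outbound connection to an external address; process creations in the window
    raise the severity because they suggest the retrieved content was invoked."""
    events = sorted(events, key=_ts)
    alerts = []
    for i, ev in enumerate(events):
        if ev["kind"] != "file_open" or not ev["path"].lower().endswith(".lnk"):
            continue
        opened = _ts(ev)
        destinations, processes = [], []
        for follow in events[i + 1:]:
            if _ts(follow) - opened > window:
                break
            if follow["host"] != ev["host"]:
                continue
            if follow["kind"] == "net_conn" and is_external(follow["dst"]):
                destinations.append(f'{follow["dst"]}:{follow["dport"]}')
            elif follow["kind"] == "proc_create":
                processes.append(follow["image"])
        if destinations:
            alerts.append({"host": ev["host"], "user": ev["user"], "lnk": ev["path"],
                           "destinations": destinations, "processes": processes,
                           "severity": "high" if processes else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in correlate_lnk_activity(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only the WS01 sequence alerts: the WS03 connection falls inside the window but belongs to another host, and the WS02 shortcut (a normal Outlook launch) only reaches an internal address. In production the `file_open` trigger would come from whatever telemetry records the user's interaction with the shortcut, and the internal-range list is the first thing to tune, since a shortcut whose icon lives on an internal file server should not alert.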
Mitigation priorities
- Start with visibility: ensure LNK attachments/downloads and shortcut metadata are retained or inspectable by endpoint, email, web, and SIEM tooling.
- Harden user delivery paths by reviewing policies for shortcut files from untrusted sources and ensuring suspicious files are isolated for analysis.
- Strengthen endpoint controls that monitor script, process, and network activity following shortcut interaction.
- Update SOC triage playbooks to include LNK metadata review and correlation with outbound retrieval attempts.
- Use incident response tabletop or detection validation exercises to test whether teams can reconstruct the shortcut source, user action, network destination, and follow-on activity.
Analyst notes and limits
The source object is a detection strategy with no official description or detection text. The usable ATT&CK context comes from its relationship to T1027.012, LNK Icon Smuggling, including the Windows platform and stealth tactic on the related technique. Recommendations are therefore framed as defensive validation priorities, not as MITRE-provided analytic logic.
Platforms and tactics are not specified on the detection strategy object itself, and no official detection guidance is supplied. Local telemetry availability, endpoint tooling, email/web filtering behavior, and legitimate shortcut usage patterns must determine final detection design and risk priority.
Detection Strategy for LNK Icon Smuggling
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1027.012 | LNK Icon Smuggling Sub-technique | This object detects LNK Icon Smuggling. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 |  | 1.0 |  | Current bundle | fadacf7109f3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0405
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.