
Attackers Bypass Windows “Mark of the Web” Protections Using LNK-Stomping

A sophisticated attack technique called LNK Stomping is enabling cybercriminals to bypass Windows security protections designed to block malicious files downloaded from the internet.

The technique exploits a vulnerability in Windows shortcuts that was patched in September 2024 as CVE-2024-38217.

Windows shortcuts, known as LNK files, have become increasingly popular attack vectors since Microsoft strengthened macro blocking policies in 2022.

Attackers typically distribute these malicious shortcuts through email attachments or compressed files, disguising them as legitimate documents.

When executed, LNK files invoke trusted system tools like PowerShell, cmd.exe, or mshta.exe, making malicious activity appear as normal system processes.

To combat such attacks, Windows implements Mark of the Web (MoTW) protections. This security feature attaches metadata to files downloaded from the internet, creating an NTFS Alternate Data Stream called Zone.Identifier.

Windows security tools like SmartScreen and Smart App Control use this metadata to perform reputation checks and warn users about potentially dangerous files.

How LNK Stomping Works

LNK Stomping, first disclosed by Elastic Security Labs in 2024, exploits Windows Explorer’s path normalization process to remove MoTW metadata.

The attack manipulates the internal structure of LNK files by creating non-standard target paths that cause Explorer to incorrectly process the shortcut.

When users click on a maliciously crafted LNK file, Explorer detects the abnormal path structure and attempts to normalize it by resaving the shortcut.

Figure: LNK file of PathSegment type

During this canonicalization, Explorer writes the shortcut back without its Zone.Identifier stream, effectively removing the security label before any reputation check occurs.

The technique uses three primary methods to create structural errors: PathSegment type manipulation places entire file paths in single array elements, Dot type adds periods or spaces to execution paths, and Relative type uses only filenames instead of full paths.
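To show what a defender can look for, here is a small structural checker that parses the LinkTargetIDList of a .lnk file and flags the three shapes just described. It is an added example, not code from the article or from Elastic; it assumes the documented MS-SHLLINK layout (76-byte header, LinkFlags at offset 0x14, a class-type byte at the start of each ItemID, file-entry primary name at payload offset 12) and builds inert, constructed fixtures rather than reading real samples.

```python
import struct
HEADER_SIZE = 0x4C               # fixed ShellLinkHeader length (MS-SHLLINK)
HAS_LINK_TARGET_ID_LIST = 0x1    # LinkFlags bit 0
CLASS_ROOT, CLASS_VOLUME = 0x1F, 0x2F   # shell item class type indicators

def parse_id_list(data: bytes) -> list[bytes]:
    """Raw ItemID payloads of the LinkTargetIDList (empty list if the flag is clear)."""
    if len(data) < HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00":
        raise ValueError("not a shell link file")
    if not (struct.unpack_from("<I", data, 0x14)[0] & HAS_LINK_TARGET_ID_LIST):
        return []
    pos = HEADER_SIZE + 2                                   # skip IDListSize
    end = pos + struct.unpack_from("<H", data, HEADER_SIZE)[0]
    items = []
    while pos + 2 <= end:
        size = struct.unpack_from("<H", data, pos)[0]       # ItemIDSize incl. itself
        if size < 3:                                        # TerminalID (0) or junk
            break
        items.append(data[pos + 2:pos + size])
        pos += size
    return items

def lnk_stomping_indicators(data: bytes) -> list[str]:
    """Heuristics for the three malformed-IDList shapes the article names."""
    items, findings = parse_id_list(data), []
    if items and items[0][0] not in (CLASS_ROOT, CLASS_VOLUME):
        findings.append("Relative: IDList does not begin with a root or volume item")
    for item in items:
        if (item[0] & 0x70) != 0x30:                        # only file/folder entries
            continue
        name = item[12:].split(b"\x00", 1)[0].decode("latin-1")   # primary ANSI name
        if "\\" in name:
            findings.append(f"PathSegment: whole path inside one ItemID ({name!r})")
        if name.endswith((".", " ")):
            findings.append(f"Dot: trailing dot/space in target name ({name!r})")
    return findings

# Constructed fixtures (not real samples): minimal .lnk bytes carrying only an IDList.
def _item(payload: bytes) -> bytes:
    return struct.pack("<H", len(payload) + 2) + payload
def file_item(name: str) -> bytes:   # class 0x32 = file; size/time/attrs zeroed
    return _item(b"\x32\x00" + bytes(10) + name.encode("latin-1") + b"\x00")
def build_lnk(items: list[bytes]) -> bytes:
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)           # HeaderSize
    header[4:20] = bytes.fromhex("0114020000000000c000000000000046")   # LinkCLSID
    struct.pack_into("<I", header, 0x14, HAS_LINK_TARGET_ID_LIST)
    id_list = b"".join(items) + b"\x00\x00"                  # TerminalID
    return bytes(header) + struct.pack("<H", len(id_list)) + id_list
ROOT, DRIVE = _item(b"\x1f\x50" + bytes(16)), _item(b"\x2fC:\\\x00")
NORMAL = build_lnk([ROOT, DRIVE, file_item("Windows"), file_item("notepad.exe")])
STOMPED = build_lnk([ROOT, DRIVE, file_item("Windows\\notepad.exe.")])
```

Run `lnk_stomping_indicators(open(path, "rb").read())` over shortcuts arriving by mail or in archives; an empty list means the IDList looks conventional, anything else is worth a second look alongside the Zone.Identifier check.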

Security researchers successfully demonstrated LNK Stomping bypassing Windows 10 security controls.

In controlled testing, malicious LNK files without the technique were properly blocked by Smart App Control, while those employing LNK Stomping executed without any security warnings.

Figure: SAC blocking when executing a malicious LNK file

The vulnerability’s significance became apparent when CISA added CVE-2024-38217 to its Known Exploited Vulnerabilities list on September 10, 2024, confirming active exploitation in the wild.

Joe Desimone from Elastic Security Labs discovered numerous LNK Stomping samples on VirusTotal, with the oldest submissions dating back six years, suggesting long-term underground use of this technique.

Currently, no specific threat groups have been officially attributed to exploiting this vulnerability.

However, the CISA KEV listing indicates that attackers have been actively using LNK Stomping techniques, making it a persistent rather than theoretical threat.

Organizations should ensure systems are updated with the September 2024 security patches and implement behavior-based detection rules to identify suspicious LNK file activity, as traditional signature-based protections may struggle against these evasion techniques.
