LNK Stomping Attack Lets Hackers Bypass Windows Mark of the Web


A sophisticated technique, called LNK Stomping, abuses how Windows handles shortcut files to bypass the Mark of the Web, or MoTW, security control. Tracked as CVE-2024-38217 and patched on September 10, 2024, the vulnerability allows attackers to craft malicious LNK files that force Windows Explorer to normalize paths, inadvertently strip the Zone.Identifier NTFS alternate data stream that carries the MoTW metadata, and execute payloads without triggering SmartScreen or Smart App Control. CISA has added this CVE to its Known Exploited Vulnerabilities catalog, confirming active exploitation.

How LNK Stomping Works, technical overview

LNK files use a complex binary structure, including a LinkTarget IDList that stores Shell Item IDs, which represent the hierarchical path to a target inside the Windows Shell namespace. Attackers craft non-standard IDList structures that cause explorer.exe to run canonicalization, or normalization, routines. During that normalization, the original LNK can be overwritten and the Zone.Identifier ADS, which stores MoTW data, can be removed before security checks run, allowing payloads to execute without being treated as untrusted.

Three main manipulation techniques have been observed: PathSegment type attacks, where an entire file path is placed inside a single IDList element instead of segmented components; Dot type attacks, which append periods or spaces to target paths; and Relative type attacks, which use only filenames without full path specifications. Each approach creates a structural inconsistency that triggers the normalization behavior the attack exploits.

[Figure: Executing an LNK file using the LNK Stomping attack technique]

Exploitation details and timeline

Security researchers at Elastic Security Labs located numerous LNK Stomping samples on VirusTotal, with some submissions dating back six years, suggesting real-world use long before public disclosure. Attackers often distribute weaponized LNK files in emails, compressed archives such as RAR, or in ISO images, especially after Microsoft tightened macro usage policies in 2022, which pushed threat actors to alternative initial access vectors.

When a victim double-clicks a malicious LNK, the file may invoke trusted Windows utilities, which helps malicious activity blend with legitimate system behavior. Because the technique exploits native file handling and explorer behavior, traditional signature-based detection often fails, and behavioral, format-level detection is needed.

Impact on defensive controls

LNK Stomping can bypass SmartScreen and Smart App Control, because MoTW metadata that flags files as downloaded from the internet can be stripped before those controls evaluate the payload. This makes it harder for endpoint protections and email gateways to flag or quarantine malicious files, and increases the risk of successful initial access and follow-on actions by attackers.

Detection and mitigation recommendations, practical steps for defenders

  1. Apply vendor patches, verify systems were updated for CVE-2024-38217, and confirm September 10, 2024 patches are deployed across endpoints.
  2. Monitor explorer.exe activity and unusual LNK file creations or modifications, especially LNK files that reference atypical or non-canonical path structures.
  3. Use behavior-based detection that looks for canonicalization and ADS removal patterns, rather than relying solely on static signatures.
  4. Restrict user ability to run files from removable media or temporary directories, enforce least privilege, and apply application control policies.
  5. Train users to treat unexpected LNK files in emails or archives as suspicious, and to verify attachments through secondary channels.
  6. Inspect archives and ISO images delivered by email or downloads, using sandboxing and static analysis to detect malformed LNK structures.
  7. Include LNK parsing and format-fuzzing in threat-hunting playbooks, and add detection rules for PathSegment, Dot, and Relative manipulation patterns.
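As an added illustration of the detection rules in item 7 and of the three manipulation types described earlier (this is example code written for this page, not code from the article or from Elastic Security Labs), the following Python walks a ShellLink's LinkTargetIDList and flags the PathSegment, Dot and Relative patterns. The header and shell-item offsets are assumed from the public MS-SHLLINK format, only the ASCII primary name of file and directory entries is parsed (a simplification), and the sample LNK bytes are constructed inline rather than taken from real samples.

```python
import struct

# Layout assumed from the public MS-SHLLINK spec (not from the article): 0x4C-byte
# header, LinkFlags at offset 20 (bit 0 = HasLinkTargetIDList), IDListSize (u16), then
# ItemIDs (u16 size incl. itself + body, 0x0000 terminator); file/directory entry items
# (class type 0x3x) carry a null-terminated ASCII primary name at body offset 12.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

def parse_idlist(lnk):
    """Return the ItemID bodies of the LinkTargetIDList ([] if the LNK has none)."""
    if len(lnk) < 0x4C or lnk[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    if not struct.unpack_from("<I", lnk, 20)[0] & 0x1:
        return []
    pos, items = 0x4E, []
    end = pos + struct.unpack_from("<H", lnk, 0x4C)[0]
    while pos + 2 <= end and (size := struct.unpack_from("<H", lnk, pos)[0]):
        items.append(lnk[pos + 2:pos + size])
        pos += size
    return items

def file_entry_name(body):
    """ASCII primary name of a file/directory entry item; None for root/volume items."""
    if len(body) > 12 and body[0] & 0x70 == 0x30:
        return body[12:].split(b"\x00", 1)[0].decode("ascii", "replace")
    return None

def classify(lnk):
    """Flag the IDList manipulations the article names: PathSegment, Dot, Relative."""
    items = parse_idlist(lnk)
    names = [file_entry_name(b) for b in items]
    findings = []
    for name in filter(None, names):
        if "\\" in name or ":" in name:    # a whole path crammed into one element
            findings.append("PathSegment:" + name)
        if name != name.rstrip(". "):      # trailing dot or space on a segment
            findings.append("Dot:" + name)
    if items and None not in names:        # no root/volume item leads the list
        findings.append("Relative:" + "\\".join(names))
    return findings

def _item(class_type, payload):            # constructed sample items, not real LNK data
    body = bytes([class_type]) + payload
    return struct.pack("<H", 2 + len(body)) + body

def file_item(name, class_type=0x32):      # 0x32 = file entry, 0x31 = directory entry
    body = struct.pack("<BIIH", 0, 0, 0, 0x20) + name.encode("ascii") + b"\x00"
    return _item(class_type, body + b"\x00" * ((len(body) + 1) % 2))  # pad to 16 bits
VOLUME_ITEM = _item(0x2F, b"\x00C:\\\x00")

def build_lnk(*items):
    idlist = b"".join(items) + b"\x00\x00"
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, 0x1) + b"\x00" * (0x4C - 24)
    return header + struct.pack("<H", len(idlist)) + idlist
```

A well-formed shortcut (volume item, directory entry, file entry) yields no findings, while a single element holding `C:\Windows\System32\calc.exe`, a name ending in `.`, or an IDList with no leading root or volume item is flagged as PathSegment, Dot or Relative respectively.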

Conclusion

LNK Stomping exposes a format-level weakness in Windows shortcut handling that attackers can weaponize to evade MoTW, SmartScreen, and Smart App Control, making detection harder. Because the technique leverages legitimate system behavior, defenders should prioritize patching, behavioral monitoring, and format-aware detection strategies to close this vector and reduce successful exploitation.