Anthropic-Cybersecurity-Skills/skills/analyzing-windows-lnk-files-for-artifacts/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00


# API Reference: Analyzing Windows LNK Files for Artifacts
## LnkParse3
### Parse a Single LNK File
```python
import LnkParse3

with open("shortcut.lnk", "rb") as f:
    lnk = LnkParse3.lnk_file(f)
    info = lnk.get_json()   # lnk.print_json() shows every key your installed version emits

# Header timestamps and size describe the *target* as it was when the shortcut was
# written, not the .lnk file itself; use the .lnk's own filesystem MAC times for
# when the shortcut was created and last used.
header = info["header"]
print(header["creation_time"], header["modified_time"], header["accessed_time"], header["file_size"])

# Target path and volume (location_info is present for local targets)
link_info = info.get("link_info", {})
print(link_info.get("local_base_path"))
vol = link_info.get("location_info", {})
print(vol.get("drive_type"), vol.get("drive_serial_number"), vol.get("volume_label"))

# Working directory and arguments: a benign-looking target with suspicious
# arguments (cmd.exe /c ..., powershell -enc ...) is the usual malicious-LNK pattern
data = info.get("data", {})
print(data.get("working_directory"), data.get("command_line_arguments"))

# Distributed link tracker: NetBIOS name of the host that wrote the link, plus object
# IDs. The file droid is a version-1 GUID, so its last 12 hex digits are the MAC
# address of that host's NIC; derive the MAC from the droid rather than expecting
# a separate key.
extra = info.get("extra", {})
tracker = extra.get("DISTRIBUTED_LINK_TRACKER_BLOCK", {})
print(tracker.get("machine_identifier"))
node = str(tracker.get("droid_file_identifier", "")).replace("-", "")[-12:]
if len(node) == 12:
    print(":".join(node[i:i + 2] for i in range(0, 12, 2)).upper())
```
### LNK JSON Structure
Trimmed to the keys an analyst reaches for; `get_json()` also returns `target` (the parsed LinkTargetIDList) and additional extra blocks.
```json
{
  "header": {
    "creation_time": "2024-01-15 14:32:00",
    "modified_time": "2024-01-15 14:32:00",
    "accessed_time": "2024-01-15 14:32:00",
    "file_size": 45056
  },
  "link_info": {
    "local_base_path": "E:\\Documents\\report.xlsx",
    "location": "Local",
    "location_info": {
      "drive_type": "DRIVE_REMOVABLE",
      "drive_serial_number": "1234-ABCD",
      "volume_label": "KINGSTON"
    }
  },
  "data": {
    "working_directory": "E:\\Documents",
    "command_line_arguments": ""
  },
  "extra": {
    "DISTRIBUTED_LINK_TRACKER_BLOCK": {
      "machine_identifier": "DESKTOP-ABC123",
      "droid_volume_identifier": "5f0e9a3c-7d21-4b8e-9c2a-0f6d3b1e8a44",
      "droid_file_identifier": "3c2a1f08-b3c1-11ee-a9d5-aabbccddeeff",
      "birth_droid_volume_identifier": "5f0e9a3c-7d21-4b8e-9c2a-0f6d3b1e8a44",
      "birth_droid_file_identifier": "3c2a1f08-b3c1-11ee-a9d5-aabbccddeeff"
    }
  }
}
```
The values are illustrative. What matters for attribution is that `droid_file_identifier` is a version-1 UUID: its last 12 hex digits (`aabbccddeeff`) are the MAC of the NIC on the host that assigned the object ID, and its time fields record when that happened. Birth droids that differ from the current droids indicate the target was moved between volumes after it was first tracked. The exact rendering of `drive_serial_number` and the GUID strings depends on the LnkParse3 version, so confirm with `lnk.print_json()` before writing key-based parsers.
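The JSON above hides the byte layout that produces it. The following is an added example, not code from this skill or from LnkParse3: a standard-library-only parser that reads the same fields (header times, VolumeID, StringData, TrackerDataBlock) straight from the MS-SHLLINK structures, decodes the MAC and timestamp from the version-1 file droid, runs a small triage pass, and builds a constructed sample `.lnk` in memory so it runs offline. The function names (`parse_lnk`, `triage`, `build_sample_lnk`, `uuid1_at`), the output key names and every sample value (host name, serial, MAC, GUIDs, times) are this example's own assumptions. It covers the ANSI volume-label and local-base-path form of LinkInfo; the Unicode-offset variants and the network (CommonNetworkRelativeLink) form are not handled.

```python
"""Stdlib-only parser for the MS-SHLLINK pieces that matter in triage, plus a triage pass."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
TRACKER_SIG = 0xA0000003
DRIVE_TYPES = {0: "DRIVE_UNKNOWN", 1: "DRIVE_NO_ROOT_DIR", 2: "DRIVE_REMOVABLE",
               3: "DRIVE_FIXED", 4: "DRIVE_REMOTE", 5: "DRIVE_CDROM", 6: "DRIVE_RAMDISK"}
# LinkFlags bits; StringData fields appear in this order when their flag is set
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
FILETIME_EPOCH, UUID_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc), datetime(1582, 10, 15, tzinfo=timezone.utc)

def cstr(data, off):                              # NUL-terminated ANSI string at off
    return data[off:data.index(b"\x00", off)].decode("cp1252")

def droid_info(raw16):
    """Decode an on-disk GUID; for a version-1 UUID also expose node (MAC) and time."""
    u = uuid.UUID(bytes_le=raw16)
    out = {"uuid": str(u)}
    if u.version == 1:
        out["mac"] = ":".join(f"{(u.node >> s) & 0xFF:02X}" for s in range(40, -1, -8))
        out["time"] = UUID_EPOCH + timedelta(microseconds=u.time // 10)
    return out

def parse_lnk(data):
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    ft = lambda t: FILETIME_EPOCH + timedelta(microseconds=t // 10)   # FILETIME -> datetime
    ctime, atime, wtime, fsize = struct.unpack_from("<QQQI", data, 28)  # the *target's* times/size
    info = {"header": {"creation_time": ft(ctime), "accessed_time": ft(atime),
                       "modified_time": ft(wtime), "file_size": fsize},
            "link_info": {}, "string_data": {}, "extra": {}}
    pos = 0x4C
    if flags & HAS_ID_LIST:                         # skip LinkTargetIDList (IDListSize + IDList)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li_size, _, li_flags, vol_off, lbp_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x1:                          # VolumeIDAndLocalBasePath
            _, dtype, serial, label_off = struct.unpack_from("<IIII", data, pos + vol_off)
            info["link_info"] = {
                "drive_type": DRIVE_TYPES.get(dtype, f"0x{dtype:X}"),
                "drive_serial_number": f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",
                "volume_label": cstr(data, pos + vol_off + label_off),   # ANSI label case
                "local_base_path": cstr(data, pos + lbp_off)}
        pos += li_size
    for bit, name in ((HAS_NAME, "description"), (HAS_REL_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "command_line_arguments"),
                      (HAS_ICON, "icon_location")):
        if flags & bit:                             # CountCharacters, then an unterminated string
            n, width = struct.unpack_from("<H", data, pos)[0], 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + n * width]
            info["string_data"][name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + n * width
    # ExtraData blocks until the TerminalBlock (BlockSize < 4)
    while pos + 4 <= len(data) and (bsize := struct.unpack_from("<I", data, pos)[0]) >= 4:
        if struct.unpack_from("<I", data, pos + 4)[0] == TRACKER_SIG:
            blk = data[pos:pos + bsize]             # Length, Version, MachineID[16], Droid[32], DroidBirth[32]
            info["extra"]["tracker"] = {
                "machine_id": blk[16:32].split(b"\x00", 1)[0].decode("ascii", "replace"),
                "droid_volume": droid_info(blk[32:48]), "droid_file": droid_info(blk[48:64]),
                "birth_droid_volume": droid_info(blk[64:80]), "birth_droid_file": droid_info(blk[80:96])}
        pos += bsize
    return info

def triage(info):                                   # analyst-facing observations
    li, sd, trk, notes = info["link_info"], info["string_data"], info["extra"].get("tracker"), []
    if li.get("drive_type") == "DRIVE_REMOVABLE":
        notes.append(f"target was on removable media {li['volume_label']!r}, serial {li['drive_serial_number']}")
    if sd.get("command_line_arguments"):
        notes.append(f"shortcut passes arguments to its target: {sd['command_line_arguments']!r}")
    if trk:
        notes.append(f"link written on host {trk['machine_id']!r}, NIC MAC {trk['droid_file'].get('mac')}")
        if trk["droid_volume"]["uuid"] != trk["birth_droid_volume"]["uuid"]:
            notes.append("droid volume differs from birth droid volume: target moved between volumes")
    return notes

def uuid1_at(when, node, clock_seq=0x1234):         # deterministic v1 UUID for the sample
    t = ((when - UUID_EPOCH) // timedelta(microseconds=1)) * 10
    return uuid.UUID(fields=(t & 0xFFFFFFFF, (t >> 32) & 0xFFFF, ((t >> 48) & 0xFFF) | 0x1000,
                             0x80 | ((clock_seq >> 8) & 0x3F), clock_seq & 0xFF, node))

def build_sample_lnk():
    """Constructed sample: shortcut to report.xlsx on a USB stick, written on DESKTOP-ABC123.
    Every value (times, serial, MAC, GUIDs) is made up for this example."""
    t = ((datetime(2024, 1, 15, 14, 32, tzinfo=timezone.utc) - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    flags = HAS_LINK_INFO | HAS_WORKING_DIR | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LINK_CLSID, flags, 0x20, t, t, t, 45056, 0, 1, 0, 0, 0, 0)
    vol = struct.pack("<IIII", 25, 2, 0x1234ABCD, 16) + b"KINGSTON\x00"   # VolumeID: DRIVE_REMOVABLE
    body = vol + b"E:\\Documents\\report.xlsx\x00" + b"\x00"   # VolumeID, LocalBasePath, empty CommonPathSuffix
    link_info = struct.pack("<IIIIIII", 28 + len(body), 28, 1, 28, 28 + len(vol), 0, 28 + len(body) - 1) + body
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in ("E:\\Documents", ""))
    file_droid = uuid1_at(datetime(2024, 1, 15, 14, 30, tzinfo=timezone.utc), 0xAABBCCDDEEFF)
    vol_now = uuid.UUID(int=0x5F0E9A3C7D214B8E9C2A0F6D3B1E8A44)       # current volume droid
    vol_birth = uuid.UUID(int=0xC81D4E2EBCF24F109D9A3A4E1B6F2C77)     # birth volume droid (differs)
    tracker = (struct.pack("<IIII", 0x60, TRACKER_SIG, 0x58, 0) + b"DESKTOP-ABC123".ljust(16, b"\x00")
               + vol_now.bytes_le + file_droid.bytes_le + vol_birth.bytes_le + file_droid.bytes_le)
    return header + link_info + strings + tracker + b"\x00\x00\x00\x00"
```

To use it on a real shortcut, pass `open(path, "rb").read()` to `parse_lnk()` and feed the result to `triage()`; comparing its output with `get_json()` from LnkParse3 on the same file is a quick way to confirm which key names your installed version emits.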
## Key LNK File Locations
| Location | Description |
|----------|-------------|
| `%APPDATA%\Microsoft\Windows\Recent\` | Shortcuts Windows writes for recently opened files and folders (one `.lnk` per item) |
| `%APPDATA%\...\Recent\AutomaticDestinations\` | Jump Lists (`*.automaticDestinations-ms`): OLE compound files whose streams are LNK structures; extract the streams before parsing them as LNK |
| `%APPDATA%\...\Recent\CustomDestinations\` | Pinned/custom Jump List items (`*.customDestinations-ms`): concatenated LNK structures, not standalone `.lnk` files |
| `%USERPROFILE%\Desktop\` | User-created desktop shortcuts |
| `%APPDATA%\...\Startup\` | Per-user startup folder; any `.lnk` here runs at that user's logon (persistence) |
| `%PROGRAMDATA%\...\Startup\` | All-users startup folder; runs at every user's logon (persistence) |
## Drive Types
Values come from the `DriveType` field of the VolumeID structure (the same constants Win32 `GetDriveType` returns).
| Constant | Value | Meaning |
|----------|-------|---------|
| DRIVE_REMOVABLE | 2 | USB, SD card |
| DRIVE_FIXED | 3 | Internal HDD/SSD |
| DRIVE_REMOTE | 4 | Network share |
| DRIVE_CDROM | 5 | Optical media |
A DRIVE_REMOVABLE entry together with `drive_serial_number` and `volume_label` ties the shortcut to a specific USB volume, which can then be correlated with the host's USB device history.
## References
- LnkParse3: https://pypi.org/project/LnkParse3/
- Shell Link Binary Format: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/
- LECmd: https://github.com/EricZimmerman/LECmd