Windows.Applications.LECmd :: Velociraptor

Windows.Applications.LECmd
Execute Eric Zimmerman’s LECmd and return output for analysis. Created using @eduardfir SBECmd VQL as a quide.
LECmd is a CLI tool for analyzing lnk data. Learn more - https://github.com/EricZimmerman/LECmd

name: Windows.Applications.LECmd
description: |
    Execute Eric Zimmerman's LECmd and return output for analysis.
    Created using @eduardfir SBECmd VQL as a quide.  
    LECmd is a CLI tool for analyzing lnk data. Learn more - https://github.com/EricZimmerman/LECmd

author: Carlos Cajigas @carlos_cajigas. Modified by Zach K. https://www.linkedin.com/in/zach-kal on 2026-02-10 to address 404-url and csv parsing issues.

type: CLIENT

tools:
  - name: LECmd
    url: https://download.ericzimmermanstools.com/LECmd.zip
    version: 1.5.1
    
parameters:
  - name: sourceFile
    default: .
    type: regex
    description: "RegEx pattern for the name or path of the lnk file. Example 'recent' folder"
  - name: localPath
    default: .
    type: regex
    description: "RegEx pattern for the name or path of the target of the lnk file. Example 'cmd.exe'"
  - name: arguments
    default: .
    type: regex
    description: "Arguments of the lnk file. Example '/c powershell Invoke-Command'"
  - name: dateAfter
    description: "search for lnk files with a SourceCreated after this date. YYYY-MM-DD"
  - name: dateBefore
    description: "search for lnk files with a SourceCreated before this date. YYYY-MM-DD"

precondition: SELECT OS From info() where OS = 'windows'

sources:
  - query: |
      -- get context on target binary
      LET lecmdpackage <= SELECT * FROM Artifact.Generic.Utils.FetchBinary(
                    ToolName="LECmd", IsExecutable=FALSE)

      -- build tempfolder for output
      LET tmpdir <= tempdir()
      
      -- decompress utility
      LET payload = SELECT * 
        FROM unzip(filename=lecmdpackage[0].FullPath,
            output_directory=tmpdir)
      
      -- execute payload
      LET deploy <= SELECT * 
        FROM execve(argv=[payload.NewPath[0], 
        "-d", 
        "c:/", 
        "--csv", 
        tmpdir, 
        "--csvf", 
        "results.csv"])
      
      -- find the actual CSV file created
      LET csvfile <= SELECT OSPath FROM glob(globs="results*.csv", root=tmpdir) LIMIT 1
      
      -- parse csv
      SELECT SourceFile, LocalPath, Arguments, SourceCreated, 
        SourceModified, WorkingDirectory, RelativePath, 
        TargetCreated, TargetModified, DriveType, VolumeLabel
      FROM parse_csv(filename=csvfile.OSPath[0])
      WHERE 
        (if(condition=dateAfter, then=SourceCreated > dateAfter,
            else=TRUE) AND 
        if(condition=dateBefore, then=SourceCreated < dateBefore, 
            else=TRUE))
      AND SourceFile =~ sourceFile
      AND LocalPath =~ localPath
      AND Arguments =~ arguments