Skip to content

Latest commit

 

History

History
53 lines (35 loc) · 2.85 KB

README.md

File metadata and controls

53 lines (35 loc) · 2.85 KB

PoSh LNK Script Exploit

Created by: Brad Voris
GitHub GitHub commit activity GitHub All Releases GitHub repo size GitHub language count GitHub issues GitHub top language

This isn't new and is continued to be leveraged by threat actors across the globe.
I'll demonstrate why LNK files should be blocked at the email level and if embedded in other files should be blocked by default.

We'll take a single line from an LNK file that executes PowerShell:
%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe

We will add the following:
-NoExit
-NoExit Prevents the window from exiting once the commands have been run

-c
-c executes commands directly following the -c

Now we can add ANY powerShell that can fit in the 255 character limit.

In my sample code we count down from 1 to 5 writing dots to the screen on a single line and waiting a second inbetween them. When the command ends it writes to the host Formatting C Drive Complete!... (Some bad humor on my part.)

%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -NoExit -c 1..5 | foreach { write-host "." -NoNewline; sleep -sec 1} -end {write-host "Formatting C Drive Complete!" }

Considering the 255 character limit its very easy to see how threat actors can use LNK files to auto-download a payload and execute. This is especially true with URL shorteners.

Inspiration for this project:
https://thehackernews.com/2023/05/north-koreas-scarcruft-deploys-rokrat.html?m=1
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/

Connect with me at





Victim Of Technology

Cyber Forge Security, Inc.