Windows Incident Response: A Minimal LNK

Yeah, so I've written about LNK files before, but I wanted to take it a step further and explore just how much of the specification is actually required for a functioning LNK file.

Step 1
I used VBS to create a "bare-bones" LNK to run calc.exe.  I like to have something visible when testing this sort of thing.

The resulting LNK file is 890 bytes in size, and here is what the metadata for the file looks like:

guid               
mtime              Wed Apr 11 23:34:36 2018 Z
atime              Wed Apr 11 23:34:36 2018 Z
ctime              Wed Apr 11 23:34:36 2018 Z
basepath           C:\Windows\System32\calc.exe
shitemidlist       My Computer/C:/Windows/System32/calc.exe
**Shell Items Details (times in UTC)**
  C:2018-04-11 21:04:34  M:2018-10-11 21:39:08  A:2018-10-11 21:39:08 Windows (9)
  C:2018-04-11 21:04:34  M:2018-12-20 22:46:22  A:2018-12-20 22:46:22 System32 (9)
  C:2018-04-11 23:34:38  M:2018-04-11 23:34:38  A:2018-04-11 23:34:38 calc.exe (9)
vol_sn             22D3-06AE
vol_type           Fixed Disk
hotkey             0x14
showcmd            0x4


***LinkFlags***
HasLinkTargetIDList|IsUnicode|HasLinkInfo|HasRelativePath


***PropertyStoreDataBlock***
GUID/ID pairs:
446d16b1-8dad-4870-a748-402ea43d788c/104
46588ae2-4cbc-4338-bbfc-139326986dce/4          SID: S-1-5-21-3855314428-4085452759-4066589348-1000


***KnownFolderDataBlock***
GUID  :
Folder: CSIDL_SYSTEM


***TrackerDataBlock***
Machine ID              : enzo
New Droid ID Time       : Tue Sep 18 10:39:24 2018 UTC
New Droid ID Seq Num    : 7175
New Droid Node ID       : 5c:26:0a:24:29:6f
Birth Droid ID Time     : Tue Sep 18 10:39:24 2018 UTC
Birth Droid ID Seq Num  : 7175
Birth Droid Node ID     : 5c:26:0a:24:29:6f

Okay, that is a LOT of stuff that gets created in an LNK file, based on the following .vbs script:

' Create the shortcut through the WScript.Shell object, setting only the target path;
' everything else in the 890-byte file above is filled in by the shell for us.
Set w = CreateObject("Wscript.shell")
Set l = w.CreateShortcut("foo2.lnk")
l.TargetPath = "c:\windows\system32\calc.exe"
l.Save

Step 2
Write code that creates a bare-bones LNK file header.  By "bare-bones", I mean one with the time stamps and any extraneous metadata zero'd out.

Step 3
Write code that goes to the LNK file created in step 1, and strips out just the LinkTargetIDList, or "shell item ID list".  Zero out all of the time stamps within the shell items, and just for giggles, change the version value within the shell items.  Append this LinkTargetIDList to the header created in step 2.

The resulting LNK file appears below (image not reproduced here):
The LNK file is 389 bytes in size, and functions perfectly well, no matter where I put it within the file system.  I double-click it, it launches the Calculator, as expected.


However, this is what the metadata now looks like:


guid               
shitemidlist       My Computer/C:/Windows/System32/calc.exe
**Shell Items Details (times in UTC)**
  C:0                    M:0                    A:0                   Windows (10)
  C:0                    M:0                    A:0                   System32 (10)
  C:0                    M:0                    A:0                   calc.exe (10)
hotkey             0x0
showcmd            0x1


***LinkFlags***
HasLinkTargetIDList|IsUnicode

The result of this process is a functioning LNK file with minimal metadata.  No disk or volume information, no SID, no MAC address, none of the things we would look for when analyzing a weaponized LNK file.
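As an added example (not code from this post, and not the code on the author's GitHub), here is a small Python parser that checks an LNK file for exactly the artifacts this post shows being stripped: the header timestamps, LinkInfo (volume serial and base path), the TrackerDataBlock (machine ID and MAC address), the PropertyStoreDataBlock (SID), and the FAT timestamps inside the shell items. The header and block offsets follow MS-SHLLINK; the file-entry shell item layout, and the shortcut of locating the 0xBEEF0004 extension block by its signature, are assumptions drawn from community documentation of the shell item format. The two LNK byte strings it builds are constructed here purely as parser input and are not claimed to be launchable shortcuts.

```python
"""Report which of the forensic artifacts discussed in the post an LNK file lacks.

Added example, not the post's code. Header and block offsets follow MS-SHLLINK;
the file-entry shell item layout and its 0xBEEF0004 extension block follow the
community-documented shell item format (an assumption, not from the post).
build_fixture() constructs LNK bytes purely as parser input.
"""
import struct

HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_DATA_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # Name, RelativePath, WorkingDir, Arguments, IconLocation
TRACKER_SIG, PROPSTORE_SIG = 0xA0000003, 0xA0000009
BEEF0004 = b"\x04\x00\xef\xbe"  # little-endian signature of the file-entry extension block
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}


def _shell_item(item):
    """Class type plus, for file entries, FAT times and extension version (heuristic: find 0xBEEF0004)."""
    entry = {"class": item[2], "mtime": None, "ctime": None, "atime": None, "version": None}
    if (item[2] & 0x70) == 0x30 and len(item) >= 12:           # 0x31 directory / 0x32 file entry
        entry["mtime"] = struct.unpack_from("<I", item, 8)[0]  # FAT modification date/time
        sig = item.find(BEEF0004)
        if sig >= 4:                                           # block = size(u16) version(u16) signature(u32) ...
            ext = sig - 4
            entry["version"] = struct.unpack_from("<H", item, ext + 2)[0]
            entry["ctime"], entry["atime"] = struct.unpack_from("<II", item, ext + 8)
    return entry


def parse_lnk(data):
    """Decode the ShellLinkHeader, LinkTargetIDList and ExtraData block signatures."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a ShellLink header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    times = struct.unpack_from("<QQQ", data, 0x1C)             # Creation, Access, Write (FILETIME)
    showcmd, hotkey = struct.unpack_from("<IH", data, 0x3C)
    info = {"flags": flags, "header_times": times, "showcmd": showcmd,
            "hotkey": hotkey, "items": [], "blocks": []}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        end = pos + 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize includes the TerminalID
        pos += 2
        while pos < end:
            size = struct.unpack_from("<H", data, pos)[0]
            if size == 0:                                       # TerminalID
                break
            info["items"].append(_shell_item(data[pos:pos + size]))
            pos += size
        pos = end
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]           # LinkInfoSize spans the whole structure
    for bit in STRING_DATA_FLAGS:                                # skip any StringData entries
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2 + count * (2 if flags & IS_UNICODE else 1)
    while pos + 8 <= len(data):                                  # ExtraData: BlockSize, BlockSignature, ...
        block_size = struct.unpack_from("<I", data, pos)[0]
        if block_size < 4:                                       # TerminalBlock
            break
        info["blocks"].append(struct.unpack_from("<I", data, pos + 4)[0])
        pos += block_size
    return info


def stripped_indicators(data):
    """The 'minimal LNK' signs the post ends with: no timestamps, no volume data, no MAC, no SID."""
    info = parse_lnk(data)
    found = []
    if not any(info["header_times"]):
        found.append("header timestamps zeroed")
    if not (info["flags"] & HAS_LINK_INFO):
        found.append("no LinkInfo (no volume serial or base path)")
    if TRACKER_SIG not in info["blocks"]:
        found.append("no TrackerDataBlock (no machine ID or MAC address)")
    if PROPSTORE_SIG not in info["blocks"]:
        found.append("no PropertyStoreDataBlock (no SID)")
    files = [i for i in info["items"] if i["mtime"] is not None]
    if files and all(not (i["mtime"] or i["ctime"] or i["atime"]) for i in files):
        found.append("shell item timestamps zeroed")
    return found


def _file_entry(class_type, name, fat_time, version):
    """One constructed file-entry shell item with a simplified 0xBEEF0004 extension."""
    primary = name.encode() + b"\x00"
    primary += b"\x00" * (len(primary) % 2)
    ext_body = struct.pack("<II", fat_time, fat_time) + name.encode("utf-16-le") + b"\x00\x00"
    ext = struct.pack("<HH", 8 + len(ext_body), version) + BEEF0004 + ext_body
    body = struct.pack("<BBIIH", class_type, 0, 0, fat_time, 0x20) + primary + ext
    return struct.pack("<H", 2 + len(body)) + body


def build_fixture(stripped):
    """Constructed LNK bytes (parser input only): 'stripped' mimics the post's 389-byte file."""
    ftime, fat = (0, 0) if stripped else (0x01D3_D1E0_0000_0000, 0x4C8B_A2F1)  # constructed sample times
    flags = HAS_LINK_TARGET_ID_LIST | IS_UNICODE | (0 if stripped else HAS_LINK_INFO)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID, flags, 0x20,
                         ftime, ftime, ftime, 0, 0, 1, 0, 0, 0, 0)
    root = struct.pack("<HBB", 20, 0x1F, 0x50) + bytes.fromhex("e04fd020ea3a6910a2d808002b30309d")
    drive = struct.pack("<HB", 25, 0x2F) + b"C:\\".ljust(22, b"\x00")
    version = 10 if stripped else 9                              # the post changed 9 -> 10 in step 3
    idlist = (root + drive + _file_entry(0x31, "Windows", fat, version)
              + _file_entry(0x31, "System32", fat, version)
              + _file_entry(0x32, "calc.exe", fat, version) + b"\x00\x00")
    extra = b""
    if not stripped:
        extra += struct.pack("<7I", 0x1C, 0x1C, 0, 0, 0, 0, 0)                             # header-only LinkInfo
        extra += struct.pack("<IIII", 0x60, TRACKER_SIG, 0x58, 0) + b"enzo".ljust(16, b"\x00") + bytes(64)
        extra += struct.pack("<II", 12, PROPSTORE_SIG) + bytes(4)                          # empty property store
    return header + struct.pack("<H", len(idlist)) + idlist + extra + bytes(4)              # TerminalBlock


if __name__ == "__main__":
    for label, blob in (("stripped", build_fixture(True)), ("full", build_fixture(False))):
        print(label, len(blob), "bytes:", stripped_indicators(blob) or ["no indicators"])
```

On a real file, call `stripped_indicators(open(path, "rb").read())`. A LNK that hits all five checks has the same profile as the 389-byte file above, which is the point for triage: the absence of volume, tracker and property-store data is itself the signal, so a scoring script should flag a shortcut that carries nothing but a LinkTargetIDList rather than treat it as uninteresting.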

I put some of what was used in the creation of these LNK files on GitHub.
