Skip to content

bvoris/PoShLNKScriptExploit

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

22 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

PoSh LNK Script Exploit

Created by: Brad Voris
GitHub GitHub commit activity GitHub All Releases GitHub repo size GitHub language count GitHub issues GitHub top language

This isn't new and is continued to be leveraged by threat actors across the globe.
I'll demonstrate why LNK files should be blocked at the email level and if embedded in other files should be blocked by default.

We'll take a single line from an LNK file that executes PowerShell:
%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe

We will add the following:
-NoExit
-NoExit Prevents the window from exiting once the commands have been run

-c
-c executes commands directly following the -c

Now we can add ANY powerShell that can fit in the 255 character limit.

In my sample code we count down from 1 to 5 writing dots to the screen on a single line and waiting a second inbetween them. When the command ends it writes to the host Formatting C Drive Complete!... (Some bad humor on my part.)

%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -NoExit -c 1..5 | foreach { write-host "." -NoNewline; sleep -sec 1} -end {write-host "Formatting C Drive Complete!" }

Considering the 255 character limit its very easy to see how threat actors can use LNK files to auto-download a payload and execute. This is especially true with URL shorteners.

Inspiration for this project:
https://thehackernews.com/2023/05/north-koreas-scarcruft-deploys-rokrat.html?m=1
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/

Connect with me at





Victim Of Technology

Cyber Forge Security, Inc.

About

No description or website provided.

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published