Shortcut Modification

Adversaries may create or edit shortcuts to run a program during system boot or user login. Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.

Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use Masquerading to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.

Example:

LNK they are shortcut files that point to a binary or file which can be accessed directly without having to find the location of the file from various directories such as TXT Files.

It's very simple to create and have the shortcut point to our payload or command to execute.

Right Click

We fill in the command to get executed or we point it to our payload that we can use to establish persistence.

And save it

We see that when double clicked it will spawn cmd but will open the calculator applications

We can also point to one of our payloads. And we can also change the icon so it doesn't look like your typical binary Icon being executed a little social engineering to trick our user.

Once double clicked we receive a shell

This technique will establish persistence at the current user level permissions running it.

A great little trick but this will easily be found by our SOC. So just in handy to know that this is available.

Note LNK can also be created with PowerShell in case of no GUI available

This technique can also be applied to already existing LNK files such as Google Chrome, Firefox, Edge, etc. As long as these are Shortcut links they can be easily modified as well to have them point to our payload.

Unfortunately I am not aware on how to change the Icon from PS.