ShortCut Modification

ID: T1023 Tactic: Persistence


Last updated 5 years ago


Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use Masquerading to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.

Previously on . I demonstrated an attack where we can edit a shortcut link and execute a PowerShell one-liner to call back a reverse shell and execute code.

In these examples, I won't go into much detail, as the general idea is there; all it takes now is to find more advanced and well-written articles that explain more about this attack.

I will create a simple shortcut link that will execute a payload on disk by modifying an already existing shortcut.

I have a test.bat file that, when executed, calls simple enumeration commands: net user, whoami, systeminfo.

Its original location is the Documents folder, and it executes fine.

Let's edit the shortcut so it calls a shell and not the "test.bat" file. As you can see, the moment the path changes it quickly edits our icon; we can simply edit this back to a bat icon so it looks more legitimate, like the original file.

And with that we get no warnings, no pop-ups, no UAC; it will simply run any file attached.

There is plenty more that can be done, but it's an incredible subject and a long one to work with. These are basic examples, and now we at least understand what can be applied with this attack.
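
From the defender's side, the tampering described above (target repointed at a shell, icon set back to the original) leaves traces in the .lnk itself. The following audit script is an added example, not part of the original notes; the folders searched and the interpreter list are assumptions to adjust for your environment.

```powershell
# Added example: list shortcuts whose target is a script host or interpreter.
# Assumptions: the folders searched and the interpreter list; adjust both.
$folders = 'Desktop', 'MyDocuments', 'Startup', 'CommonStartup' |
    ForEach-Object { [Environment]::GetFolderPath($_) } |
    Where-Object { $_ -and (Test-Path $_) }

$interpreters = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'mshta.exe',
                'wscript.exe', 'cscript.exe', 'rundll32.exe', 'regsvr32.exe'

$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($lnk in Get-ChildItem -Path $folders -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue) {
    # CreateShortcut opens the existing .lnk; nothing is written unless Save() is called
    $sc = $shell.CreateShortcut($lnk.FullName)
    if (-not $sc.TargetPath) { continue }      # shortcut has no file-system target
    $leaf = Split-Path $sc.TargetPath -Leaf
    if ($interpreters -notcontains $leaf) { continue }

    # IconLocation is "path,index"; an empty path means the target's own icon is used
    $iconPath = [Environment]::ExpandEnvironmentVariables(($sc.IconLocation -split ',')[0].Trim())

    [pscustomobject]@{
        Shortcut       = $lnk.FullName
        Target         = $sc.TargetPath
        Arguments      = $sc.Arguments
        # True when the icon was taken from a file other than the target
        IconOverridden = [bool]($iconPath -and ($iconPath -ne $sc.TargetPath))
        # True when the .lnk was rewritten after it was first created
        EditedLater    = $lnk.LastWriteTime -gt $lnk.CreationTime.AddMinutes(1)
        LastWrite      = $lnk.LastWriteTime
    }
}

$findings | Sort-Object LastWrite -Descending | Format-List
```

Shortcuts that show both `IconOverridden` and `EditedLater` match the pattern on this page most closely; legitimate shortcuts to cmd.exe or PowerShell will also appear and need to be reviewed by their `Arguments`.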
