ShortCut Modification

ID: T1023 Tactic: Persistence

Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use Masquerading to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.

Previously on Rundll32. I demonstrated an attack where we can edit a shortcut link and execute a powershell one-liner to call back a reverse shell and execute code.

In these examples, I wont get much into details as the general idea is there all it takes now is to find more advanced and well written articles that explain more into this attack.

I will create a Simple Shortcut Link that will execute a payload in Disk my modifying an already existing Shortcut.

I have a test.bat file that when executed it will call simple enumeration commands, net user, whoami, systeminfo

Its original location is at Documents folder and it executes fine.

Let's edit the Shortcut so it calls a shell and not the "test.bat" file, and as you can see the moment the Path changes it quickly edit's our Icon, we can simply edit this back to a bat icon, to look more legitimate to the original file.

And with that we get No Warnings, No Pop-ups, No UAC it will simply run any file attached.

There are plenty more that can be done, but it's an incredible subject and long to work with, these are basic examples and now we at least understand what can be applied with this attack.

Last updated