Red Teaming Experiments
linkedintwitterpatreongithub
Search…
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
DLL Proxying for Persistence
Schtask
Service Execution
Sticky Keys
Create Account
AddMonitor()
NetSh Helper DLL
Abusing Windows Managent Instrumentation
Windows Logon Helper
Hijacking Default File Extension
Persisting in svchost.exe with a Service DLL
Modifying .lnk Shortcuts
Screensaver Hijack
Application Shimming
BITS Jobs
COM Hijacking
SIP & Trust Provider Hijacking
Hijacking Time Providers
Installing Root Certificate
Powershell Profile Persistence
RID Hijacking
Word Library Add-Ins
Office Templates
Exfiltration
reversing, forensics & misc
Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered By GitBook
Modifying .lnk Shortcuts
This is a quick lab showing how .lnk (shortcut files) can be used for persistence.

Say, there's a shortcut on the compromised system for a program HxD64 as shown below:
. That shortcut can be hijacked and used for persistence. Let's change the shortcut's target to this simple powershell:
powershell.exe -c "invoke-item \\VBOXSVR\Tools\HxD\HxD64.exe; invoke-item c:\windows\system32\calc.exe"
It will launch the HxD64, but will also launch a program of our choice - a calc.exe in this case. Notice how the shortcut icon changed to powershell - that is expected:
We can change it back by clicking "Change Icon" and specifying the original .exe of HxD64.exe:
The original icon is now back:

Below shows the hijack demo in action:
In the above gif, we can see the black cmd prompt for a brief moment, however, it can be easily be hidden by changing the Run option of the shortcut to Minimized:
Running the demo again with the Run: Minimized shows the black prompt went away:
Note that hovering the shortcut reveals that the program to be launched is the powershell.

Boot or Logon Autostart Execution: Shortcut Modification, Sub-technique T1547.009 - Enterprise | MITRE ATT&CK®
Previous
Persisting in svchost.exe with a Service DLL
Next
Screensaver Hijack
Last modified 2yr ago
Copy link
On this page
Execution
Demo
Reference