> For the complete documentation index, see [llms.txt](https://www.ired.team/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.ired.team/offensive-security/persistence/modifying-.lnk-shortcuts.md).

# Modifying .lnk Shortcuts

This is a quick lab showing how .lnk (shortcut files) can be used for persistence.

## Execution

Say, there's a shortcut on the compromised system for a program HxD64 as shown below:

![](/files/-LyybGpvL3fPqbJ-xNeu)

. That shortcut can be hijacked and used for persistence. Let's change the shortcut's target to this simple powershell:

```csharp
powershell.exe -c "invoke-item \\VBOXSVR\Tools\HxD\HxD64.exe; invoke-item c:\windows\system32\calc.exe"
```

It will launch the HxD64, but will also launch a program of our choice - a calc.exe in this case. Notice how the shortcut icon changed to powershell - that is expected:

![](/files/-LyybbUHMpy7lCVdjo87)

We can change it back by clicking "Change Icon" and specifying the original .exe of HxD64.exe:

![](/files/-Lyybwxip2yTz6aypRVK)

The original icon is now back:

![](/files/-LyycKC3ryW_EXVUIBnI)

## Demo

Below shows the hijack demo in action:

![](/files/-LyycyvpIBuxkSuNs9HV)

In the above gif, we can see the black cmd prompt for a brief moment, however, it can be easily be hidden by changing the `Run` option of the shortcut to `Minimized`:

![](/files/-LyydO_zG64CpYnJdQ43)

Running the demo again with the `Run: Minimized` shows the black prompt went away:

![](/files/-Lyyd_PG2omI4DPGubBx)

{% hint style="warning" %}
Note that hovering the shortcut reveals that the program to be launched is the powershell.
{% endhint %}

## Reference

{% embed url="<https://attack.mitre.org/techniques/T1023/>" %}
