Red Teaming Experiments
Red Teaming Experiments
linkedin
github
@spotheplanet
patreon
What is this?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
DLL Proxying for Persistence
T1053: Schtask
T1035: Service Execution
T1015: Sticky Keys
T1136: Create Account
T1013: AddMonitor()
T1128: NetSh Helper DLL
T1084: Abusing Windows Managent Instrumentation
Windows Logon Helper
Hijacking Default File Extension
Persisting in svchost.exe with a Service DLL
Modifying .lnk Shortcuts
T1180: Screensaver Hijack
T1138: Application Shimming
T1197: BITS Jobs
T1122: COM Hijacking
T1198: SIP & Trust Provider Hijacking
T1209: Hijacking Time Providers
T1130: Installing Root Certificate
Powershell Profile Persistence
RID Hijacking
Word Library Add-Ins
Office Templates
Exfiltration
reversing, forensics & misc
Windows Kernel / Internals
Exploring Process Environment Block
ETW: Event Tracing for Windows 101
Parsing PE File Headers with C++
Exploring Injected Threads
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered by GitBook

Modifying .lnk Shortcuts

This is a quick lab showing how .lnk (shortcut files) can be used for persistence.

Execution

Say, there's a shortcut on the compromised system for a program HxD64 as shown below:

. That shortcut can be hijacked and used for persistence. Let's change the shortcut's target to this simple powershell:

powershell.exe -c "invoke-item \\VBOXSVR\Tools\HxD\HxD64.exe; invoke-item c:\windows\system32\calc.exe"

It will launch the HxD64, but will also launch a program of our choice - a calc.exe in this case. Notice how the shortcut icon changed to powershell - that is expected:

We can change it back by clicking "Change Icon" and specifying the original .exe of HxD64.exe:

The original icon is now back:

Demo

Below shows the hijack demo in action:

In the above gif, we can see the black cmd prompt for a brief moment, however, it can be easily be hidden by changing the Run option of the shortcut to Minimized:

Running the demo again with the Run: Minimized shows the black prompt went away:

Note that hovering the shortcut reveals that the program to be launched is the powershell.

Reference

Previous
Persisting in svchost.exe with a Service DLL
Next
T1180: Screensaver Hijack
Last updated 9 months ago
Contents
Execution
Demo
Reference