Introduction
In one of the recent engagements conducted by THEOS Red Team, the operators were tasked to simulate an APT scenario in one of our clients. This type of scenario covers the complete kill-chain starting with the reconnaissance of the target client, execution of attacks to gain an initial foothold, and eventually achieving the desired objective.
In every engagement, it is critical to craft an initial access payload that will be used in the phishing campaigns to gain a foothold inside the target’s network. The challenge here is customizing a payload bypassing security tool such as Antivirus or EDR solutions. Upon testing different payloads, the team decided to craft a shortcut file stored in an encrypted archive which was used during the engagement.
This post highlights the steps executed by the team to craft the shortcut file that bypasses Windows Defender.
Payload Creation
To give a brief overview about the payload used, let’s discuss first shortcut files.
Figure 1: Shortcut File or LNK files (Wikipedia)
Basically, a shortcut or an LNK file is a type of file that allows the user to access a resource located in a different directory or folder. This file is using the .lnk extension and is usually seen in the Desktop directory by common applications such as your web browser (eg. Google Chrome, Firefox, etc.).
To understand how we can leverage this file to execute a malicious action, we can use Google Chrome shortcut as an example.
Figure 2: Google Chrome Shortcut File
Based on the properties of Google Chrome.lnk, we can see that the target property points to C:\Program Files\Google\Chrome\Application\chrome.exe indicating that the Chrome application from another directory will be executed once we open the shortcut file. This shortcut property is not limited to just the binary file location but it can also be written with a command line parameter. Given this, we can craft an lnk file to execute a malicious command embedded on the target property.
In this scenario, we decided to create the following execution chain:
- User decrypts the malicious lnk file from an encrypted zip.
- LNK file invokes an encoded powershell command.
- Powershell command executes an AMSI bypass.
- Powershell command executes the malicious stager in memory.
We wrote a powershell script to automate the creation based on the execution chain.
Based on the image above, the script executes the following:
- Encode the powershell commands for AMSI bypass and download cradle into base64.
- Create and modify the properties of demo.lnk to execute the encoded powershell command.
- Create an encrypted zip named demo.zip which contains demo.lnk.
- Delete the lnk file.
The image below shows the malicious command contained in our generated shortcut file after the script’s executio
Detection
The following link contains a video demonstration of the execution of the crafted payload.
Red Team Operations: Shortcut File as Initial Access Payload Demo
The execution chain discussed above leaves a lot of traces which can be easily flagged by EDR solutions or by SOC / IR analysts via log analysis. Below are some examples of Windows Log Sources and logs generated by the payload from each log source.
Windows Event Logs (with Process Command Line Logging)
Windows Event Logs can easily be configured to log all process creations. However, the process command line logging is not enabled by default which is highly important in log analysis.
The execution of the payload can be seen via Event Viewer > Windows Logs > Security and by searching Event ID 4688.
Sysmon
Sysmon or System Monitor is a Windows system service and device driver that monitors and logs all system activities.
Logs generated by Sysmon can also be viewed inside Event Viewer > Applications and Services Logs > Microsoft > Windows > Sysmon. Process creation events can be viewed via Event ID 1.
Aside from the process creation events, Sysmon can also log the network connections invoked by the malicious process via Event ID 3. The image below shows the initial download of the powershell stager via 10.66.66.239:80.
Conclusion
The technique demonstrated above shows that the version of Windows Defender during the time of writing was bypassed successfully. However, multiple caveats should be considered when using this execution chain. As shown in the detection section, the execution chain can easily be flagged by good endpoint detection rules via log analysis, and most likely to be flagged by known commercial EDRs.