Changes In The Use Of LNK Files

This article has been indexed from Windows Incident Response

Not long ago, I posted regarding how LNK files can be (ab)used; the post refers to LNK file metadata, and how, if the LNK file is sent by the threat actor, that metadata can be used to learn about the threat actor’s environment. I first saw this mentioned by JPCERT in 2016, where they included an interesting graph (figure 1) in their post to illustrate the point.

Tony Lambert recently shared via his blog a change in Emotet TTPs: the threat actor group had moved to using LNK files as an initial delivery mechanism. In the post, Tony described this as “a really interesting TTP change” and said it was “odd but not unexpected”. Tony also shared a link to download a copy of the LNK file, as well as metadata parsed from the LNK sample via EXIFTool. I don’t often use EXIFTool for this sort of metadata extraction, and I wanted to take a look for myself; here’s what I found:
guid        {00021401-0000-0000-c000-000000000046}
shitemidlist    My Computer/C:\/Windows/system32/cmd.exe
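The header GUID and shell item ID list above are the first things any LNK parser reads; the environment metadata mentioned earlier (the machine that built the link, and the MAC address embedded in its object-tracking GUID) lives further on in the TrackerDataBlock. The following Python parser is an added example, not code from the original post or from Tony Lambert's tooling: it walks the ShellLinkHeader, skips the variable-length sections per MS-SHLLINK, and pulls the MachineID and file droid out of the tracker block. The function names and the sample LNK bytes are constructed here for illustration.

```python
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)   # Name, RelPath, WorkingDir, Args, Icon
TRACKER_SIG = 0xA0000003                         # ExtraData: TrackerDataBlock

def parse_lnk(data):
    """Return header fields plus the TrackerDataBlock artefacts (hypothetical helper)."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a Shell Link header")
    info = {"link_flags": flags, "file_size": struct.unpack_from("<I", data, 52)[0]}
    pos = 0x4C
    if flags & HAS_ID_LIST:                      # LinkTargetIDList: 2-byte size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfo: 4-byte size includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for bit in STRING_FLAGS:                     # StringData: 2-byte char count + chars
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2 + count * (2 if flags & IS_UNICODE else 1)
    while pos + 8 <= len(data):                  # ExtraData blocks until terminal block
        bsize, sig = struct.unpack_from("<II", data, pos)
        if bsize < 4:
            break
        if sig == TRACKER_SIG:
            machine = data[pos + 16:pos + 32].split(b"\0", 1)[0].decode("ascii", "replace")
            file_droid = uuid.UUID(bytes_le=data[pos + 48:pos + 64])   # Droid ObjectID
            info["machine_id"] = machine
            # A version-1 UUID carries the NIC MAC of the creating host in its node field
            info["mac"] = "%012x" % file_droid.node if file_droid.version == 1 else None
        pos += bsize
    return info

def build_sample_lnk():
    """Constructed sample: header, empty IDList, TrackerDataBlock, terminal block."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID.bytes_le, HAS_ID_LIST,
                         0x20, 0, 0, 0, 1234, 0, 1, 0, 0, 0, 0)
    id_list = struct.pack("<H", 2) + b"\0\0"                  # only the terminal ItemID
    vol = uuid.UUID("a1b2c3d4-0000-4000-8000-000000000001").bytes_le
    fil = uuid.UUID("5e5a0f5e-6bd2-11ec-9c36-001122334455").bytes_le   # made-up v1 GUID
    tracker = struct.pack("<IIII16s", 0x60, TRACKER_SIG, 0x58, 0, b"DESKTOP-TEST")
    return header + id_list + tracker + vol + fil + vol + fil + struct.pack("<I", 0)

if __name__ == "__main__":
    print(parse_lnk(build_sample_lnk()))
```

On a real sample, read the file with `open(path, "rb").read()` and pass the bytes to `parse_lnk`; a missing `machine_id` key simply means the link carried no TrackerDataBlock.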