This article has been indexed from Windows Incident Response
As most regular readers of this blog can tell you, I’m a bit of a fan of LNK files…a LNK-o-phile, if you will. I’m not only fascinated by the richness of the structure, but as I began writing a parser for LNK files, I began too see some interesting aspects of intelligence that can be gleaned from LNK files, in particular, those created within a threat actors development environment, and deployed to targets/infrastructures. First, there are different ways to create LNK files using the Windows API, and what’s really cool is that each method has it’s own unique #toolmarks associated with it!
Second, most often there is a pretty good amount of metadata embedded in the LNK file structure. There are file system time stamps, and often we’ll see a NetBIOS system name, a volume S/N, a SID, or other pieces of information that we can use in a VirusTotal retro-hunt in order to build out a significant history of other similar LNK files.
In the course of my research, I was able to create the smallest possible functioning LNK file, albeit with NO (yes, you read that right…) metadata. Well, that’s not 100% true…there is metadata within the LNK file. Specifically, the Windows version identifier is still there, and this is something I purposely left. Instead of zero’ing it out, I altered it to an as-yet-unseen value (in this case, 0x0a). You can also alter each version identifier to their own value, rather than keeping them all the same.
Microsoft recently shared some information about NOBELIUM sending LNK files embedded within ISO files, as did the Volexity team. Both discuss aspects of the NOBELIUM campaign; in fact, they do so in a similar manner, but each with different details. For example, the Volexity team specifically states the following (with respect to the LNK file):
It should be noted that nearly all of the metadata from the LNK file has been removed. Typically, LNK files contain timestamps for creation, modification, and access, as well as information about the device on which they were created.
Now, that’s pretty cool! As someone who’s put considerable effort into understanding th
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: Toolmarks: LNK Files in the news again