Comments on Windows Incident Response: A Minimal LNK
Feed last updated: 2024-03-19 07:46 (-05:00). Six comments, shown oldest first.

Bryan B, 2019-03-21 15:24 (-05:00):

This is pretty cool stuff. Thanks for the share!

Have you seen this in the wild? What drew you to experiment with this in particular?

BB

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2019-03-21 15:28 (-05:00):

Bryan,

What I was seeing in the wild was 'weaponized' LNK files with a good bit of metadata, but none that was really being used, with the notable exception of what the FireEye folks had done.

> What drew you to experiment with this in particular?

I had a thought... "What would the LCpl do?" Of all the responses to that question that I came up with, this one was the most interesting!

B!n@ry (https://twitter.com/binaryz0ne), 2019-03-23 15:00 (-05:00):

This is scary and at the same time cool :D

Would love to do this on a wide scale and see how such activity could be traced back to the actor?!

BTW, did you zero out the times manually, or also scripted that?

As usual, nice work Harlan and thanks for sharing.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2019-03-23 15:36 (-05:00):

Ali,

I zero'd out the time stamps manually, in the shell items. I'm working on a script to do it for me.

;-)

@mattnotmax, 2019-07-24 05:42 (-05:00):

This is great (and I'm wondering if it could be extended to other artifacts?).

I imagine if used in the wild the absence of any metadata would be the indicator itself?

I could see an application where a threat group needed access to a system where the difference between 890 bytes and 389 bytes might make a difference:
- air-gapped network requiring some obscure entry point
- appending the LNK file within another file but needing to keep the same byte size as the original file.

Just thoughts on your experiment. Thanks Harlan

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2019-07-24 05:53 (-05:00):

Matt,

Other artifacts, such as?

> ...if used in the wild the absence of any metadata would be the indicator itself?

Yes, it would. However, I tend to believe that the extra effort (albeit not a great deal) isn't put into "scrubbing" weaponized LNK files because it's not needed.

I'm not at all clear as to how a smaller LNK file would be applied to an air-gapped network...