GNU social JP
GNU social JP is a Japanese GNU social server.
Process Monitor log of extraction of LNK, opening it (which rewrites it), and then the check for MotW later (it's not there)

Download link: https://media.infosec.exchange/infosec.exchange/media_attachments/files/112/910/192/286/533/259/original/93afd21d7a595265.png

Notice where this attachment appears:

    Will Dormann (wdormann@infosec.exchange)'s status on Thursday, 12-Sep-2024 01:47:45 JST

    The flow is pretty straightforward:
    First, the MotW is written when the from-the-internet ZIP is extracted, as any well-behaved (e.g. NOT 7-zip) archiving utility will do.

    Then, as Windows parses the LNK file, it rewrites it to fix the path. In the process of doing this, the MotW is removed.

    Finally, Windows checks to see if it needs to use SAC or SmartScreen. Because there is no MotW, the file is deemed "safe" and no SAC or SmartScreen comes into play. 🎉

    In conversation from infosec.exchange.
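The Procmon log above shows the check a responder would want to script: did a file that carried a Mark of the Web when it came out of the archive still carry one after Windows handled it? The following PowerShell is an added example, not code from the original post or from Will Dormann. It reads the `Zone.Identifier` alternate data stream that holds the MotW, snapshots every file in a directory before and after, and reports files whose MotW disappeared and whether their bytes changed. It is Windows/NTFS only. The function names (`Get-MotWState`, `Compare-MotWState`), the temp folder and the `sample.txt` file are this example's own choices, and the stripping step is simulated with `Remove-Item -Stream` so the script runs without opening an LNK; in the real scenario that is where Explorer's parse-and-rewrite of the LNK would sit.

```powershell
# Added example (not from the original post): snapshot Mark-of-the-Web state
# before and after a file is handled and report files whose MotW vanished.
# Windows only: alternate data streams require NTFS.

function Get-MotWState {
    param([Parameter(Mandatory)][string]$Directory)
    # One record per file: path, SHA256 of the main stream, and the ZoneId
    # parsed from the Zone.Identifier ADS ($null when the stream is absent).
    Get-ChildItem -Path $Directory -File -Recurse | ForEach-Object {
        $zone = $null
        $ads = Get-Content -Path $_.FullName -Stream Zone.Identifier -Raw -ErrorAction SilentlyContinue
        if ($ads -and $ads -match '(?m)^ZoneId=(\d+)') { $zone = [int]$Matches[1] }
        [pscustomobject]@{
            Path   = $_.FullName
            Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            ZoneId = $zone
        }
    }
}

function Compare-MotWState {
    param([Parameter(Mandatory)]$Before, [Parameter(Mandatory)]$After)
    # Report each file that had a MotW before (ZoneId 3 = Internet,
    # 4 = Restricted) and has none afterwards, noting whether it was rewritten.
    $afterByPath = @{}
    foreach ($a in $After) { $afterByPath[$a.Path] = $a }
    foreach ($b in $Before) {
        $a = $afterByPath[$b.Path]
        if ($null -ne $b.ZoneId -and $a -and $null -eq $a.ZoneId) {
            [pscustomobject]@{
                Path         = $b.Path
                ZoneIdBefore = $b.ZoneId
                Rewritten    = ($a.Sha256 -ne $b.Sha256)
            }
        }
    }
}

# --- Constructed demonstration ----------------------------------------------
# Stand-in for the extracted ZIP: a temp folder with one file that carries an
# Internet-zone MotW, written the way a browser or well-behaved archiver would.
$work = Join-Path $env:TEMP ("motw-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
$sample = Join-Path $work 'sample.txt'   # plain text stand-in for the LNK
Set-Content -Path $sample -Value 'placeholder'
Set-Content -Path $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3`r`nReferrerUrl=https://example.invalid/`r`n"

$before = Get-MotWState -Directory $work

# In the real scenario this is where Explorer parses and rewrites the LNK.
# Here the MotW loss and the rewrite are simulated so nothing is opened.
Remove-Item -Path $sample -Stream Zone.Identifier
Add-Content -Path $sample -Value 'rewritten'

$after = Get-MotWState -Directory $work
Compare-MotWState -Before $before -After $after | Format-Table -AutoSize

Remove-Item -Path $work -Recurse -Force
```

To apply it to a real case, point `Get-MotWState` at the extraction folder, open the LNK as the Procmon trace did, take the second snapshot and compare. A row with `Rewritten = True` and no `ZoneId` afterwards is the condition the post describes: no `Zone.Identifier` stream is left for SAC or SmartScreen to consult, so the file is treated as local.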

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.