Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/wdormann/statuses/113045947469880611">Will Dormann (wdormann@infosec.exchange)'s status on Thursday, 12-Sep-2024 01:47:44 JST</a><a href="https://infosec.exchange/@wdormann" title="wdormann@infosec.exchange"><img src="https://gnusocial.jp/avatar/232810-48-20240116185707.webp" width="48" height="48" alt="Will Dormann" style="position: absolute; left: 0; top: 0;">Will Dormann</a><div><a href="https://infosec.exchange/@wdormann/113045776391352324" rel="in-reply-to">in reply to</a><ul><li></ul></div></section><article><p>The Elastic blog post admits that signature-based detection on LNK files is difficult.</p><p>A simple Python script to detect abusers of this LNK vulnerability was created by <a href="https://infosec.exchange/@dez">@dez</a> , but it is fragile in that it relies on pylnk3 being able to parse the LNK file without error to be successful.</p><p>Out of a set of about 2000 LNK files, lnk_stomping.py fails to analyze about 1400 of them due to errors thrown by pylnk3 (e.g. year out of scope, drive as second element required, utf-8 decode error, struct unpack error)</p><p>Out of a set of about 1200 LNK files that abuse the "pathsegment" variant of LNK Stomping, lnk_stomping.py detects 13 of them.</p><p>So yeah, lnk_stomping.py is better than nothing. But if you're statically looking at LNK files to see if they are abusing LNK Stomping, you might be better off using exiftool and looking for one of:</p><p>1) "Target File DOS Name" has a '\' in it<br>2) "Target File DOS Name" ends with a '.'<br>3) "Relative Path" begins with ".\"</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/3651109#notice-7154425">In conversation</a><time datetime="2024-09-12T01:47:44+09:00" title="Thursday, 12-Sep-2024 01:47:44 JST">about 2 months ago</time> <span>from <span><a href="https://infosec.exchange/@wdormann/113045947469880611" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@wdormann/113045947469880611">permalink</a><h4>Attachments</h4><ol><li><article><header><div>No result found on File_thumbnail lookup.</div><h5><a href="https://this.lol/">https://this.lol/</a></h5><div></div></header><div></div><footer></footer></article></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/3155216">Target File DOS Name            : Windows\System32\cmd.exe
Target File DOS Name            : wIndOWs\SYsTem32\cmd.exe
Target File DOS Name            : Windows\System32\cmd.exe
Target File DOS Name            : wIndOWs\SYsTem32\cmd.exe
Target File DOS Name            : Windows\System32\cONhosT.exe
Target File DOS Name            : Windows\System32\cONhosT.exe
Target File DOS Name            : Windows\System32\cONhosT.exe
Target File DOS Name            : Windows\System32\cONhosT.exe
Target File DOS Name            : Windows\System32\cONhosT.exe
Target File DOS Name            : wIndOWs\SYsTem32\cmd.exe
Target File DOS Name            : Windows\System32\cONhosT.exe
Target File DOS Name            : Windows\System32\cONhosT.exe
Target File DOS Name            : Windows\System32\cONhosT.exe
Target File DOS Name            : Windows\System32\cONhosT.exe
Target File DOS Name            : wIndOWs\SYsTem32\cmd.exe
Target File DOS Name            : WIndOWs\SysTEm32\cONhOsT.EXe
Target File DOS Name            : Windows\System32\cmd.exe
Target File DOS Name            : Windows\System32\cONhosT.exe
Target File DOS Name            : Windows\System32\cmd.exe
Target File DOS Name            : Windows\System32\cmD.Exe
Target File DOS Name            : Windows\System32\cmD.Exe
Target File DOS Name            : wIndOWs\SYsTem32\cmd.exe
Target File DOS Name            : Windows\System32\cONhosT.exe
Target File DOS Name            : Windows\System32\cONhosT.exe
...</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/045/941/706/836/427/original/8e77826369ab8502.png" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/045/941/706/836/427/original/8e77826369ab8502.png</a></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/3155217">Untitled attachment</a></label><br></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Will Dormann (wdormann@infosec.exchange)'s status on Thursday, 12-Sep-2024 01:47:44 JSTWill Dormann
in reply to
- Joe Desimone
The Elastic blog post admits that signature-based detection on LNK files is difficult.
A simple Python script to detect abusers of this LNK vulnerability was created by @dez , but it is fragile in that it relies on pylnk3 being able to parse the LNK file without error to be successful.
Out of a set of about 2000 LNK files, lnk_stomping.py fails to analyze about 1400 of them due to errors thrown by pylnk3 (e.g. year out of scope, drive as second element required, utf-8 decode error, struct unpack error)
Out of a set of about 1200 LNK files that abuse the "pathsegment" variant of LNK Stomping, lnk_stomping.py detects 13 of them.
So yeah, lnk_stomping.py is better than nothing. But if you're statically looking at LNK files to see if they are abusing LNK Stomping, you might be better off using exiftool and looking for one of:
1) "Target File DOS Name" has a '\' in it
2) "Target File DOS Name" ends with a '.'
3) "Relative Path" begins with ".\"
In conversationabout 2 months ago from infosec.exchangepermalink
Attachments

Public

Embed Notice

HTML Code

Corresponding Notice