TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

Deep Dive: A LNK in the Chain

2019-05-30

ATT&CK techniques detected

7 predictions
T1059.001 PowerShell
98%
“we can see it uses mshta.exe to start a shell from VBScript, which in turn runs a PowerShell command. The PowerShell command reads from an offset within the LNK file and base64 decodes it. The final part of the command, ($env:comspec[4,26,25] -join ''), is a way to h…”
T1059.001 PowerShell
98%
“…76d111 ; 103d69c110c103u105g110l101z72a101z97b108d116 ; 104a69u1 [... snip... ] c101b78c86d58b99 ; 111b77d115d80a101x99d91b52l44u50 ; 54d44u50u53d93u45x74c111g73g78d39 ; 39b41g40 ; 36b114l101d32g45g74d79g73d110l39b39l41 '. split ( ' c ; zxdalugb ' ) | foreach - object { ( [ int…”
T1059.001 PowerShell
95%
“sr.ReadToEnd()));$wr.Close();.($env:comspec[4,26,25] -join '')($re -join '') Stage 2: the response to the POST request from stage 1 is another PowerShell command: Invoke-Expression(('36j76h111 { 103o69t110h103t105k110r101, 76t105k102, 101k67, …”
T1059.001 PowerShell
94%
“Deep Dive: A LNK in the Chain. The Huntress SOC team sees all sorts of clever tricks attackers use to launch PowerShell. Many of these tricks use PowerShell to read a payload from the registry and then execute that payload. So when we saw a LNK file starting PowerShell and then p…”
T1140 Deobfuscate/Decode Files or Information
46%
“snip... ] 111y114 < 36 < 107h91h36r73y43, 43o37y36o107o46o76h101h78r71h116y72r93 < 125y59o36o100y32 < 61y32j36 { 114 { 45 { 106r111r105t110 < 39 < 39o59 { 32k46j32j40j36t101o78j86, 58j99 { 111k77k115 < 80t101, 99 < 91 { 52j44r50j54, 44k50o53 { 93y45y74, 111j73j78t39k39h41h32t36 <…”
T1218.005 Mshta
37%
“Deep Dive: A LNK in the Chain. The Huntress SOC team sees all sorts of clever tricks attackers use to launch PowerShell. Many of these tricks use PowerShell to read a payload from the registry and then execute that payload. So when we saw a LNK file starting PowerShell and then p…”
T1497.001 System Checks
32%
“…wall|defender|secury|anti|comodo|kasper|protect|point of sale|pos) “secury” is not a typo :) - enumerating the antivirus software - encrypting/decrypting data using RC4 - obtaining the external IP address - testing for administrator privileges - checki…”

Summary

Read the original blog to learn more about what the Huntress team discovered in this LNK-based attack chain.