Unit42 published a pretty decent write-up on malicious lnk files. It includes IOCs for the specific lnk files referenced in the post, but the concepts themselves are more important than the IOCs.

https://unit42.paloaltonetworks.com/lnk-malware/

Windows Shortcut (LNK) Malware Strategies

Our telemetry shows a surge in Windows shortcut (LNK) malware use. We explain how attackers exploit LNK files for malware delivery.

Unit 42
@cR0w Your reminder that, for some reason, exiftool parses .lnk files perfectly for quick analysis.
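
To show what a tool like exiftool is pulling out of a shortcut, here is an added example (not from the post, and not exiftool's code) of a minimal MS-SHLLINK parser that reads the StringData fields: the relative path, working directory and command-line arguments that say what the shortcut launches. build_lnk is a constructed test fixture, not a real sample; the ANSI code page (cp1252) is an assumption.

```python
import struct

HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
# LinkFlags bits for the StringData fields, in the order they appear in the file
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40))

def parse_lnk(data):
    """Return the StringData fields: the part of a shortcut that says what it launches."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a shell link: bad HeaderSize or LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_IDLIST:      # skip LinkTargetIDList: 2-byte IDListSize, then the items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:    # skip LinkInfo: its 4-byte LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for key, bit in STRING_FIELDS:   # each: 2-byte CountCharacters, then the characters
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        width = 2 if flags & IS_UNICODE else 1          # UTF-16LE or system code page
        raw = data[off:off + width * count]
        fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
        off += width * count
    return fields

def build_lnk(**strings):
    """Constructed test fixture: a minimal Unicode shortcut with no IDList or LinkInfo."""
    flags, body = IS_UNICODE, b""
    for key, bit in STRING_FIELDS:
        if key in strings:
            encoded = strings[key].encode("utf-16-le")
            flags |= bit
            body += struct.pack("<H", len(encoded) // 2) + encoded
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    return header + bytes(HEADER_SIZE - len(header)) + body   # remaining header bytes zeroed

if __name__ == "__main__":
    sample = build_lnk(name="Quarterly report", working_dir=r"%USERPROFILE%\Downloads",
                       relative_path=r"..\..\Windows\System32\notepad.exe", arguments="report.txt")
    for key, value in parse_lnk(sample).items():
        print(f"{key:14} {value}")
```

A real shortcut may carry its target only in the LinkTargetIDList, which this example skips over; exiftool walks that structure too, which is why it is handy for triage.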

@cR0w I've blocked .lnk on my SEG and web proxy. So far no complaints or tickets 1 year in. Of course they could be loaded other ways. I have a test EDR policy for .lnk creation in /Downloads/. That file type just sucks, but it's not like an .hta I can outright block system-wide.

I'm sure I'm forgetting other places I could limit .lnks. Open to ideas!

@badsamurai @cR0w Windows EDR logs, delete them all, why stop at ~/Downloads 

@badsamurai Ok, but joking aside, this gets me thinking about baselines again: For filetypes that are unlikely to be generated by users in weird places: if the org has decent application control & homogeneous clients, regularly generating an allow-list for non-sus folders might actually be feasible (especially if you have something like a super-client with all allowed software installed)?

Doing some quick testing on my personal Windows ... there aren't that many paths:

/Users/<username>/Desktop/
/Users/<username>/Links/
/Users/<username>/OneDrive/
a bunch of /Windows/
one /Program Files (x86)/<application>/ folder

Obviously will be more & more diverse in an actual org but might still be worth checking should one really want to restrict this as much as possible?
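
The baseline idea above, as an added example that is not part of the thread: sweep a known-good reference client for .lnk files, normalise each parent directory (account name replaced by <username>, anything under C:\Windows\ collapsed to that root, which is an assumption matching "a bunch of /Windows/"), and flag .lnk creation events whose directory is not at or below a baseline entry. Both path lists are constructed samples.

```python
import re
from pathlib import PureWindowsPath

# Account-specific segment of a profile path, so alice and bob share one baseline entry
USER_DIR = re.compile(r"^(?P<root>[a-z]:\\users\\)[^\\]+\\")
# Assumption: anything under these roots is collapsed to the root itself, since the
# thread only says "a bunch of /Windows/" rather than listing each folder
ROLLUP_PREFIXES = ("c:\\windows\\",)

def normalize_dir(lnk_path):
    """Lower-cased parent directory with a trailing backslash and <username> substituted."""
    parent = str(PureWindowsPath(lnk_path).parent).lower().rstrip("\\") + "\\"
    parent = USER_DIR.sub(lambda m: m.group("root") + "<username>\\", parent)
    for prefix in ROLLUP_PREFIXES:
        if parent.startswith(prefix):
            return prefix
    return parent

def build_baseline(reference_lnk_paths):
    """Directories where .lnk files legitimately live on a known-good reference client."""
    return sorted({normalize_dir(p) for p in reference_lnk_paths})

def unexpected_lnk(events, baseline):
    """Observed .lnk paths whose directory is neither a baseline entry nor below one."""
    return [p for p in events
            if not any(normalize_dir(p).startswith(b) for b in baseline)]

# Constructed sample: what a sweep of *.lnk on the "super-client" might return
REFERENCE = [
    r"C:\Users\alice\Desktop\Word.lnk",
    r"C:\Users\alice\Links\Downloads.lnk",
    r"C:\Users\alice\OneDrive\Notes.lnk",
    r"C:\Windows\System32\config\systemprofile\Desktop\Edge.lnk",
    r"C:\Program Files (x86)\ExampleApp\ExampleApp.lnk",
]
# Constructed sample: .lnk creation events from an EDR on a different user's machine
EVENTS = [
    r"C:\Users\bob\Desktop\Teams.lnk",
    r"C:\Users\bob\Downloads\invoice.lnk",
    r"C:\Users\bob\AppData\Local\Temp\7zO1A2\photo.lnk",
    r"C:\Program Files (x86)\ExampleApp\Uninstall.lnk",
    r"C:\Windows\Installer\{12345678-0000-0000-0000-000000000000}\App.lnk",
]

if __name__ == "__main__":
    for path in unexpected_lnk(EVENTS, build_baseline(REFERENCE)):
        print("unexpected .lnk location:", path)
```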

@nyanbinary Absolutely. Those dirs are also where I target automated hash lookups first since I have a small VT account.

@badsamurai We block them in email too. That's about it besides the occasional hunt for odd ones.

@badsamurai @cR0w While you're at it (I'm sure you've done this already), block .isos. That's a bigger hit in some cases, but it was a hot TTP for a while to put the LNK inside the iso to avoid MOTW and rules just like that.

@mttaggart @cR0w I feel like we (community we) don't share baseline bad extensions for SEGs often enough.

Maybe OpSec concerns? And not that org specific. There are some very common, but esoteric, file types no one wants to see cross dmarcs. I think the problem is these tools were often built and inherited many times over, where it's a default allow + block-list vs. default block + allow-list.

.scr .wsf .url .scf and the office docs with macros (.pptm .xlam etc) .onepkg .arj .cab .bin .theme ... Then double and triple extensions--regex block! It never ends.

Side note: I quarantine and alert on any .env .pem .key .kube .conf .tfvars .lic. I don't need AI to do $DLP basics.
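
The attachment policy sketched in the last three posts (default-block extension list, double and triple extensions, quarantine-and-alert for secrets), as an added example that is not from the thread or from any SEG product. The block-list here is a constructed subset of the extensions named above, the document-extension regex is an assumption about what "double and triple extensions" should catch, and the chain walk treats trailing dots and spaces the way Windows does (it drops them).

```python
import re

# Subset of the block-list posted in this thread; extend per org
BLOCK = {"lnk", "iso", "img", "vhd", "vhdx", "hta", "scr", "wsf", "url", "scf", "exe",
         "dll", "js", "jse", "vbs", "vbe", "cmd", "bat", "ps1", "msi", "jar", "chm",
         "rtf", "onepkg", "arj", "cab", "bin", "theme"}
MACRO_OFFICE = {"docm", "dotm", "xlsm", "xlam", "xltm", "pptm", "potm", "ppam", "sldm"}
# Quarantine-and-alert set from the thread (DLP basics, no AI required)
SENSITIVE = {"env", "pem", "key", "kube", "conf", "tfvars", "lic"}
# Benign-looking document extension immediately followed by another extension
DOUBLE_EXT = re.compile(r"\.(?:pdf|docx?|xlsx?|pptx?|txt|jpe?g|png|gif)\.[a-z0-9]{1,6}$", re.I)

def extension_chain(filename):
    """All extensions of a name, lower-cased, ignoring the trailing dots/spaces Windows drops."""
    parts = filename.strip().lower().split(".")
    return [p.strip() for p in parts[1:] if p.strip()]

def classify(filename):
    """Return (action, reasons): block, quarantine or deliver an attachment by its name."""
    chain = extension_chain(filename)
    if not chain:
        return "deliver", []
    hits = [e for e in chain if e in BLOCK or e in MACRO_OFFICE]
    if hits:                      # any blocked extension anywhere in the chain
        return "block", hits
    if DOUBLE_EXT.search(filename.strip()):
        return "block", ["double extension: ." + ".".join(chain)]
    sensitive = [e for e in chain if e in SENSITIVE]
    if sensitive:
        return "quarantine", sensitive
    return "deliver", []

if __name__ == "__main__":
    # Constructed attachment names covering each branch
    for name in ["Invoice.PDF.lnk", "setup.exe.", "report.pdf.zip", "Q3 numbers.xlsm",
                 ".env", "terraform.tfvars", "archive.tar.gz", "README"]:
        print(f"{name:20} -> {classify(name)}")
```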

@badsamurai @mttaggart Good point. I'll start:

386
3gr
add
ade
appcontent-ms
asp
bas
bat
cer
chm
class
cmd
cnt
com
cpl
crt
dbx
der
diagcab
dll
exe
fon
grp
hlp
hpj
hta
img
inf
ins
iso
isp
jar
jnlp
js
jse
lnk
mam
mcf
mdb
mde
mmc
msc
msh
msh1
msh1xml
msh2
msh2xml
mshxml
msi
msp
mst
msu
ocx
pcd
pif
pl
printerexport
ps1
ps1xml
ps2
ps2xml
psc1
psc2
psd1
psdm1
py
pyc
pyo
pyw
pyz
pyzw
rdp
reg
rtf
scf
scr
sct
settingcontent-ms
shb
shs
theme
url
vb
vbe
vbp
vbs
vhd
vhdx
vxd
website
ws
wsc
wsf
wsh
xbap
xll
xnk

@cR0w @mttaggart Rad. I'll add to this when I return to office tomorrow. Today is bamboo and cassette tape shopping.

@badsamurai @mttaggart Sounds good. I know you host a lot of lists like that on your GitHub. Want to add one for this there too?

@cR0w @mttaggart Done! I was only missing a few from yours. I made multiple commits to make the list diff easier.

https://github.com/BadSamuraiDev/bs-lists/blob/main/email-file-extensions.txt

@badsamurai @mttaggart Nice! Did you happen to see any on your list that weren't on mine? I can do a diff myself in a few if you didn't happen to notice.

@cR0w @mttaggart I did. We were, maybe not surprisingly, far off.

Only Mine:

jse
pyw
vb
wsh
xbap
xll
xnk

Only Yours:

mmc
rtf
vhdx

@badsamurai @mttaggart Thanks. Those should have been in my list already. I'll be curious if anyone else adds to it.

@cR0w @mttaggart Hopefully. I'm not a Mac person, so I know I have gaps there.

Here's the sensitive file list as well. I typically strip and deliver vs drop.

⚠️ This one may result in potentially embarrassing change controls for key/cred rotation.

https://github.com/BadSamuraiDev/bs-lists/blob/main/sensitive-file-extensions.txt

@cR0w @badsamurai @mttaggart
RTF can embed OLE?! wtf. Can anyone make a document format that can't execute code?

@FritzAdalis @badsamurai @mttaggart My txt docs are still good.

@cR0w @badsamurai @mttaggart
True, but text is the opposite of format.

@FritzAdalis @cR0w @mttaggart

Now ask me why I can't get .svg on there.

/me shakes fist like old man with kids on his lawn

@badsamurai @FritzAdalis @cR0w @mttaggart svg supports javascript, just saying...

@catsalad @FritzAdalis @cR0w @mttaggart But if I ban hammer .svg I will definitely hear from marketing, graphics and service desk.

I wish SEGs or email filters could simply strip the <script> block out of the SVG.
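
What that stripping could look like, as an added example (not from the thread or from any SEG): remove script elements, on* event-handler attributes and javascript: hrefs from an SVG while leaving the drawing intact, so marketing's logo still renders. It goes slightly beyond the post by also dropping foreignObject, which can wrap arbitrary HTML; the sample SVG is constructed.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# foreignObject is included as well: it can wrap arbitrary HTML, not just <script>
ACTIVE_ELEMENTS = {"script", "foreignobject"}

def _local(name):
    """Drop ElementTree's '{namespace}' prefix and lower-case the local name."""
    return name.rsplit("}", 1)[-1].lower()

def strip_active_content(svg_bytes):
    """Return (sanitised SVG text, list of what was removed)."""
    # For untrusted input in production, parse via defusedxml to resist entity bombs
    root = ET.fromstring(svg_bytes)
    parents = {child: parent for parent in root.iter() for child in parent}
    removed = []
    for el in list(root.iter()):           # snapshot: the tree is mutated while walking
        name = _local(el.tag)
        if name in ACTIVE_ELEMENTS:
            parent = parents.get(el)
            if parent is not None:
                parent.remove(el)
                removed.append("<" + name + ">")
            continue
        for attr in list(el.attrib):
            local = _local(attr)
            value = el.attrib[attr].strip().lower()
            if local.startswith("on"):                        # onload, onclick, ...
                del el.attrib[attr]
                removed.append("@" + local)
            elif local == "href" and value.startswith("javascript:"):  # href / xlink:href
                del el.attrib[attr]
                removed.append("@href=javascript:")
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(root, encoding="unicode"), removed

# Constructed sample: a logo with three kinds of active content, all harmless here
SAMPLE = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="alert('constructed')">
  <script>alert('constructed')</script>
  <a xlink:href="javascript:alert('constructed')"><text x="10" y="20">logo</text></a>
  <rect width="10" height="10" fill="blue"/>
</svg>"""

if __name__ == "__main__":
    cleaned, removed = strip_active_content(SAMPLE)
    print(removed, cleaned, sep="\n")
```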

@catsalad When you say "supports JavaScript", are you just saying "can be manipulated through JavaScript" or "JavaScript can be embedded directly into the .svg file"?

@me Javascript right in the svg file 👍

@catsalad @me
SVG standard includes JS embedding since … ages.

@catsalad This is why we can't have nice things...

@badsamurai @cR0w @mttaggart
We have seen lots of drop-loaded .tmp-named files that were DLLs or EXEs, also an occasional .gif

Granted, those had to be explicitly executed/called, but the client's AV had not complained…

@badsamurai @cR0w I did a software execution block on mshta.exe as well. Have yet to encounter any production breaking bugs with that one in place. I have seen "annoyances" in some applications and triggers. As always, test and YMMV.