Unit42 published a pretty decent write-up on malicious lnk files. It includes IOCs for the specific lnk files referenced in the post, but the concepts themselves are more important than the IOCs.

https://unit42.paloaltonetworks.com/lnk-malware/

Windows Shortcut (LNK) Malware Strategies

Our telemetry shows a surge in Windows shortcut (LNK) malware use. We explain how attackers exploit LNK files for malware delivery.

Unit 42

@cR0w I've blocked .lnk on my SEG and web proxy. So far no complaints or tickets 1 year in. Of course they could be loaded other ways... I have a test EDR policy for .lnk creation in /Downloads/. That file type just sucks, but it's not like an .hta I can outright block system-wide.

I'm sure I'm forgetting other places I could limit .lnks. Open to ideas!

@badsamurai @cR0w While you're at it (I'm sure you've done this already), block .isos. That's a bigger hit in some cases, but it was a hot TTP for a while to put the LNK inside the iso to avoid MOTW and rules just like that.
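The two posts above make the same point from different angles: a shortcut blocked by its .lnk extension still arrives renamed, or wrapped in an ISO that never gets Mark-of-the-Web. Content sniffing closes part of that gap. The following is an added example (not code from the thread, Unit 42 or the linked lists) that identifies a Shell Link by its fixed header (HeaderSize 0x4C plus the LinkCLSID from MS-SHLLINK), spots an ISO 9660 image by its primary volume descriptor, scans any blob for embedded LNK headers, and decodes the header fields that LNK triage usually looks at. The sample shortcut and "ISO" are constructed in the block and are header-only, not real files; the triage rules are heuristics, not signatures.

```python
import struct
import uuid

# Every Shell Link file (MS-SHLLINK) starts with HeaderSize 0x4C followed by
# this CLSID; checking both is a far better test than the .lnk extension.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
LNK_MAGIC = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID.bytes_le

# LinkFlags bits (MS-SHLLINK 2.1.1), the subset used for triage below
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# ShowCommand values the spec allows for the target window
SW_SHOWNORMAL = 1
SW_SHOWMAXIMIZED = 3
SW_SHOWMINNOACTIVE = 7  # start minimised, no focus: hides a console window


def is_lnk(data: bytes) -> bool:
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def is_iso9660(data: bytes) -> bool:
    # The Primary Volume Descriptor sits at 0x8000: type byte 1 then "CD001"
    return data[0x8000:0x8006] == b"\x01CD001"


def identify(data: bytes) -> str:
    """Type by content, ignoring whatever extension the sender chose."""
    if is_lnk(data):
        return "lnk"
    if is_iso9660(data):
        return "iso9660"
    return "other"


def find_embedded_lnks(data: bytes) -> list[int]:
    """Offsets of LNK headers anywhere in a blob (ISO, VHD, stored zip entries).

    ISO 9660 keeps file contents uncompressed, so a shortcut dropped into an
    image is found by signature without parsing the filesystem at all.
    """
    offsets, pos = [], data.find(LNK_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(LNK_MAGIC, pos + 1)
    return offsets


def lnk_header(data: bytes) -> dict:
    """Decode the fixed 76-byte ShellLinkHeader fields that matter for triage."""
    if not is_lnk(data) or len(data) < LNK_HEADER_SIZE:
        raise ValueError("not a Shell Link header")
    flags, attrs = struct.unpack_from("<II", data, 20)   # LinkFlags, FileAttributes
    show_cmd = struct.unpack_from("<I", data, 60)[0]     # ShowCommand
    return {"link_flags": flags, "file_attributes": attrs, "show_command": show_cmd}


def triage_lnk(data: bytes) -> list[str]:
    """Heuristic findings; none is proof on its own, together they earn a closer look."""
    h = lnk_header(data)
    findings = []
    if h["link_flags"] & HAS_ARGUMENTS:
        findings.append("has command-line arguments")
    if h["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window starts minimised (SW_SHOWMINNOACTIVE)")
    if h["link_flags"] & HAS_ICON_LOCATION:
        findings.append("custom icon location (document look-alike?)")
    return findings


def build_sample_lnk(flags: int, show_cmd: int) -> bytes:
    """Constructed header-only shortcut for this example; not a usable file."""
    fixed = struct.pack("<I16sII", LNK_HEADER_SIZE, LNK_CLSID.bytes_le, flags, 0x20)
    times = b"\x00" * 24                                   # Creation/Access/Write FILETIMEs
    tail = struct.pack("<iiIHHII", 0, 0, show_cmd, 0, 0, 0, 0)  # FileSize..Reserved3
    return fixed + times + tail


def build_sample_iso(lnk: bytes) -> bytes:
    """Constructed blob with an ISO 9660 PVD signature at 0x8000 and the LNK at 0x9000.
    Not a mountable image, just enough for the signature scan."""
    blob = bytearray(0xA000)
    blob[0x8000:0x8006] = b"\x01CD001"
    blob[0x9000:0x9000 + len(lnk)] = lnk
    return bytes(blob)


if __name__ == "__main__":
    evil = build_sample_lnk(HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE, SW_SHOWMINNOACTIVE)
    image = build_sample_iso(evil)
    print(identify(evil), triage_lnk(evil))
    print(identify(image), [hex(o) for o in find_embedded_lnks(image)])
```

Run this over everything that lands in a mail quarantine or a Downloads folder, not only over files with a matching extension; the signature scan is also a cheap first pass over disk images before handing them to a proper ISO/VHD parser.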

@mttaggart @cR0w I feel like we (community we) don't share baseline bad extensions for SEGs often enough.

Maybe OpSec concerns? And not that org specific. There are some very common, but esoteric, file types no one wants to see cross dmarcs. I think the problem is that these tools were often built and inherited many times over, where it's a default allow + block-list vs default block + allow-list.

.scr .wsf .url .scf and the office docs with macros (.pptm .xlam etc) .onepkg .arj .cab .bin .theme ... Then double and triple extensions--regex block! It never ends.

Side note I quarantine and alert on any .env .pem .key .kube .conf .tfvars .lic. I don't need AI to do $DLP basics.
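The post above describes three layers in one breath: a block-list of executable extensions, a regex for double and triple extensions, and a quarantine rule for secrets. As an added example (not code from the thread or the linked bs-lists repo), the following implements that decision in one place and also handles the renaming tricks a plain extension match misses: trailing dots and spaces that Windows silently drops, full-width dots, and the right-to-left override character. The extension sets are a constructed subset of what the thread lists; the decoy rule, which blocks any name where a document-looking extension is followed by another one, is the aggressive policy choice and is marked as such.

```python
import re
import unicodedata

# Constructed subset of the thread's block-list (the full list lives in the
# bs-lists repo linked later). Compared lowercased, without the leading dot.
BLOCKED_EXTENSIONS = {
    "lnk", "iso", "img", "vhd", "vhdx", "hta", "js", "jse", "vbs", "vbe",
    "wsf", "wsh", "scr", "pif", "url", "scf", "cpl", "exe", "dll", "msi",
    "ps1", "bat", "cmd", "com", "pptm", "xlam", "docm", "xlsm", "onepkg",
    "arj", "cab", "bin", "theme", "xll", "xbap",
}

# Not executable, but secrets: quarantine and alert rather than silently drop.
SENSITIVE_EXTENSIONS = {"env", "pem", "key", "kube", "conf", "tfvars", "lic"}

# Benign-looking types attackers put in front of the real extension
# (invoice.pdf.lnk, photo.jpg.exe). Policy choice: anything that follows
# one of these is blocked, which also catches invoice.pdf.zip.
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg",
                    "png", "txt", "zip"}


def normalize_name(name: str) -> str:
    """Fold the name to what Windows would actually open.

    NFKC turns full-width dots and letters into ASCII; Unicode format
    characters (category Cf, which includes the RTLO override U+202E) are
    dropped; trailing dots and spaces go because Windows ignores them.
    """
    name = unicodedata.normalize("NFKC", name)
    name = "".join(ch for ch in name if unicodedata.category(ch) != "Cf")
    return name.rstrip(" .").lower()


def extensions_of(name: str) -> list[str]:
    """Every extension segment after the base name: 'a.pdf.lnk' -> ['pdf', 'lnk'].
    A leading dot ('.env') is not a base name, so '.env' -> ['env']."""
    parts = normalize_name(name).split(".")
    return [p for p in parts[1:] if p]


def classify_attachment(name: str) -> str:
    """Return 'block', 'quarantine' or 'allow' for one attachment name.

    Only the explicit block-list logic lives here; default-deny of anything
    not on an allow-list is a separate layer in front of it.
    """
    exts = extensions_of(name)
    if not exts:
        return "block"  # no extension at all: nothing to allow-list, deny
    last = exts[-1]
    if last in BLOCKED_EXTENSIONS:
        return "block"
    if last in SENSITIVE_EXTENSIONS:
        return "quarantine"
    # Double/triple extensions: a decoy or blocked type anywhere before the
    # final extension means the name was built to mislead the reader.
    if any(e in DECOY_EXTENSIONS or e in BLOCKED_EXTENSIONS for e in exts[:-1]):
        return "block"
    return "allow"


def double_extension_regex() -> str:
    """The same decoy rule as a regex, for a SEG that only takes patterns.
    Apply it to the normalized name."""
    decoys = "|".join(sorted(re.escape(e) for e in DECOY_EXTENSIONS))
    return rf"\.(?:{decoys})\.[a-z0-9]{{1,10}}$"


def matches_double_extension(name: str) -> bool:
    return re.search(double_extension_regex(), normalize_name(name)) is not None


if __name__ == "__main__":
    for n in ["invoice.pdf.lnk", "Q3 Report.docx", "evil.LNK . ", "prod.env",
              "backup.tar.gz", "annex\u202etxt.lnk", "evil\uff0elnk", "README"]:
        print(f"{n!r:24} -> {classify_attachment(n)}")
```

The normalization step is the part most SEG rules skip: a regex on the raw name never sees that "evil.LNK . " is opened as evil.lnk, and never sees through an RTLO override. Keep the sets in version control next to the lists the thread links, so the diff history shows who added what and when.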

@badsamurai @mttaggart Good point. I'll start:

386
3gr
add
ade
appcontent-ms
asp
bas
bat
cer
chm
class
cmd
cnt
com
cpl
crt
dbx
der
diagcab
dll
exe
fon
grp
hlp
hpj
hta
img
inf
ins
iso
isp
jar
jnlp
js
jse
lnk
mam
mcf
mdb
mde
mmc
msc
msh
msh1
msh1xml
msh2
msh2xml
mshxml
msi
msp
mst
msu
ocx
pcd
pif
pl
printerexport
ps1
ps1xml
ps2
ps2xml
psc1
psc2
psd1
psdm1
py
pyc
pyo
pyw
pyz
pyzw
rdp
reg
rtf
scf
scr
sct
settingcontent-ms
shb
shs
theme
url
vb
vbe
vbp
vbs
vhd
vhdx
vxd
website
ws
wsc
wsf
wsh
xbap
xll
xnk

@cR0w @mttaggart Rad. I'll add to this when I return to office tomorrow. Today is bamboo and cassette tape shopping.

@badsamurai @mttaggart Sounds good. I know you host a lot of lists like that on your GitHub. Want to add one for this there too?

@cR0w @mttaggart Done! I was only missing a few from yours. I made multiple commits to make the list diff easier.

https://github.com/BadSamuraiDev/bs-lists/blob/main/email-file-extensions.txt

bs-lists/email-file-extensions.txt at main · BadSamuraiDev/bs-lists

Cybersecurity lists of TLDs, domains and URLs for threat hunting and posture policy (warn or block) - BadSamuraiDev/bs-lists

@badsamurai @mttaggart Nice! Did you happen to see any on your list that weren't on mine? I can do a diff myself in a few if you didn't happen to notice.

@cR0w @mttaggart I did. We were, maybe not surprisingly, far off.

Only Mine:

jse
pyw
vb
wsh
xbap
xll
xnk

Only Yours:

mmc
rtf
vhdx

@badsamurai @mttaggart Thanks. Those should have been in my list already. I'll be curious if anyone else adds to it.

@cR0w @mttaggart Hopefully. I'm not a Mac person, so I know I have gaps there.

Here's the sensitive file list as well. I typically strip and deliver vs drop.

⚠️ This one may result in potentially embarrassing change controls for key/cred rotation.

https://github.com/BadSamuraiDev/bs-lists/blob/main/sensitive-file-extensions.txt

bs-lists/sensitive-file-extensions.txt at main · BadSamuraiDev/bs-lists

@cR0w @badsamurai @mttaggart
RTF can embed OLE?! wtf. Can anyone make a document format that can't execute code?

@FritzAdalis @badsamurai @mttaggart My txt docs are still good.

@cR0w @badsamurai @mttaggart
True, but text is the opposite of format.

@FritzAdalis @cR0w @mttaggart

Now ask me why I can't get .svg on there.

/me shakes fist like old man with kids on his lawn

@badsamurai @FritzAdalis @cR0w @mttaggart svg supports javascript, just saying..

@catsalad @FritzAdalis @cR0w @mttaggart But if I ban hammer .svg I will definitely hear from marketing, graphics and service desk.

I wish SEGs or email filters could simply strip the <script> block out of the SVG.
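The wish above is implementable at the SEG or at an upload handler: parse the SVG as XML, drop the nodes that carry script, and deliver the rest. The following is an added example (not code from the thread, any SEG vendor, or a library) that removes script and foreignObject elements, every on* event-handler attribute, and href/xlink:href values that use the javascript: or vbscript: scheme, and reports what it removed so the user can be told. The sample SVG is constructed inline. It is a targeted strip of the obvious script carriers, not a complete sanitizer: animate/set elements can still rewrite attributes, style blocks and external use references are left alone, and for untrusted XML in production parse with defusedxml rather than xml.etree directly.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
XHTML_NS = "http://www.w3.org/1999/xhtml"
ET.register_namespace("", SVG_NS)       # serialize back with a default xmlns
ET.register_namespace("xlink", XLINK_NS)

# Elements that carry script or arbitrary HTML. Bare names are included in
# case the file omits the namespace declaration.
REMOVE_ELEMENTS = {
    f"{{{SVG_NS}}}script", f"{{{XHTML_NS}}}script", "script",
    f"{{{SVG_NS}}}foreignObject", "foreignObject",
}
HREF_ATTRS = {"href", f"{{{XLINK_NS}}}href"}
BAD_SCHEME = re.compile(r"^\s*(?:javascript|vbscript)\s*:", re.I)


def _local(qname: str) -> str:
    """'{ns}tag' -> 'tag'"""
    return qname.rsplit("}", 1)[-1]


def strip_active_content(svg: bytes) -> tuple[bytes, list[str]]:
    """Return (cleaned SVG bytes, list of what was removed)."""
    root = ET.fromstring(svg)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    # ElementTree has no parent pointers, so build the map once up front.
    parents = {child: parent for parent in root.iter() for child in parent}
    removed: list[str] = []
    for el in list(root.iter()):          # snapshot: the tree is edited below
        tag = _local(el.tag)
        if el.tag in REMOVE_ELEMENTS:
            parents[el].remove(el)        # root is <svg>, so it is never here
            removed.append(f"element <{tag}>")
            continue
        for attr in list(el.attrib):
            name = _local(attr)
            if name.lower().startswith("on"):           # onclick, onload, ...
                del el.attrib[attr]
                removed.append(f"attribute {name} on <{tag}>")
            elif attr in HREF_ATTRS and BAD_SCHEME.match(el.attrib[attr]):
                del el.attrib[attr]
                removed.append(f"attribute {name} on <{tag}>")
    return ET.tostring(root, encoding="utf-8"), removed


# Constructed sample: one script element, one event handler, one javascript:
# link, plus a normal link and an inline data: image that must survive.
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
  <script>alert(document.domain)</script>
  <circle cx="50" cy="50" r="40" fill="red" onclick="alert(1)"/>
  <a xlink:href="javascript:alert(2)"><text x="10" y="20">click</text></a>
  <a href="https://example.com/"><text x="10" y="40">fine</text></a>
  <image href="data:image/png;base64,iVBORw0KGgo=" width="1" height="1"/>
</svg>"""


if __name__ == "__main__":
    cleaned, what = strip_active_content(SAMPLE_SVG)
    print("\n".join(what))
    print(cleaned.decode())
```

Deliver the cleaned file and attach the removal list to the alert, not to the recipient; marketing's SVG export almost never contains a script element, so a non-empty list is itself a useful signal.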

@catsalad When you say "supports JavaScript", are you just saying "can be manipulated through JavaScript" or "JavaScript can be embedded directly into the .svg file"?

@me Javascript right in the svg file 👍

@catsalad @me
SVG standard includes JS embedding since … ages.

@catsalad This is why we can't have nice things...

@badsamurai @cR0w @mttaggart
We have seen lots of drop-loaded .tmp-named files that were DLLs or EXEs, also an occasional .gif

Granted, those had to be explicitly executed/called, but the client's AV had not complained…