Most people love shortcuts — they make things faster and easier. This common passion is behind a lot of the conveniences we experience on a daily basis. Shortcuts have shaped modern computing as well, and the Windows shortcut is one of the most widely used examples. Attackers also favor shortcuts, using them to help maintain persistence on a compromised machine through an attack technique known as shortcut modification. This technique is one of the many listed in the MITRE ATT&CK matrix.
This article will detail this attack technique and will explore the MITRE ATT&CK matrix, shortcut modification, how shortcut modification works, mitigation, detection and some real-world examples of this attack technique.
What is MITRE ATT&CK?
MITRE is a not-for-profit corporation dedicated to solving problems for a safer world. Beginning as a systems engineering company in 1958, MITRE has added new technical and organization capabilities to its knowledge base — including cybersecurity.
To this end, MITRE released the MITRE ATT&CK matrix as a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. This information can then serve as the foundation for developing threat models and methodologies in the cybersecurity product and service community, the private sector and government.
More information on the MITRE ATT&CK matrix can be found on the MITRE ATT&CK website.
What is shortcut modification?
Shortcuts, also known as symbolic links, are a feature of operating systems that allows one file to reference another file, application or program. When a shortcut is clicked, or executed during system startup, the referenced item is opened (if a file) or executed (if an application or program). Attackers use this built-in behavior during persistence by executing attack tools through it. The motivation for this attack technique is not so much laziness as it is aiding the persistence phase of an attack.
What is persistence?
Persistence refers to techniques that attackers use to maintain their foothold on a compromised system. System restarts, changed credentials and other interruptions could mean loss of the access they worked so hard to gain. These techniques are often invaluable to attackers and may make the difference in the success of an attack campaign.
How does shortcut modification work?
There are different ways that attackers can use shortcut modification, but they fall into two general classes. In the first, attackers replace existing shortcuts so that when the shortcut is used, the malicious program is executed instead. In the second, attackers simply create new shortcuts that look like legitimate programs but execute a malicious program instead; this is referred to as masquerading.
Zeroing in on what is actually seen in the real world, attackers more often than not use the startup process to execute a malicious shortcut, known on Windows systems as a .LNK file. An interesting aspect of this technique is that it is not always used exclusively to execute malicious programs: sometimes (as will be explored later) attackers add Registry Run keys to further persistence, or they use shortcut modification to gather user credentials as part of forced authentication.
Real-world examples
Helminth
Helminth is a script-based backdoor that attackers have been using to establish persistence. The Clayslide attack campaign was known to use Helminth in 2016 to attack Saudi Arabian financial firms. Helminth was observed using a “Certificate Management.lnk” shortcut displayed with a “Certificate.ico” file as its icon. This shortcut would run whenever the compromised system started, thereby maintaining persistence even after a system restart.
DarkHotel
DarkHotel is an attack group that has been reported to use the shortcut modification technique frequently. In one of its campaigns, DarkHotel used spearphishing to get users to download an infected JPG image. When the user opened the infected JPG, the code dropped a suspicious mspaint.lnk shortcut on the compromised system’s disk and launched it. The shortcut’s target was a malicious multiline shell script which, in turn, executed a large compiled malicious executable.
Dragonfly 2.0
Also known as Berserk Bear, this suspected Russia-based attack group is known to use a variant of the shortcut modification methods listed above. Dragonfly 2.0 is known to set a shortcut’s icon path to an attacker-controlled remote server. When the icon is clicked, Windows tries to load the icon and begins an SMB authentication session that passes the user’s active credentials over this SMB connection.
Another attack group uses malware that can create malicious .lnk files on a compromised system. It has been observed going a step further by adding a Registry Run key for some extra persistence.
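The traits described above (a shortcut whose target is a dropped executable or a script host, and a shortcut whose icon points at a remote server so that rendering it triggers SMB authentication) can all be read straight out of a .lnk file. The following is an added example, not code from the original article or from any of the groups described: a minimal parser for the Shell Link binary format that extracts the target path, arguments and icon location, plus a small triage rule set. The `build_lnk` helper exists only to produce constructed sample input; the allowlists, directory names and the 203.0.113.5 address are assumptions chosen for illustration.

```python
"""Inspect Windows shortcut (.lnk) files for the traits discussed in the article."""
import glob
import os
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")  # ShellLinkHeader CLSID
# LinkFlags bits from the ShellLinkHeader
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))


def parse_lnk(data: bytes) -> dict:
    """Return the fields a defender cares about: resolved target, arguments, icon location."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C \
            or uuid.UUID(bytes_le=bytes(data[4:20])) != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    fields = {"local_base_path": None, **{name: None for _, name in STRING_FIELDS}}
    if flags & HAS_ID_LIST:              # skip the LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:            # LinkInfo carries the resolved local path
        info_size, _hdr, info_flags, _vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if info_flags & 0x1:             # VolumeIDAndLocalBasePath flag set
            start = pos + base_off
            fields["local_base_path"] = data[start:data.index(b"\x00", start)].decode("latin-1")
        pos += info_size
    for bit, name in STRING_FIELDS:      # StringData: uint16 CountCharacters followed by chars
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += count * width
    return fields


# Assumed triage rules: script hosts that rarely belong in a Startup shortcut, and
# directories an unprivileged user can write to.
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def triage_lnk(fields: dict) -> list:
    """Apply the rules and return human-readable findings (empty list means nothing notable)."""
    findings = []
    target = (fields["local_base_path"] or fields["relative_path"] or "").lower()
    icon = fields["icon_location"] or ""
    args = fields["arguments"] or ""
    if icon.startswith("\\\\"):
        findings.append("icon location is a UNC path: rendering the icon starts SMB authentication to a remote host")
    if target.rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
        findings.append("target is a script host: " + target.rsplit("\\", 1)[-1])
    if any(seg in target for seg in USER_WRITABLE):
        findings.append("target resides in a user-writable directory")
    if len(args) > 200 or "\n" in args:
        findings.append("unusually long or multi-line argument string")
    return findings


def build_lnk(target: str, arguments: str = "", icon_location: str = "") -> bytes:
    """Construct a minimal Shell Link; used here only to create constructed sample input."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGS if arguments else 0) | (HAS_ICON if icon_location else 0)
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID.bytes_le, flags).ljust(0x4C, b"\x00")
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"   # fixed disk, empty label
    base = target.encode("latin-1") + b"\x00"
    body = volume_id + base + b"\x00"                                # trailing empty CommonPathSuffix
    info = struct.pack("<IIIIIII", 0x1C + len(body), 0x1C, 0x1, 0x1C, 0x1C + len(volume_id),
                       0, 0x1C + len(volume_id) + len(base)) + body

    def sd(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + info + (sd(arguments) if arguments else b"") + (sd(icon_location) if icon_location else b"")


STARTUP_GLOBS = (r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk",
                 r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp\*.lnk")


def scan_startup_folders() -> dict:
    """Parse and triage every .lnk in the per-user and all-users Startup folders (Windows only)."""
    report = {}
    for pattern in STARTUP_GLOBS:
        for path in glob.glob(os.path.expandvars(pattern)):
            with open(path, "rb") as fh:
                try:
                    report[path] = triage_lnk(parse_lnk(fh.read()))
                except ValueError as exc:
                    report[path] = [str(exc)]
    return report


if __name__ == "__main__":
    # Constructed sample mirroring the remote-icon case described for Dragonfly 2.0
    sample = build_lnk(r"C:\Windows\System32\mspaint.exe", icon_location=r"\\203.0.113.5\share\app.ico")
    print(triage_lnk(parse_lnk(sample)))
    for path, findings in scan_startup_folders().items():
        print(path, findings or "clean")
```

The parser deliberately reads only the header, LinkInfo and StringData sections; shortcuts that carry an ITEMIDLIST but no LinkInfo will report `local_base_path` as `None`, so the triage falls back to the relative path. Run it on a Windows host to walk both Startup folders, or feed `parse_lnk` bytes collected from an image during forensics.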
Mitigation
MITRE recommends a mitigation approach focused on user account management. The permission to create shortcuts should be limited to administrators and other necessary groups within the organization. This can be accomplished with a GPO setting at: Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → User Rights Assignment: Create symbolic links.
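The GPO setting above maps to the SeCreateSymbolicLinkPrivilege user right, which can be audited on each host rather than assumed from policy. The following is an added example, not code from the article or from MITRE: it parses the INI-style output of `secedit /export` and reports any holder of that right beyond an approved set. The policy text embedded below is constructed, and the S-1-5-21 SID in it is made up; the only real identifier is the well-known SID for BUILTIN\Administrators.

```python
"""Audit who holds the 'Create symbolic links' user right on a Windows host."""
import os
import subprocess
import tempfile

RIGHT = "SeCreateSymbolicLinkPrivilege"
APPROVED = {"*S-1-5-32-544"}   # BUILTIN\Administrators (well-known SID); extend per organization

# Constructed secedit export; the S-1-5-21 SID is a made-up domain group
SAMPLE_POLICY = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeCreateSymbolicLinkPrivilege = *S-1-5-32-544,*S-1-5-21-1004336348-1177238915-682003330-1105
[Version]
signature="$CHICAGO$"
Revision=1
"""


def privilege_rights(policy_text: str) -> dict:
    """Return {right_name: [holder SIDs]} from the [Privilege Rights] section of a secedit export."""
    rights, in_section = {}, False
    for line in policy_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line == "[Privilege Rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return rights


def excess_holders(policy_text: str, approved=APPROVED) -> list:
    """SIDs that hold the symbolic-link right but are not on the approved list."""
    return sorted(set(privilege_rights(policy_text).get(RIGHT, [])) - approved)


def export_live_policy() -> str:
    """Windows only: dump the effective local policy with secedit (requires an elevated shell)."""
    path = os.path.join(tempfile.gettempdir(), "secpol_export.inf")
    subprocess.run(["secedit", "/export", "/cfg", path, "/areas", "USER_RIGHTS"], check=True)
    with open(path, encoding="utf-16") as fh:   # secedit writes UTF-16 text
        return fh.read()


if __name__ == "__main__":
    print("sample export, unapproved holders:", excess_holders(SAMPLE_POLICY))
    if os.name == "nt":
        print("this host, unapproved holders:", excess_holders(export_live_policy()))
```

An empty result means the right is held only by the approved group; anything else should be reconciled against the GPO. Hosts with legitimate extra holders (Hyper-V adds a virtual-machine SID, for instance) belong in the approved set rather than in a suppression rule.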
Detection
There is only one way to detect this attack technique: correlating shortcut file changes (and creation events) with potentially malicious events or other known adversary behaviors. The most telling behavioral event is the launch of an unknown executable process that establishes network connections.
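The correlation the article describes can be expressed as a small rule set over endpoint telemetry. The following is an added example, not code from the article: it consumes Sysmon-style events (EventID 11 file creation, 1 process creation, 3 network connection), flags .lnk files written into a Startup folder, flags processes outside an allowlist that make outbound connections, and raises a combined alert when both appear on the same host. The field names follow Sysmon, but the log lines, hostnames, the allowlist and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed for illustration.

```python
"""Correlate Startup-folder shortcut creation with unknown processes that talk to the network."""
import json

STARTUP_MARKER = "\\start menu\\programs\\startup\\"
# Constructed allowlist of images expected to make network connections
KNOWN_IMAGES = {r"c:\program files\contoso\app.exe", r"c:\windows\system32\svchost.exe"}

# Constructed sample log (one JSON object per line); the .lnk name is the one the article cites
SAMPLE_LOG = r"""
{"EventID": 11, "Host": "WS01", "UtcTime": "2024-03-01 08:00:05", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Certificate Management.lnk"}
{"EventID": 1, "Host": "WS01", "UtcTime": "2024-03-02 07:31:10", "Image": "C:\\Users\\alice\\AppData\\Roaming\\certmgr.exe", "ProcessGuid": "{guid-1}", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 3, "Host": "WS01", "UtcTime": "2024-03-02 07:31:12", "Image": "C:\\Users\\alice\\AppData\\Roaming\\certmgr.exe", "ProcessGuid": "{guid-1}", "DestinationIp": "203.0.113.5", "DestinationPort": 443}
{"EventID": 1, "Host": "WS02", "UtcTime": "2024-03-02 07:40:00", "Image": "C:\\Program Files\\Contoso\\app.exe", "ProcessGuid": "{guid-2}", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 3, "Host": "WS02", "UtcTime": "2024-03-02 07:40:03", "Image": "C:\\Program Files\\Contoso\\app.exe", "ProcessGuid": "{guid-2}", "DestinationIp": "198.51.100.7", "DestinationPort": 443}
{"EventID": 11, "Host": "WS02", "UtcTime": "2024-03-02 09:00:00", "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Notes.lnk"}
"""


def parse_events(text: str) -> list:
    """Decode JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def correlate(events: list) -> list:
    """Return alerts; a 'shortcut_persistence_chain' alert ties a dropped Startup .lnk to
    an unknown networked process on the same host."""
    alerts = []
    drops = {}    # host -> Startup .lnk creation events
    procs = {}    # (host, ProcessGuid) -> process-create event
    net = set()   # (host, ProcessGuid) that made at least one connection
    for ev in events:
        host = ev["Host"]
        if ev["EventID"] == 11:
            name = ev["TargetFilename"].lower()
            if name.endswith(".lnk") and STARTUP_MARKER in name:
                drops.setdefault(host, []).append(ev)
        elif ev["EventID"] == 1:
            procs[(host, ev["ProcessGuid"])] = ev
        elif ev["EventID"] == 3:
            net.add((host, ev["ProcessGuid"]))

    # Rule 1: a shortcut written into a Startup folder. A user doing it through Explorer is
    # routine (low); any other writer is how a dropper plants persistence (high).
    for host, evs in drops.items():
        for ev in evs:
            severity = "low" if ev["Image"].lower().endswith("\\explorer.exe") else "high"
            alerts.append({"rule": "startup_lnk_created", "severity": severity, "host": host,
                           "creator": ev["Image"], "file": ev["TargetFilename"]})

    # Rule 2: an image outside the allowlist that establishes a network connection.
    unknown_net = {}
    for (host, guid), ev in procs.items():
        if (host, guid) in net and ev["Image"].lower() not in KNOWN_IMAGES:
            unknown_net[host] = ev
            alerts.append({"rule": "unknown_process_network", "severity": "medium",
                           "host": host, "image": ev["Image"]})

    # Rule 3: both signals on one host are the persistence chain the article describes.
    for host, ev in unknown_net.items():
        if any(a["rule"] == "startup_lnk_created" and a["severity"] == "high" and a["host"] == host
               for a in alerts):
            alerts.append({"rule": "shortcut_persistence_chain", "severity": "critical",
                           "host": host, "image": ev["Image"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_LOG)):
        print(alert["severity"].upper(), alert["host"], alert["rule"])
```

On the sample, WS01 produces the full chain (a non-Explorer process writes a Startup shortcut, and after the next logon an executable from the user's profile connects out), while WS02 yields only a low-severity note for a shortcut the user created. In production the allowlist would be generated from software inventory, and the .lnk creation event would be enriched with the parsed target so the two rules can be joined on the executable rather than only on the host.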
Conclusion
Attackers have many techniques that further persistence, and chief among them is shortcut modification. This technique takes advantage of shortcuts by referencing a malicious executable or malicious server whenever a user opens a shortcut or starts their system. Some attack groups have gone a few steps further and can steal credentials or add a malicious Registry Run key to further establish persistence.