Will Dormann on Nostr: The Elastic blog post admits that signature-based detection on LNK files is ...
The Elastic blog post admits that signature-based detection on LNK files is difficult.
A simple Python script to detect abusers of this LNK vulnerability was created by Joe Desimone (npub1thw…kg88), but it is fragile in that it relies on pylnk3 being able to parse the LNK file without error to be successful.
Out of a set of about 2000 LNK files, lnk_stomping.py fails to analyze about 1400 of them due to errors thrown by pylnk3 (e.g. year out of scope, drive as second element required, utf-8 decode error, struct unpack error).
Out of a set of about 1200 LNK files that abuse the "pathsegment" variant of LNK Stomping, lnk_stomping.py detects 13 of them.
So yeah, lnk_stomping.py is better than nothing. But if you're statically looking at LNK files to see if they are abusing LNK Stomping, you might be better off using exiftool and looking for one of:
1) "Target File DOS Name" has a '\' in it
2) "Target File DOS Name" ends with a '.'
3) "Relative Path" begins with ".\"
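As an added example (not part of the post, and not Joe Desimone's lnk_stomping.py or anything from the Elastic write-up), here are the three checks above implemented over a minimal parse of only the LNK structures they touch, with a builder for constructed sample files. It assumes the "Target File DOS Name" exiftool reports is the primary name of each FileEntry shell item in the LinkTargetIDList and that "Relative Path" is the RELATIVE_PATH StringData field; because only those fields are read, the timestamp and drive-letter checks that trip pylnk3 are never exercised, but this is not a full MS-SHLLINK parser.

```python
import struct

HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH, IS_UNICODE = 0x01, 0x02, 0x04, 0x08, 0x80  # LinkFlags

def parse_lnk(data):
    """Return (dos_names, relative_path) from raw .lnk bytes; only the fields the checks need are read."""
    flags = struct.unpack_from("<I", data, 20)[0]
    pos, dos_names, rel_path = 76, [], ""                   # ShellLinkHeader is a fixed 76 bytes
    if flags & HAS_ID_LIST:
        pos, end = pos + 2, pos + 2 + struct.unpack_from("<H", data, pos)[0]
        while pos + 2 <= end and (item_size := struct.unpack_from("<H", data, pos)[0]) >= 2:
            item = data[pos + 2:pos + item_size]
            if len(item) > 12 and (item[0] & 0x70) == 0x30:  # FileEntry shell item
                raw = item[12:]        # after type, unknown, size(4), FAT date(4), attrs(2)
                text = raw.decode("utf-16le", "ignore") if item[0] & 0x04 else raw.decode("latin-1")
                dos_names.append(text.split("\x00")[0])     # primary (8.3 / DOS) name is NUL-terminated
            pos += item_size
        pos = end
    if flags & HAS_LINK_INFO:                               # LinkInfo begins with its own total size
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    for bit in (HAS_NAME, HAS_REL_PATH):                    # StringData: NAME_STRING precedes RELATIVE_PATH
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            pos += 2 + len(raw)
            if bit == HAS_REL_PATH:
                rel_path = raw.decode("utf-16le" if width == 2 else "latin-1", "ignore")
    return dos_names, rel_path

RULES = {  # the three exiftool checks from the post, applied to the same fields
    "dos_name_contains_backslash": lambda names, rel: any("\\" in n for n in names),
    "dos_name_ends_with_dot": lambda names, rel: any(n.endswith(".") for n in names),
    "relative_path_starts_with_dot_backslash": lambda names, rel: rel.startswith(".\\"),
}
def lnk_stomping_indicators(data):
    names, rel = parse_lnk(data)
    return [name for name, rule in RULES.items() if rule(names, rel)]

def build_lnk(dos_name, rel_path=None):
    """Constructed minimal sample (not a real-world file): header, one FileEntry item, optional RELATIVE_PATH."""
    flags = HAS_ID_LIST | IS_UNICODE | (HAS_REL_PATH if rel_path else 0)
    header = struct.pack("<I16sI", 76, bytes.fromhex("0114020000000000c000000000000046"), flags) + b"\x00" * 52
    item = b"\x32\x00" + struct.pack("<IIH", 0, 0, 0x20) + dos_name.encode("latin-1") + b"\x00"
    id_list = struct.pack("<H", len(item) + 2) + item + b"\x00\x00"
    out = header + struct.pack("<H", len(id_list)) + id_list
    if rel_path:
        out += struct.pack("<H", len(rel_path)) + rel_path.encode("utf-16le")
    return out
```

To triage a directory of samples, feed each file's bytes (`open(path, "rb").read()`) to `lnk_stomping_indicators` and flag any file that returns a non-empty list.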