
4 new reasons why Windows LNK files can't be trusted

Hidden command-line arguments

Beyond target spoofing, Beukema demonstrated a method for hiding malicious command-line instructions behind legitimate executables. LNK files can launch trusted Windows binaries while passing attacker-controlled instructions through embedded arguments, enabling "living-off-the-land" (LOLBIN) execution without pointing directly at malware.

According to the researcher, this can be achieved by manipulating the input passed into certain fields within the LNK "ExtraData" section that determine additional target metadata. Enabling the "HasExpString" flag and configuring the "EnvironmentVariableDataBlock" with "TargetANSI/TargetUnicode" fields filled with null bytes produces what he described as "unexpected" results.

"First, it disables the target field, meaning the target field becomes read-only and can't be selected," Beukema said. "Secondly, it hides the command-line arguments; but when the LNK is opened, it still passes them on." The behaviour can be exploited to launch a harmless system component while secretly executing arbitrary commands such as downloading payloads or running scripts.
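As an added example that is not part of the original article or Beukema's research, the following parser checks an LNK file for the pattern described above: HasExpString set, an EnvironmentVariableDataBlock whose TargetAnsi/TargetUnicode fields are all null bytes, and a non-empty COMMAND_LINE_ARGUMENTS string. It follows the MS-SHLLINK layout (header, StringData, ExtraData blocks) and builds its own constructed sample files for testing; the `build_lnk` fixture and its argument values are assumptions, not real malware samples.

```python
import struct

HAS_ARGUMENTS, IS_UNICODE, HAS_EXP_STRING = 0x20, 0x80, 0x200
ENV_BLOCK_SIG, ENV_BLOCK_SIZE = 0xA0000001, 0x314   # EnvironmentVariableDataBlock
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")

def parse_lnk(data):
    """Return (LinkFlags, arguments, env_block) from an LNK; skips IDList/LinkInfo."""
    flags = struct.unpack_from("<I", data, 20)[0]      # LinkFlags sits after size+CLSID
    pos = 0x4C                                         # fixed ShellLinkHeader size
    if flags & 0x01:                                   # HasLinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:                                   # HasLinkInfo
        pos += struct.unpack_from("<I", data, pos)[0]
    strings, width = {}, (2 if flags & IS_UNICODE else 1)
    for bit, name in ((0x04, "name"), (0x08, "relpath"), (0x10, "workdir"),
                      (0x20, "arguments"), (0x40, "icon")):
        if flags & bit:                                # StringData: u16 count + chars
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2: pos + 2 + count * width]
            strings[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    env = None
    while pos + 8 <= len(data):                        # walk ExtraData blocks
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:                                   # TerminalBlock
            break
        if sig == ENV_BLOCK_SIG:
            env = {"ansi": data[pos + 8: pos + 268], "unicode": data[pos + 268: pos + 788]}
        pos += size
    return flags, strings.get("arguments", ""), env

def hidden_args_suspect(data):
    """True when the file matches the hidden-argument pattern (null env targets + args)."""
    flags, args, env = parse_lnk(data)
    if not (flags & HAS_EXP_STRING) or env is None or not args:
        return False
    return not env["ansi"].strip(b"\0") and not env["unicode"].strip(b"\0")

def build_lnk(arguments, env_target=""):
    """Constructed test fixture (hypothetical, not a real shortcut): header + args + env block."""
    flags = HAS_ARGUMENTS | IS_UNICODE | HAS_EXP_STRING
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + b"\0" * 52
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    ansi = env_target.encode("cp1252").ljust(260, b"\0")
    uni = env_target.encode("utf-16-le").ljust(520, b"\0")
    env = struct.pack("<II", ENV_BLOCK_SIZE, ENV_BLOCK_SIG) + ansi + uni
    return header + string_data + env + struct.pack("<I", 0)  # trailing TerminalBlock
```

Run `hidden_args_suspect(open(path, "rb").read())` over a shortcut collected from a mailbox or download folder; a hit means the GUI's target field is not a reliable description of what the link runs.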
