In the blog post .LNK downloader and bitsadmin.exe in malicious Office document we were asked the following question by Harlan Carvey:
Did you parse the LNK file for things such as embedded MAC address, NetBIOS system name, any SID, and volume serial number?
We did not do that at the time, however we see the value in this to track specific threat actors throughout different campaigns.
The Windows .LNK file format contains valuable information that is specific to the host on which the .LNK file was created, including:
- The MAC address of the host;
- The NetBIOS system name;
- The volume serial number.
This is all information that is not easily changed on the threat actor's workstation and that should be fairly unique.
For more information on the .LNK file format, take a look at the following ForensicWiki page: http://forensicswiki.org/wiki/LNK.
I used the tool lnkanalyser from woanware to analyse the extracted .LNK file.
Now, what information are we seeing here?
NOTE: this tool does not show the relative path, on other .LNK files we tested this was shown. This particular .LNK file’s relative path refers to cmd.exe in the C:\Windows\System32 folder.
The first thing that stands out is the argument: this is everything that is passed on to the command line, and it has been discussed in the blog post .LNK downloader and bitsadmin.exe in malicious Office document.
The next interesting item is the Target Metadata. The timestamps shown here belong to the target executable, in this case cmd.exe, as it existed on the system of the person who created this .LNK file.
In conclusion, we have four artefacts tied to the workstation on which this .LNK was created that can be used to track a threat actor:
- Hard disk Serial number: 60BDBF2D
- Volume ID: C2CC139818B9E241824054A8ADE20A9A
- Machine ID: 123-¯ª
- MAC address: 00:0C:29:5A:39:04
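As an added example (not part of the original post and not the lnkanalyser tool), the following Python parser pulls these artefacts out of a .LNK file according to the MS-SHLLINK layout: the volume serial number from the VolumeID inside LinkInfo, the command-line arguments from StringData, and the NetBIOS name and MAC address from the TrackerDataBlock (the MAC is the node field of the version-1 GUID in its Droid). The sample file it builds is constructed here and reuses the serial and MAC listed above; the machine name and arguments are made up.

```python
import struct, uuid

TRACKER_SIG = 0xA0000003  # MS-SHLLINK 2.5.10 TrackerDataBlock signature

def parse_lnk(data):
    """Pull the host-identifying artefacts out of a .LNK file (MS-SHLLINK layout)."""
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C                                   # fixed ShellLinkHeader size
    out = {"serial": None, "machine_id": None, "mac": None, "args": None}
    if flags & 0x01:                             # HasLinkTargetIDList: skip the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:                             # HasLinkInfo: VolumeID carries the serial
        size, _, li_flags, vol_off = struct.unpack_from("<4I", data, pos)
        if li_flags & 0x01:                      # VolumeIDAndLocalBasePath
            out["serial"] = "%08X" % struct.unpack_from("<I", data, pos + vol_off + 8)[0]
        pos += size
    width = 2 if flags & 0x80 else 1             # IsUnicode: StringData is UTF-16LE
    for bit in (0x04, 0x08, 0x10, 0x20, 0x40):   # Name, RelativePath, WorkingDir, Arguments, Icon
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + n * width]
            if bit == 0x20:
                out["args"] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + n * width
    while pos + 8 <= len(data):                  # ExtraData blocks end at a size < 4
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:
            break
        if sig == TRACKER_SIG:
            out["machine_id"] = data[pos + 16:pos + 32].split(b"\0", 1)[0].decode("ascii", "replace")
            file_droid = uuid.UUID(bytes_le=data[pos + 48:pos + 64])   # second GUID of Droid
            if file_droid.version == 1:          # v1 GUIDs embed the generating NIC's MAC
                out["mac"] = ":".join("%02X" % b for b in file_droid.bytes[10:])
        pos += size
    return out

def build_sample():
    """Constructed sample .LNK (not the blog post's file) carrying the artefacts above."""
    hdr = struct.pack("<I16sI", 0x4C, uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le, 0xA2)
    base = b"C:\\Windows\\System32\\cmd.exe\0"
    vol = struct.pack("<4I", 0x14, 3, 0x60BDBF2D, 0x10) + b"OS\0\0"     # serial from the post
    body = vol + base + b"\0"
    li = struct.pack("<7I", 0x1C + len(body), 0x1C, 1, 0x1C, 0x1C + len(vol), 0, 0x1C + len(vol) + len(base)) + body
    args = "/c echo constructed sample"
    sd = struct.pack("<H", len(args)) + args.encode("utf-16-le")
    mac = bytes.fromhex("000C295A3904")                                  # MAC from the post
    file_droid = uuid.UUID(bytes=bytes(6) + b"\x11\xd7\x80\x00" + mac)    # version-1 layout
    droid = bytes(16) + file_droid.bytes_le
    tracker = struct.pack("<4I16s", 0x60, TRACKER_SIG, 0x58, 0, b"WIN-SAMPLE") + droid + droid
    return hdr.ljust(0x4C, b"\0") + li + sd + tracker + struct.pack("<I", 0)
```

Calling `parse_lnk(build_sample())` returns the serial, machine name, MAC and arguments; point `parse_lnk` at the bytes of a real .LNK to get the same fields, which are absent when the creating system did not write a TrackerDataBlock.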
Didier Stevens created a comprehensive screencap on how to extract the .LNK file from the Word document and analyze it with lnkanalyzer.exe:
For an extensive explanation of .LNK file attributes, we’d like to refer you to the following research: http://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf
6 thoughts on “Tracking threat actors through .LNK files”
All the identifying items pointed out can be changed in 20 secs or less
JPCERT @jpcert_en has also written an excellent paper about “Evidence of Attackers’ Development Environment Left in Shortcut File” http://blog.jpcert.or.jp/2016/12/evidence-of-att-3388.html