{"id":10164,"date":"2025-10-04T20:59:47","date_gmt":"2025-10-04T20:59:47","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=10164"},"modified":"2025-10-04T22:15:55","modified_gmt":"2025-10-04T22:15:55","slug":"using-lnk-files-as-lolbins","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2025\/10\/04\/using-lnk-files-as-lolbins\/","title":{"rendered":"Using .LNK files as lolbins"},"content":{"rendered":"\n<p>I am not sure if I or anyone else pointed it out before. Highly possible. I kinda lost track of it at this stage&#8230;<\/p>\n\n\n\n<p>So, anyway&#8230; this is a pretty dumb lolbin functionality that is exhibited by many native .lnk files present on a file system after a standard Windows installation.<\/p>\n\n\n\n<p>What I mean are files like f.ex.:<\/p>\n\n\n\n<ul>\n<li>c:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Remote Desktop Connection.lnk<\/li>\n\n\n\n<li>c:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Steps Recorder.lnk<\/li>\n\n\n\n<li>c:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows Media Player Legacy.lnk<\/li>\n<\/ul>\n\n\n\n<p>Turns out, many &#8216;target&#8217; executables linked to by these .lnk files are paths that depend on at least one environment variable, f.ex. %windir%, %ProgramFiles(x86)%.<\/p>\n\n\n\n<p>So, one can change that environment variable prior to launching the .lnk file, and this can alter the way the target program is found and then executed, f.ex. 
allowing us to execute our payload from a location we control.<\/p>\n\n\n\n<p>For instance:<\/p>\n\n\n\n<ul>\n<li><em>Remote Desktop Connection.lnk<\/em> points to <em>%windir%\\system32\\mstsc.exe<\/em><\/li>\n<\/ul>\n\n\n\n<p>So, changing the <em>windir <\/em>to point to <em>c:\\test<\/em> and placing our payload in <em>c:\\test\\system32\\mstsc.exe<\/em> will make the following work:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2025\/10\/lnk_envvar.png\"><img decoding=\"async\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2025\/10\/lnk_envvar.png\" alt=\"\" class=\"wp-image-10165\" width=\"500\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2025\/10\/lnk_envvar.png 970w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2025\/10\/lnk_envvar-300x136.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2025\/10\/lnk_envvar-768x348.png 768w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2025\/10\/lnk_envvar-500x226.png 500w\" sizes=\"(max-width: 970px) 100vw, 970px\" \/><\/a><\/figure>\n\n\n\n<p>Again, it&#8217;s dumb, but just documenting it for the sake of posterity.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I am not sure if I or anyone else pointed it out before. Highly possible. 
I kinda lost track of it at this stage&#8230; So, anyway&#8230; this is a pretty dumb lolbin functionality that is exhibited by many native .lnk &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2025\/10\/04\/using-lnk-files-as-lolbins\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[53,56],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/10164"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=10164"}],"version-history":[{"count":5,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/10164\/revisions"}],"predecessor-version":[{"id":10170,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/10164\/revisions\/10170"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=10164"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=10164"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=10164"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}