Link (LNK) File Download Containing a WebDAV UNC Hyperlink
Original Analytic Scoring
| | Payload (P) | Header (H) |
|---|---|---|
| Core to (Sub-)Technique (5) | | |
| Core to Part of (Sub-)Technique (4) | Payload beginswith: “4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46” and regex pattern: “\x5C\x00\x5C(?:\x00[a-z0-9.-_])+\x00@” | |
| Core to Pre-Existing Tool or Inside Boundary (3) | | |
| Core to Adversary-Brought Tool or Outside Boundary (2) | | |
| Ephemeral (1) | | |
The Suricata rule looks for the 20-byte sequence 4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46 at the start of the file, and for a regular expression (regex) pattern that matches a double backslash (\\) followed by an arbitrary-length series of lowercase letters, digits, periods, dashes, and underscore characters, followed by the @ symbol. According to Microsoft documentation, the first 4 bytes of an LNK file must equal the hexadecimal value 0x0000004C, and the next 16 bytes must equal the Shell Link Class ID 00021401-0000-0000-C000-000000000046 [1]. Therefore, the 20-byte sequence in this Suricata rule is specific enough to identify LNK files, and this observable would have an analytic robustness score of Level 4: Core to Some Implementations of (Sub-)Technique. Furthermore, the regex pattern for the WebDAV UNC path is general enough to allow either an IP address or a host/domain name followed by the @ symbol, so the analytic robustness of the regex pattern is also Level 4: Core to Some Implementations of (Sub-)Technique. The event robustness is Column P: Payload Visibility, because the rule relies on visibility of the HTTP body, and the overall robustness score for this rule is 4P.
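The two rule conditions described above, applied to an HTTP body in Python as an added example (not part of the original analysis or the Suricata rule itself). The fake_lnk helper and its sample targets are constructed test input: a real LNK header prefix, zero filler in place of the remaining header structures, and a UTF-16LE string field; the character class is written with the dash last so it is a literal dash, matching the prose description.

```python
import re

# 20-byte prefix the rule anchors on: HeaderSize 0x0000004C (little-endian)
# followed by the Shell Link Class ID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46")

# UTF-16LE "\\" then one or more lowercase letters, digits, '.', '_' or '-',
# then "@". Each character is followed by a 0x00 byte because LNK string
# fields are UTF-16LE, which is why the regex interleaves \x00 with each char.
WEBDAV_UNC_RE = re.compile(rb"\x5C\x00\x5C(?:\x00[a-z0-9._-])+\x00@")


def match_lnk_webdav_unc(payload: bytes):
    """Apply both rule conditions to one HTTP body.

    Returns the matched UNC prefix decoded to text when the rule would fire,
    or None when either the LNK header check or the regex fails.
    """
    if not payload.startswith(LNK_MAGIC):
        return None
    m = WEBDAV_UNC_RE.search(payload)
    if m is None:
        return None
    # The match ends on the '@' byte, one byte short of a full UTF-16LE code
    # unit, so pad with the missing 0x00 before decoding.
    return (m.group(0) + b"\x00").decode("utf-16-le")


def fake_lnk(target: str) -> bytes:
    """Constructed sample body: real header prefix, filler, UTF-16LE target."""
    return LNK_MAGIC + b"\x00" * 56 + target.encode("utf-16-le")


if __name__ == "__main__":
    samples = {
        "webdav_ip": fake_lnk(r"\\192.0.2.10@80\dav\doc.txt"),       # IP host
        "webdav_host": fake_lnk(r"\\files.example.net@ssl\dav\doc.txt"),  # DNS host
        "smb_no_at": fake_lnk(r"\\fileserver\share\report.docx"),    # no '@'
        "not_lnk": b"MZ" + r"\\192.0.2.10@80\dav\x".encode("utf-16-le"),  # wrong magic
    }
    for name, body in samples.items():
        print(f"{name:12} -> {match_lnk_webdav_unc(body)!r}")
```

Only the first two samples fire: both the IP-address and host-name forms pass the regex, while a plain SMB UNC path without @ and a non-LNK body carrying the same path do not.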
References