
Wietze

@wietzebeukema.nl

Threat Detection & Response. Interested in cyber security, tech and politics. Views are my own, unless retweeted.

174 Followers · 60 Following · 38 Posts · Joined 15.12.2024

Latest posts by Wietze @wietzebeukema.nl

09.03.2026 12:03 👍 0 🔁 0 💬 0 📌 0

Yet another LNK spoofing flaw: executes any DLL, including remote via WebDAV. Even worse, without Feb 2026 updates, MotW will be ignored.

Next to updating, your best defence is to look for RunDLL32+Shell32+Control_RunDLL with non-standard targets.

See how this works on github.com/wietze/lnk-i...

09.03.2026 12:03 👍 0 🔁 0 💬 1 📌 0
TIL from @wietzebeukema.nl 🤯

13.02.2026 18:16 👍 1 🔁 1 💬 0 📌 0

Try the tool for yourself: github.com/wietze/lnk-i... 🔗

13.02.2026 00:25 👍 0 🔁 0 💬 0 📌 0

Can LNK files ever be trusted?

⚡ My latest blog post demonstrates several new LNK abuse methods, allowing you to fully spoof the target shown in Explorer. It also introduces a tool to create your own LNKs, and a tool to detect spoofed ones yourself.

🐬 www.wietzebeukema.nl/blog/trust-m...

13.02.2026 00:25 👍 3 🔁 1 💬 1 📌 0

Video demo to play with ArgFuscator -- the super cool research and utility from @Wietze to obfuscate command-lines to try and evade AV or EDR detection 😎 And to test your rules if any of these crazy looking commands fly under the radar! youtu.be/6-Gbv0h7m1I

11.07.2025 13:01 👍 7 🔁 1 💬 1 📌 0

As June comes to an end, so does #HuntingTipOfTheDay. I hope you enjoyed them!

👉 Find all of them here: bsky.app/search?q=fro...

30.06.2025 08:02 👍 2 🔁 0 💬 0 📌 0

#HuntingTipOfTheDay: you know how to spot/decode Base64 or XOR in PowerShell… but what about SecureString? This AES-based encryption is native to PowerShell; attackers have been seen to use this for PowerShell obfuscation.

πŸ” Hunt for known SecureString decoding commands

27.06.2025 09:01 👍 3 🔁 1 💬 0 📌 0

#HuntingTipOfTheDay: Stuck in vi/vim? Open a reverse shell to exit remotely 🙃

Not just a joke: you can make vi/vim run arbitrary commands, and not all methods to do so are well detected.
🔍 Hunt for child processes of vi(m), especially those that are rare in your environment.

26.06.2025 09:02 👍 3 🔁 0 💬 0 📌 0

#HuntingTipOfTheDay: there are numerous open-source projects listing cyber threats. Some of these have directly ingestible indicators, which can be very helpful when threat hunting. How about:
🔵 lots-project.com + LOLBINs
🟠 hijacklibs.net + DLL write events
🟢 lolrmm.io + DNS requests

25.06.2025 09:02 👍 1 🔁 0 💬 0 📌 0

#HuntingTipOfTheDay: AppleScript via osascript is still a popular way for infostealers to get credentials/escalate access. Although some (poorly coded) updaters use this "legitimately", hunting for osascript referencing password dialogs might surface behaviour of interest.

24.06.2025 09:02 👍 0 🔁 0 💬 0 📌 0

#HuntingTipOfTheDay: USB worms are still a thing - often the initial infection happens when a user clicks a malicious shortcut on a USB device. See if you can correlate executions with .LNK files on remote drives to find possible badness.

23.06.2025 12:03 👍 0 🔁 0 💬 0 📌 0

#HuntingTipOfTheDay: proxy execution via ComputerDefaults.exe by setting this registry key; as it auto-elevates, it also allows for UAC bypass (!).
🔴 Executing parent is usually explorer.exe, making detection harder
🔍 Hunt for reg changes to this key
👉 lolbas-project.github.io/lolbas/Binar...

20.06.2025 12:03 👍 1 🔁 1 💬 0 📌 0

#HuntingTipOfTheDay: Florian is right.
🌩️ Cloud creds often linger in Environment Variables, especially on servers/dev machines
🟠 One compromised endpoint could thus lead to a full cloud breach
🔍 Hunt for exposed tokens - if you can see it, so could an attacker (well, kinda)

19.06.2025 11:03 👍 1 🔁 0 💬 0 📌 0

#HuntingTipOfTheDay: Oddvar Moe of @trustedsec.com shows how you can run a full C2 implant from Outlook - just setting a few registry keys does the trick.

Any activity concerning these registry keys should be considered suspicious.

Full story here: youtu.be/7MDHhavM5GM

18.06.2025 11:03 👍 1 🔁 0 💬 0 📌 0

Threat of TCC Bypasses on macOS - AFINE - digitally secure TCC on macOS isn't just an annoying prompt—it's the last line of defense between malware and your private data. Read this article to learn why.

Read more: afine.com/threat-of-tc...

17.06.2025 11:06 👍 2 🔁 0 💬 0 📌 0

#HuntingTipOfTheDay: TCC on macOS can be bypassed by triggering Electron apps' Node.js interface to run arbitrary commands
⚡ By using a Launch Daemon, you can leverage all the app's TCC permissions
🔍 Hunt for processes with ELECTRON_RUN_AS_NODE env var and unusual command lines

17.06.2025 11:06 👍 2 🔁 0 💬 1 📌 0

#ThreatHuntingTipOfTheDay: rundll32 can be abused in many ways lolbas-project.github.io#t1218.011

Instead of exports, ordinals can be used too. You could hunt for known bad ones, but are ordinals used legitimately that often at all?

Look for rundll32 with # on the command line to find out

16.06.2025 09:02 👍 0 🔁 0 💬 0 📌 0
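As an added example (not the author's tooling), a small triage script for the two rundll32 hunts on this page: ordinals on the command line (this post) and shell32 Control_RunDLL with non-standard targets (the LNK post at the top). The sample command lines and hostname are constructed, and what counts as a standard target (a .cpl given bare or under System32) is an assumption to tune locally.

```python
"""Triage rundll32 command lines for two hunts: ordinal exports (#N) and shell32
Control_RunDLL with a non-standard target. Added example; samples are constructed."""
import re

RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+(?P<dll>"[^"]+"|[^\s,]+),(?P<entry>\S+)\s*(?P<args>.*)',
    re.IGNORECASE)
ORDINAL_RE = re.compile(r"#\d+")
STD_DIRS = ("c:\\windows\\system32\\", "%systemroot%\\system32\\", "%windir%\\system32\\")

def parse_rundll32(cmdline):
    """Split 'rundll32 <dll>,<entry> <args>'; None if this is not a rundll32 call."""
    m = RUNDLL_RE.search(cmdline)
    return m.groupdict() if m else None

def is_standard_cpl_target(target):
    """Assumed baseline: a .cpl given bare (resolved by Windows) or under System32."""
    t = target.lower()
    return t.endswith(".cpl") and ("\\" not in t or t.startswith(STD_DIRS))

def triage(cmdline):
    """Return finding tags for one command line; an empty list means nothing to see."""
    p = parse_rundll32(cmdline)
    if p is None:
        return []
    findings = []
    dll = p["dll"].strip('"').lower().rsplit("\\", 1)[-1]
    if ORDINAL_RE.fullmatch(p["entry"]):
        findings.append("ordinal-export")          # e.g. lib.dll,#2 instead of a named export
    if dll in ("shell32.dll", "shell32") and p["entry"].lower() == "control_rundll":
        target = p["args"].split(",")[0].strip().strip('"')  # drop ',,@Desktop'-style suffixes
        if target.startswith("\\\\"):
            findings.append("remote-target")        # UNC/WebDAV path instead of a local .cpl
        elif not is_standard_cpl_target(target):
            findings.append("non-standard-target")
    return findings

# Constructed sample command lines; the hostname is a placeholder.
SAMPLES = [
    r'rundll32.exe shell32.dll,Control_RunDLL "C:\Windows\System32\main.cpl"',  # benign
    r'rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,@Desktop',              # benign
    r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL \\files.example.invalid\share\update.dll',
    r'rundll32.exe shell32.dll,Control_RunDLL C:\Users\Public\tool.dll',
    r'rundll32.exe C:\Users\Public\lib.dll,#2',
    r'rundll32.exe user32.dll,LockWorkStation',                                 # benign
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(triage(cmd) or ["clean"], cmd)
```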

UAC bypass can be achieved by eg moving the legit perfmon.exe and a malicious atl.dll to "c:\windows \system32". Windows is tricked into thinking this is a safe/trusted directory, meaning perfmon will launch with high integrity and your DLL will be loaded. Several other executables are vulnerable!

13.06.2025 12:04 👍 0 🔁 0 💬 0 📌 0

#HuntingTipOfTheDay: folders with trailing spaces can be created on Windows, and they cause trouble:
🔴 Hard to delete/rename
🟠 Can hide (malicious) content when the same folder without trailing space exists
🟡 May enable UAC bypass (see next msg)

🔍 Hunt for paths with trailing spaces - highly sus

13.06.2025 12:03 👍 0 🔁 0 💬 1 📌 0
A lesson in shortcuts - Rob Pike

Bonus background reading: why do hidden files start with a dot on Linux?

💠 glenda.0x46.net/articles/dot...

12.06.2025 09:02 👍 1 🔁 0 💬 0 📌 0

#HuntingTipOfTheDay: you’ll know that in Linux, files with a leading dot are hidden by default. Attackers may use this to hide payloads or frustrate forensics. Although sometimes used legitimately, you may find unexpected entries when looking for EXECUTIONS of hidden files.

12.06.2025 09:02 👍 1 🔁 0 💬 1 📌 0

#HuntingTipOfTheDay: a personal favourite, command-line obfuscation. Substituting or inserting special Unicode characters might allow attackers to bypass string-based detections. Look for command lines with unusual Unicode characters. Check out ArgFuscator.net for more fun!

11.06.2025 09:02 👍 3 🔁 1 💬 0 📌 0
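Added example (not ArgFuscator or the author's code): a folding step that surfaces unusual Unicode in a command line and canonicalises it before string matching, generalising the tip to the three character classes a hunter most often meets. The sample command lines are constructed to show the folding, not claims about which variants Windows accepts.

```python
"""Surface unusual Unicode in command lines and fold them to a canonical form that
string-based rules can match. Added example; the sample command lines are constructed."""
import unicodedata

# Constructed samples: benign commands carrying the kind of characters the tip describes.
SAMPLES = [
    "ip\u200bconfig /all",                 # zero-width space (U+200B) inside the image name
    "ping \u2010n 4 host.example",         # U+2010 HYPHEN in place of '-'
    "\uff54\uff41\uff53\uff4b\uff4c\uff49\uff53\uff54 /v",  # fullwidth letters spelling 'tasklist'
    "whoami /all",                         # plain ASCII, nothing to report
]

def unusual_chars(cmdline):
    """List (index, U+code, Unicode category) for every non-ASCII character."""
    return [(i, f"U+{ord(c):04X}", unicodedata.category(c))
            for i, c in enumerate(cmdline) if ord(c) > 0x7F]

def canonicalise(cmdline):
    """Drop format characters (Cf, e.g. zero-width space), map any dash punctuation (Pd)
    to '-', then apply NFKC so fullwidth/compatibility forms fold to ASCII."""
    kept = []
    for c in cmdline:
        cat = unicodedata.category(c)
        if cat == "Cf":
            continue
        kept.append("-" if cat == "Pd" else c)
    return unicodedata.normalize("NFKC", "".join(kept))

def hunt(cmdline):
    """Return (suspicious, canonical form, unusual characters) for one command line.
    Review hits rather than alerting blindly: non-ASCII file names also show up here."""
    odd = unusual_chars(cmdline)
    return (bool(odd), canonicalise(cmdline), odd)

if __name__ == "__main__":
    for cmd in SAMPLES:
        suspicious, canonical, odd = hunt(cmd)
        print("SUSPICIOUS" if suspicious else "ok", repr(canonical), odd)
```

Run your existing string rules against the canonical form as well as the raw command line; a hit only on the canonical form is exactly the obfuscation the tip describes.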

#HuntingTipOfTheDay: macOS has a built-in SSH mechanism that is disabled by default. Would you detect it if someone enables it and logs in remotely? Look for remote login events, and investigate the associated session.

10.06.2025 09:02 👍 3 🔁 1 💬 0 📌 0
Save the Environment (Variable) By manipulating environment variables on process level, it is possible to let trusted applications load arbitrary DLLs and execute malicious code. This post lists nearly 100 executables vulnerable to…

More about this technique: www.wietzebeukema.nl/blog/save-th...

09.06.2025 11:03 👍 0 🔁 0 💬 0 📌 0

#HuntingTipOfTheDay: Services can provide persistence. Looking for changes to their commands is common, but the lesser known Environment setting is often overlooked. It could result in stealthy DLL hijacking. Inspect any paths referenced for suspicious files.

09.06.2025 11:03 👍 3 🔁 2 💬 2 📌 0

#HuntingTipOfTheDay: explorer.exe /root,"c:/your/executable.exe" will spawn your exe from the main explorer.exe, not a new one. This breaks normal process chains. Hunt for explorer.exe with "/root", as well as explorer spawning unusual children (e.g. rundll32, mshta, powershell).

06.06.2025 11:03 👍 1 🔁 0 💬 0 📌 0

#HuntingTipOfTheDay: a common way to execute malicious code on Linux is to download a script via curl/wget and pipe the result into a shell process like bash. Hunt for curl/wget executions followed by an interactive shell within seconds, both having the same parent process.

05.06.2025 10:03 👍 1 🔁 0 💬 0 📌 0
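An added example (not the author's query) of this correlation over constructed process events: group by parent, then look for a curl/wget start followed within a few seconds by a shell. Field names are an assumption about your telemetry, and any shell start counts as a candidate because interactivity is not visible in process-start events.

```python
"""Correlate curl/wget with a shell started seconds later under the same parent.
Added example; the process events below are constructed, and field names are an
assumption about what your telemetry provides."""
from datetime import datetime, timedelta

# Constructed process-start events: one dict per process.
EVENTS = [
    {"ts": "2025-06-05T10:00:00", "pid": 401, "ppid": 300, "image": "curl",
     "cmdline": "curl -s http://host.example/setup.sh"},
    {"ts": "2025-06-05T10:00:01", "pid": 402, "ppid": 300, "image": "bash",
     "cmdline": "bash"},                       # 1 s later, same parent: hit
    {"ts": "2025-06-05T10:05:00", "pid": 510, "ppid": 320, "image": "wget",
     "cmdline": "wget -q https://host.example/pkg.tar.gz"},
    {"ts": "2025-06-05T10:05:45", "pid": 511, "ppid": 320, "image": "bash",
     "cmdline": "bash"},                       # 45 s later: outside the default window
    {"ts": "2025-06-05T10:07:00", "pid": 600, "ppid": 330, "image": "sh",
     "cmdline": "sh"},                         # shell with no preceding download
    {"ts": "2025-06-05T10:08:00", "pid": 700, "ppid": 340, "image": "curl",
     "cmdline": "curl -fsSL https://host.example/install.sh"},
    {"ts": "2025-06-05T10:08:03", "pid": 701, "ppid": 999, "image": "sh",
     "cmdline": "sh"},                         # close in time but a different parent
]
DOWNLOADERS = {"curl", "wget"}
SHELLS = {"sh", "bash", "zsh", "dash"}

def find_download_then_shell(events, window=5):
    """Return (downloader pid, shell pid) pairs: same parent, shell started within
    `window` seconds after the download tool. Shell interactivity is not visible in
    start events, so every shell start counts as a candidate."""
    by_parent = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_parent.setdefault(ev["ppid"], []).append(ev)
    hits = []
    for siblings in by_parent.values():
        for i, dl in enumerate(siblings):
            if dl["image"] not in DOWNLOADERS:
                continue
            t0 = datetime.fromisoformat(dl["ts"])
            for later in siblings[i + 1:]:
                if datetime.fromisoformat(later["ts"]) - t0 > timedelta(seconds=window):
                    break                      # siblings are time-ordered; stop early
                if later["image"] in SHELLS:
                    hits.append((dl["pid"], later["pid"]))
    return hits

if __name__ == "__main__":
    for dl_pid, sh_pid in find_download_then_shell(EVENTS):
        print(f"suspicious: download pid {dl_pid} followed by shell pid {sh_pid}")
```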

#HuntingTipOfTheDay: You have probably heard of .bash_profile and .zshrc, but are you familiar with PowerShell's version of it? Attackers might use this for persistence; monitor modifications of profiles by unexpected processes, and analyse existing files for anomalies.

04.06.2025 10:02 👍 3 🔁 2 💬 3 📌 0

#ThreatHuntingTipOfTheDay: Malicious DMGs/PKGs are currently the most popular way for macOS infostealers to get foothold. Use macOS’s kMDItemWhereFroms extended attribute to see origins of downloaded DMG/PKGs; investigate ones that are rare across your IT estate.

03.06.2025 09:01 👍 1 🔁 0 💬 0 📌 0