Since Microsoft announced that Office applications will block macros from the Internet, adversaries have adapted their initial access techniques. This lab will walk through analysis of one of these techniques: LNK files with an embedded decoy document and a payload.
We will run some analysis using Velociraptor, then consider methods to detect at scale.
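As an added example that is not part of the lab materials or Velociraptor itself, the Python below applies the MS-SHLLINK layout to a shortcut file: it walks the header, LinkTargetIDList, LinkInfo, StringData and ExtraData, extracts the command-line arguments, and reports any bytes left over after the TerminalBlock, which is where an appended decoy document or payload would sit. The sample .lnk bytes and the 4096-byte "typical size" threshold are constructed assumptions for offline testing.

```python
import struct

# Shell Link (.lnk) layout per MS-SHLLINK: 76-byte header, then optional
# LinkTargetIDList, LinkInfo, StringData and ExtraData blocks.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046} on disk
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))

def parse_lnk(data):
    """Walk the Shell Link structure and report where it ends and what follows it."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 76
    if flags & HAS_ID_LIST:                      # IDListSize (u16) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (u32) includes the size field itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode, strings = bool(flags & IS_UNICODE), {}
    for bit, name in STRING_FIELDS:              # CountCharacters (u16) + chars, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * (2 if unicode else 1)]
            strings[name] = raw.decode("utf-16-le" if unicode else "cp1252")
            pos += 2 + len(raw)
    while pos + 4 <= len(data):                  # ExtraData: BlockSize (u32); a value < 4 is the TerminalBlock
        size = struct.unpack_from("<I", data, pos)[0]
        pos += size if size >= 4 else 4
        if size < 4:
            break
    pos = min(pos, len(data))                    # guard against a malformed oversized BlockSize
    return {"strings": strings, "structure_end": pos, "trailing_bytes": len(data) - pos}

def assess(data, typical_max=4096):
    """Findings a triage rule would raise on one shortcut file (threshold is an assumption)."""
    info = parse_lnk(data)
    findings = []
    if info["trailing_bytes"]:
        findings.append(f"{info['trailing_bytes']} bytes appended after the Shell Link structure")
    if len(data) > typical_max:
        findings.append(f"{len(data)}-byte shortcut exceeds the {typical_max}-byte typical size")
    return findings

def build_sample(arguments, appended=b""):
    """Constructed minimal .lnk (HasArguments|IsUnicode only) used as offline test input."""
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", 0x20 | IS_UNICODE) + bytes(52)
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + string_data + struct.pack("<I", 0) + appended   # u32 0 = TerminalBlock

DECOY = b"%PDF-1.4 constructed decoy bytes\n" * 200   # stands in for an embedded decoy document
SAMPLE = build_sample("/c start decoy.pdf", DECOY)
CLEAN = build_sample("/c echo hello")

if __name__ == "__main__":
    print(parse_lnk(SAMPLE)["strings"], assess(SAMPLE), assess(CLEAN))
```

The same two checks (bytes past the structure end, and total size against a baseline) are what a scaled hunt across collected shortcut files would apply per file.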
You need a VM with internet access and Velociraptor available on the desktop, run as per Lab: GUI mode walk through.
Open cmd, browse to the desktop and run: velociraptor.exe gui --datastore=./VRdata -v
The Velociraptor GUI is configured to open automatically upon boot; the URL and credentials are below:
https://127.0.0.1:8889/
admin
password