.. /.Url

Phishing
Double Click

Contributors:

mr.d0x

Description:

URL files are shortcuts for the browser and can be used to open a URL. Just like LNKs, URL files can include an icon to display for the file and that can be leveraged for NetNTLM hash harvesting.

OS:

Windows

Recommendation:

“DisableThumbnailsOnNetworkFolders” and “DisableThumbnails” group policy settings.

Resources:

https://www.mdsec.co.uk/2021/02/farming-for-red-teams-harvesting-netntlm/
https://cofense.com/latest-software-functionality-abuse-url-internet-shortcut-files-abused-deliver-malware/

File Samples: