Guides and Reference
- The Hacker Playbook 3: Social Engineering - pg. 174
- Social Engineering: The Science of Human Hacking - Christopher Hadnagy
- Advanced Penetration Testing: Advanced Concepts in Social Engineering - pg. 194
- Hacking: The Next Generation - Infiltrating the Phishing Underground: Learning from Online Criminals - pg. 177
- Phishing - “practice of sending emails appearing to be from reputable sources with the goal of influencing or gaining personal information.” (Hadnagy, Fincher. Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails. Wiley, 2015).
- SMiShing - “the act of using mobile phone text messages, SMS (Short Message Service), to lure victims into immediate action. This action may include downloading mobile malware, visiting a malicious website, or calling a fraudulent phone number.”
- OSINT - The research performed on the target using Open-Source Intelligence tools. This phase does not interact with the target in any way.
- Social Engineering: Christopher Hadnagy - pg. 17
- Pretext Development - This is where an attacker develops their reason for initial interaction.
- Attack Plan - Planning out the Who, What, When, Where, Why, and How of the attack.
- Attack Launch
- Reporting - The full details of the attack. This is crucial for a client to understand all that was done and what they need to improve their defenses.
Guides and Methodology
- Muraena - Muraena is an almost-transparent reverse proxy aimed at automating phishing and post-phishing activities.
- catphish - Generate similar-looking domains for phishing attacks. Check expired domains and their categorized domain status to evade proxy categorization. Whitelisted domains are perfect for your C2 servers. Perfect for Red Team engagements.
- TigerShark - Bilingual PhishingKit. TigerShark integrates a vast array of various phishing tools and frameworks, from C2 servers, backdoors and delivery methods in multiple scripting languages in order to suit whatever your deployment needs may be.
Guides and Resources
- Advanced Penetration Testing: Learning how to use the VBA macro - pg. 5
- Advanced Penetration Testing: VBA Redux, Alternative Command Line Attack Vectors - pg. 116
- Advanced Penetration Testing: Deploying with HTA - pg. 138
- DDE (Dynamic Data Exchange) - Sends messages and data between applications
- The Hacker Playbook 3: Maldocs - pg. 178
- Remember to change .docm extensions to .doc
- Give the end user a compelling reason to enable macros.
- Tailor the attack to the client. Gather information with a mass email and use an out-of-the-office (OOTO) auto-reply as a template for the internal email style
- Embedded macros in Microsoft Office documents
- Run test file against VirusTotal to check for ease of detection
- Review “Tags” section for offending tags that set off signature matches
- Often AV will only scan the main body of the code and NOT the declaration section.
- Use an alias for a function import to get around this.
- Avoid Obvious use of shellcode
- Functions that will most assuredly get flagged: VirtualAlloc, RtlMoveMemory, Shell, URLDownloadToFile, and CreateThread
- Automatic execution in macros
- Three different methods depending on which format you are using: Word document, Excel spreadsheet, or Excel workbook
- Often all three are enabled when auto code execution is enabled.
- Reduce the enabled auto-execution methods to one (or none), depending on what you need, to lower the chance of detection.
- Using a VBA/VBS Dual Stager
- While VBA is used exclusively in Office products, VBS is used to perform other tasks outside of Office and is therefore given more freedom of execution.
- Deploy a VBA macro containing VBS code
- Two separate scripts, one VBA and one VBS
- Code obfuscation
- Encoding the script with Base64, XOR, or similar and having it decoded at run-time
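Added example, not taken from any of the references above: a small triage script for the detection points these notes touch on (auto-execution entry points, the imports listed as reliably flagged, Declare aliasing that hides an import in the declaration section, and the .docm-to-.doc rename). It assumes the VBA source has already been extracted from the document (olevba does this) and uses a constructed sample module; the function names and the triage rules are this example's own.

```python
import re

# Added example (not the page's tooling): triage of VBA source already extracted from a document.
AUTO_EXEC = {"autoopen", "document_open", "auto_open", "workbook_open"}  # Word / Excel triggers
FLAGGED = {a.lower(): a for a in  # imports the notes above list as reliably flagged by AV
           ("VirtualAlloc", "RtlMoveMemory", "Shell", "URLDownloadToFile", "CreateThread")}
# Declare [PtrSafe] Function|Sub <local> Lib "<dll>" [Alias "<export>"]
DECLARE_RE = re.compile(r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"[^"]+"'
                        r'(?:\s+Alias\s+"(\w+)")?', re.I)
PROC_RE = re.compile(r'^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)', re.I | re.M)

def _used(name, text):
    return re.search(r'\b%s\b' % re.escape(name), text, re.I) is not None

def scan_vba(src):
    """Auto-exec entry points and flagged APIs in the main body, plus flagged APIs
    reached through a Declare alias (the declaration-section trick in the notes)."""
    procs = PROC_RE.findall(src)
    first = PROC_RE.search(src)
    body = src[first.start():] if first else src          # everything from the first Sub on
    imports = {loc: (exp or loc) for loc, exp in DECLARE_RE.findall(src)}  # local -> export
    return {
        "auto_exec": sorted(p for p in procs if p.lower() in AUTO_EXEC),
        "body_flagged": sorted(FLAGGED[a] for a in FLAGGED if _used(a, body)),
        "via_alias": sorted(FLAGGED[exp.lower()] for loc, exp in imports.items()
                            if exp.lower() in FLAGGED and _used(loc, body)),
    }

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML .docm/.docx/.xlsm container

def container_mismatch(filename, data):
    """True when the extension and the container disagree, e.g. a .doc that is
    really an OOXML zip (the .docm -> .doc rename above); Office opens it anyway."""
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext in ("doc", "xls", "ppt"):
        return data.startswith(ZIP_MAGIC)
    if ext in ("docm", "docx", "xlsm", "xlsx", "pptm"):
        return data.startswith(OLE_MAGIC)
    return False

# Constructed sample: two entry points, VirtualAlloc only visible through the alias.
SAMPLE_VBA = '''Private Declare PtrSafe Function mem Lib "kernel32" Alias "VirtualAlloc" (ByVal a As LongPtr, ByVal n As Long, ByVal t As Long, ByVal p As Long) As LongPtr
Sub AutoOpen()
    Document_Open
End Sub
Sub Document_Open()
    r = mem(0, 4096, &H3000, &H40)
End Sub
'''
```

A body-only keyword scan of the sample reports nothing, while resolving the alias attributes the call to VirtualAlloc; two entry points in one module is itself the noisy pattern the notes say to reduce.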