Offensive Phishing

by Vince
in Blog

We run phishing campaigns for awareness training, but we also use phishing as an attack vector.  In some instances, if we phished credentials, we would call that a success and move on.  In other cases, we want to actually breach the environment through phishing.  If we look at MITRE, we see a lot of different techniques that use attachments; Word and Excel files are popular.  I'm going to use an HTA file, which can be constructed without the need for Microsoft Office.

When we look inside the HTA, we see some scripting and then we see the meat: our PowerShell.



Basically, I'm hosting a Covenant Grunt on my attacking server and calling it from the HTA.

If we were to attach this file directly, we'd run into an issue:



The simple solution here is to zip up the file:


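Zipping the HTA gets it past a filter that only looks at the outer attachment name, which is exactly why a mail gateway or triage script has to open the archive and look at what is inside. The following is an added defensive example, not code from the post or from Covenant: it walks a .zip (including nested .zip members) in memory and reports any member whose extension Windows would hand to a script host or loader. The extension list and the sample archive are constructed for this example.

```python
"""Inspect a zipped email attachment for script-type members (added example)."""
import io
import posixpath
import zipfile

# Extensions that Windows will hand to a script host or loader when opened.
# This list is an assumption for the example; tune it to your environment.
SCRIPT_EXTENSIONS = {
    ".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
    ".ps1", ".bat", ".cmd", ".exe", ".scr", ".lnk", ".iso",
}

MAX_DEPTH = 3  # stop recursing into nested archives past this depth


def inspect_archive(data: bytes, depth: int = 0, prefix: str = "") -> list:
    """Return the paths of members that carry a script/executable extension.

    Nested .zip members are opened in memory and walked as well, so a script
    hidden one level down is still reported with its full path.
    """
    findings = []
    if depth > MAX_DEPTH:
        return [prefix + "<nested too deep>"]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip at all; other checks would handle it
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = prefix + info.filename
            # splitext keeps only the last extension, so "report.pdf.hta" is ".hta"
            ext = posixpath.splitext(info.filename)[1].lower()
            if ext in SCRIPT_EXTENSIONS:
                findings.append(name)
            elif ext == ".zip":
                findings.extend(
                    inspect_archive(archive.read(info), depth + 1, name + "/")
                )
    return findings


def verdict(data: bytes) -> str:
    """Simple gateway decision: quarantine if any script-type member exists."""
    return "quarantine" if inspect_archive(data) else "pass"


def build_sample_attachment() -> bytes:
    """Construct a sample .zip shaped like a phishing attachment (constructed data)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("report.pdf.hta", "<html></html>")  # double extension, nested
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("README.txt", "constructed sample")
        z.writestr("invoice.hta", "<html></html>")
        z.writestr("archive/inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample_attachment()
    for path in inspect_archive(sample):
        print("flagged:", path)
    print("verdict:", verdict(sample))
```

The point of the nested walk and the last-extension check is that both of the tricks this post relies on (an archive wrapper, and a script file that looks like a document) are caught by inspecting what the archive actually contains rather than what it is called.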

Because I want to perfect what I'm trying to accomplish, I've automated the user's portion of this phishing campaign.  I have a VBA script that moves the attachment from the email into a specified folder:



I also have an Outlook Rule which executes that VBA script when a message with an attachment is received:



Continuing with my automation, I have a scheduled task that unzips the attachment and executes the HTA file:



Once the HTA file is executed, we see our Grunt appear in Covenant:


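An HTA is run by mshta.exe, and the payload inside this one is PowerShell, so the parent/child pair mshta.exe launching powershell.exe is the signal an endpoint detection should key on. The following is an added defensive example, not code from the post or from Covenant: it reads process-creation events, walks each PowerShell process's ancestry, and raises an alert when mshta.exe is an ancestor. The events and their field names (pid, ppid, image, cmd) are constructed for this example and are an assumption; map them to your own telemetry (for instance Sysmon Event ID 1 fields).

```python
"""Flag PowerShell launched under mshta.exe in process telemetry (added example)."""
import json

# Constructed sample process-creation events; field names are an assumption.
SAMPLE_LOG = r"""
{"pid": 4100, "ppid": 1200, "image": "C:\\Windows\\explorer.exe", "cmd": "explorer.exe"}
{"pid": 5200, "ppid": 4100, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "cmd": "OUTLOOK.EXE"}
{"pid": 6300, "ppid": 4100, "image": "C:\\Windows\\System32\\mshta.exe", "cmd": "mshta.exe C:\\Users\\bob\\Downloads\\invoice\\invoice.hta"}
{"pid": 6310, "ppid": 6300, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe -w hidden -c <constructed placeholder>"}
{"pid": 7000, "ppid": 4100, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe Get-Process"}
"""

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
SUSPICIOUS_PARENT = "mshta.exe"


def load_events(text: str) -> list:
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_mshta_powershell(events: list) -> list:
    """Return an alert for every PowerShell process with mshta.exe in its ancestry.

    Each alert carries the process chain from mshta.exe down to PowerShell and
    the PowerShell command line, which is what an analyst wants to see first.
    """
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for event in events:
        if basename(event["image"]) not in POWERSHELL_IMAGES:
            continue
        chain = [basename(event["image"])]
        seen = set()  # guard against pid reuse creating a cycle
        pid = event["ppid"]
        while pid in by_pid and pid not in seen:
            seen.add(pid)
            parent = by_pid[pid]
            chain.insert(0, basename(parent["image"]))
            if chain[0] == SUSPICIOUS_PARENT:
                alerts.append({
                    "pid": event["pid"],
                    "chain": chain,
                    "cmd": event["cmd"],
                    "parent_cmd": parent["cmd"],
                })
                break
            pid = parent["ppid"]
    return alerts


if __name__ == "__main__":
    for alert in find_mshta_powershell(load_events(SAMPLE_LOG)):
        print("ALERT pid=%d chain=%s" % (alert["pid"], " -> ".join(alert["chain"])))
        print("  powershell:", alert["cmd"])
        print("  mshta     :", alert["parent_cmd"])
```

The ancestry walk matters because the HTA's script can interpose another process between mshta.exe and PowerShell; matching only on the immediate parent would miss that, while the interactive PowerShell under explorer.exe in the sample correctly produces no alert.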

With everything automated, I can focus on perfecting my attack.  Although this might seem excessive, phishing is still a very popular attack vector.  Showing the type of damage that can be done with a little bit of effort helps us explain the value of a real awareness program.