In the real world, systems have endpoint protection installed, and a lot of the tools we'd like to drop on the system will get detected.  Loading in memory is definitely an option, but let's say we want to drop some tools onto the file system.  One option is to look at what is installed and hopefully find a product that requires endpoint exclusions.  For example, Desktop Central from ManageEngine requires exclusions, and if we can use that directory for our files, we can evade endpoint protection.

For our test, we're going to use the EICAR test file.  Some background in case you're unfamiliar with this test file:  "The European Institute for EICAR developed the EICAR antimalware test file. The EICAR test file is a legitimate DOS program that is detected as malware by antivirus software. When the test file runs successfully (if it is not detected and blocked), it prints the message 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!'."


I mentioned this in a previous post, but we are seeing a large increase in phishing attacks from known sources.  In other words, phishing attacks are coming from your friends, colleagues, and vendors.  You trust these sources, and you are likely to drop your guard more so than when, say, the Nigerian Prince email makes its way into your inbox.  Obviously, if someone falls for the phish, this campaign lives on, and that's how future attacks occur.  But how does the original attack get legs underneath it?  First, let's start with the phish and work our way backwards.


The description states:  "This boot to root VM is fully a real life based scenario. It has been designed in a way to enhance user's skills while testing a live target in a network. It's a quite forward box but stay aware of rabbit holes."

There are quite a few directions this could have gone, and I'm not sure I took the intended route, especially with the entry.  I feel like I found my foothold and just plowed on through it.  In general, I would say this is an easy box, but you need the skills to set up an application outside of the vulnerable machine to use in my exploitation route.  That will make more sense shortly.


This is from the latest releases on Vulnhub, but it does not have a description.  I think this box was either on the TryHackMe platform or maybe it was accepted to that platform.  The flags are the giveaway, and due to their specific look, I don't think it's a coincidence.  Anyway, moving on...

We kick off with Nmap:


The description for HTTrack states:  "HTTrack is an offline browser utility, allowing you to download a World Wide website from the Internet to a local directory, building recursively all directories, getting html, images, and other files from the server to your computer."

We have more nefarious purposes, like cloning sites for phishing awareness campaigns, but regardless, the outcome is still the same.  HTTrack is a decent tool for quickly cloning a site.  It's fairly simple to use, and once it's installed, we launch it by executing:  httrack


We are seeing a ton of email account compromises that are from known sources.  In other words, a vendor, a customer, or an acquaintance gets compromised.  Frequently, the attacker will reply to an existing email thread from the known source to you, and they will add an attachment or a link.  In the latter scenario, the link typically leads to a fake credentials page.  This type of attack is so common that we're seeing it several times per week.  It will only get worse.

With the credentials attack, two-factor authentication (2FA) will typically stop this in its tracks.  You can steal credentials all day long, but bypassing 2FA is a much bigger challenge.  And honestly, it's not worth it to the attacker unless the victim has been specifically targeted -- typically not the case.



© 2021 Seven Layer Networks, Inc. | All rights reserved.