Each year, Rapid7 penetration testers complete hundreds of internally and externally based penetration testing service engagements. This post is the first in a five-part series featuring testimonials of what goes on beneath the hoodie. For more insights, check out our report, “Under the Hoodie 2018: Lessons from a Season of Penetration Testing.”
Electronic social engineering engagements often vary from client to client, and Rapid7 works diligently to ensure testing simulates threat actors that clients are most worried about. For this particular story, I worked with the client to craft an engagement that would evaluate their employee and technology preparedness against a sophisticated, targeted phishing and vishing attack. Incidentally, this sort of thing is my favorite type of assessment.
First three steps? Reconnaissance.
There is no such thing as too much attacker reconnaissance. Employees were selected based upon their role, look-alike domains were registered, and external portals were cloned to simulate the company. Finally, phone-based reconnaissance was conducted against the help desk to determine the available payload phishing attack surface (aka what endpoint protections were in place).
What came of 70% reconnaissance and 30% crafting was a cloned Proofpoint Secure Email Portal using the company’s branding. Behind a fake authentication page was a “secure” email from human resources and a Microsoft Excel document that tempted staff with “employee salaries.” After all, who wouldn’t want to take a peek at what their peers are making? The Excel document was thoughtfully crafted with a payload abusing Dynamic Data Exchange (DDE) functionality that executed CertUtil.exe to download additional commands to run.
Previous reconnaissance against the help desk revealed that application whitelisting was in place, as well as a policy to prevent employees from executing PowerShell.exe. To bypass these protections, Rapid7’s payload echoed C# code into a .cs file and compiled it locally into an executable using CSC.exe, a tool within the .NET framework.
The executable relied on the System.Management.Automation library to execute PowerShell commands without calling PowerShell.exe. Additionally, the executable was designed with an installer class that allowed it to be executed by InstallUtil.exe, a Microsoft-signed binary. In the end, I had a payload that bypassed the company’s application whitelisting and PowerShell.exe restrictions. Now, all that was required was sending the email to a target who would be willing to enter their credentials into a cloned portal, be curious enough to download a list of employee salaries “mistakenly” sent to them, and then click “Enable Content” and two more warning prompts in Excel to reveal the fake employee salaries.
I sent a phishing email with a link to the cloned site to four senior-level employees in different departments, indicating that a secure email from human resources was available in the Proofpoint portal. Within 15 minutes, one employee opened the portal and entered their credentials.
However, a request was never made to download the Excel document. Instead, a reply was sent to my misspelled HR email address indicating that the email must have been a mistake, as they should not have access to employee salary information. Good for the employee—they were honest and considerate. Now, how could this be abused?
Thinking on my feet, I quickly created a fake email chain between the HR email account and a newly created, fake third-party law firm that asked for guidance on how to handle an accidental breach of sensitive employee data. Once the email chain looked legitimate, I replied to the targeted employee from the third-party legal team email. Indicating that this (fake) employee was working on behalf of the HR department, I sent over a confidentiality document to ensure the information received by the employee was kept confidential. The employee replied that while they did not open the spreadsheet, they were willing to sign the document. Perfect. Now to craft a new payload to fit this new pretext.
When opened, the HTA presented a full screen on the employee’s workstation including company logos, verbiage requesting the employee delete any confidential data received, and confirmation that the employee did not share data with anyone else. A text field was included for the target employee to enter their name as an electronic signature, along with a “Submit” button that caused the HTA to minimize and remove itself from being displayed on the taskbar.
Within minutes of sending the “legal document” to the employee, I received a Meterpreter shell on the employee’s workstation that provided command-line access to the host and a route into the company’s internal network.
In the end, honesty killed the cat, not curiosity. While it was exceptionally hard for the employee to spot this attack chain, additional application whitelisting and better behavior-based detection and prevention controls could have prevented the payloads from executing. A list of known Microsoft-signed binaries used by malicious actors to bypass controls can be found in the deployment guide for Application Locker and Windows Defender Application Control on Microsoft’s website.
Interested in learning more about how Rapid7 pen testers conduct their assessments? Check out "This One Time on a Pen Test, Part 2: How Just One Flaw Helped Us Beat the Unbeatable Network."