Your phish lands on a host. What is the first thing you do?
(If 4 answers aren't enough, reply below)
Congrats. It’s Win 7 and you now have 2 plaintext passwords. One looks like a Domain Admin account!
You attempt to move laterally to another host with the DA password. Access Denied.
What?
Try again.
Access Denied.
Try again!
2/10
The target org doesn’t have any single factor externally facing services. You need to prompt for 2FA, so you go to work building a UI to prompt for the one time passcode.
3/10
Hmm. You try resending your phish to other victims, but your pixel trackers suggest they’re not even landing at all in any inboxes. Your mail service says they were delivered, though.
4/10
Running Mimikatz tripped a silent alarm, which took 7 minutes to get SOC attention.
The DA password was a simple fake (invoke-honeyaccount). The password wasn’t real. The account has SOC alerts anytime it tries to login.
6/10
7/10
8/10
9/10
10/10
You saw a nifty tool the other day on a blog. It generates a dialog box that looks similar to the Windows security UI, prompting for passwords. You decided to use it. It's convenient and execute as in-memory PowerShell.
1/18
Response came back: empty string. No password. What happened?
You try on your VM. If the user clicks the "x" it just exits and returns an empty string password.
Try it again.
2/18
You go look at the source code. You're a great Googler. A few minutes later, you found a Stack Overflow article showing you how to disable the "x" button. You repackage and send it in.
3/18
No way that's the password. You attempt to verify it; result: authentication failure.
You go back to the source code. A few more Stack Overflow articles, you have a version that won't exit until it gets a password that actually works.
4/18
You attempt to verify it; result: authentication success. It's legit. Your code works.
Now, what to do with it?
5/18
Then ...
You noticed your shell stopped calling home.
6/18
You didn't look where you landed or what was running. You didn't notice the EDR product running or the fact that it was PowerShell v5 with central logging turned on.
8/18
9/18
10/18
11/18
12/18
IR finishes a quick check to ensure no other machines on the network are talking your C2 domain. Nobody was.
13/18
14/18
15/18
16/18
Red Teaming can be hard.
17/18
That's ok, this isn't a failure; it helped them improve processes, policy, and detections, but you didn't hit your objective. Not even close.
There's always next time.
THE END
18/18
How do you do it?
How do you do it?
"I don't know, however beacon does it" 🤣
You run "ipconfig": 10.42.98.19
Then you run "whoami": CORP\Bob
Then you run "whoami /groups": no, Bob is not a local admin, but he does belong to several Accounting groups.
Then your connection drops! What happened? "Maybe Bob just shut his laptop" you say to yourself.
These commands have been around since the beginning of the command line, and you can execute them in your sleep, which is what you must have been, because you didn't notice endpoint controls running on this host.
Your client takes this as validation that their EDR product and hunting processes worked, so it's not a _completely_ wasted effort.