Social-Engineering-Payloads: Collection of social engineering payloads
This is a collection of generic payloads that I have used successfully for the red team and social engineering assessments. Any questions, comments, or concerns should be addressed to t3ntman@gmail.com or @t3ntman on Twitter.
Download
git clone https://github.com/t3ntman/Social-Engineering-Payloads.git
Usage
“Browser Check” Campaign
Pretext
The pretext for this campaign is that the company is requiring all employees to run their “browser check” due to recent vulnerabilities identified in several web browsers. This “browser check” will scan their system for these vulnerabilities.
Payload
The payload for this campaign is an HTML Application (HTA) that uses VBScript to run an implant on the system. Using a PowerShell one-liner (like those generated with PowerShell Empire and Cobalt Strike) is preferred. HTA payloads are nice because they are executed by the Microsoft-signed mshta.exe binary.
Setup
- Move browsercheck.hta to the server’s webroot.
- Edit <title>CLIENT HERE</title> on Line 3 of browsercheck.hta to reflect the company’s name.
- Edit ICON="" on Line 15 of browsercheck.hta to reflect the company's favicon.ico file (this should be downloaded from their main website).
- Edit strArgs = "powershell.exe" on Line 31 to reflect the PowerShell one-liner generated by PowerShell Empire or Cobalt Strike.
- Edit <p>Company's main logo here</p> on Line 103 to reflect the company's main logo. This will help add believability to the campaign.
Optional (but strongly recommended)
It is recommended to use a Content Management System (CMS) like WordPress that will serve an “instructions” page with a direct link to the HTA. This “instructions” page should provide instructions to the victim, and can include images if you see fit. This will help with domain categorization (BlueCoat, Palo Alto) if it’s manually browsed to.
FakeExcel
Payload
The payload is a custom executable that uses the Excel icon and a Right-to-Left Override (RTLO) character in its filename to masquerade as an Excel document. The payload makes a non-malicious HTTP GET request to a specified domain (could be modified for more malicious intent), and copies an Excel document embedded in the resource section of the PE to %TEMP%. The copied file in %TEMP% is then opened so the user is not alarmed.
Setup
- Open Visual Studio and create a new Console Application project. I called mine "FakeExcel" for this example.
- Paste the contents of Program.cs into the new project’s Program.cs.
- Change the domain string to the domain you want to make the HTTP GET request to.
- Change the temp_filename string to the filename you want to be created in %TEMP%.
- In Visual Studio, select Project, then Properties, and then Application. Change Target Framework to .NET Framework 3.5. Also, change Output Type to Windows Application. This will prevent a console window from appearing when the victim double-clicks the executable. Within this same tab, make sure to change Icon to the provided icon.ico file.
- In Visual Studio, select Project, then Properties, and then Resources. Select Add Resource to add an actual Excel document to the "Resource" section of the PE file. I called mine "test", so make sure you change the global::FakeExcel.Properties.Resources.test line in Program.cs to accurately reflect what you named the added resource.
- In Visual Studio, select Build, and then select Build Solution. Verify that everything builds successfully. Execute the program to verify that your website receives the HTTP GET request.
- Take the compiled executable and use the following Ruby command to do the RTLO on the filename: ruby -e 'File.rename("FakeExcel.exe", "2017 Salaries_tl\xe2\x80\xaexslx.exe")'. This will create a file that displays as 2017 Salaries_tlexe.xlsx, so change that to match your pretext.
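The same property that makes the RTLO rename convincing (a U+202E control character sitting in the filename) also makes it easy to detect. The following is an added example, not code from this repository: a defender-side check that flags filenames containing Unicode bidi controls, reports the extension the OS will really act on, and shows the analyst what the victim saw. The executable-extension list and the simplified rendering model are assumptions of this example.

```python
import os
import unicodedata

# Unicode bidi controls that change how a name is rendered. U+202E is the RTLO
# used in the FakeExcel rename; the rest are its siblings and are worth flagging too.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069\u200e\u200f")

# Assumed list of extensions Windows will execute on double-click; extend to taste.
EXECUTABLE_EXTENSIONS = frozenset({".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                                   ".hta", ".js", ".jse", ".vbs", ".vbe", ".ps1", ".msi", ".lnk"})

def real_extension(name: str) -> str:
    """The extension the OS actually acts on: text after the last '.', controls removed."""
    clean = "".join(c for c in name if c not in BIDI_CONTROLS)
    return os.path.splitext(clean)[1].lower()

def displayed_name(name: str) -> str:
    """Approximate what a file manager shows: text after a U+202E is drawn
    right-to-left (reversed) until a U+202C pops the override. Enough to
    explain a finding to an analyst; not the full Unicode bidi algorithm."""
    out, run, reversing = [], [], False
    for c in name:
        if c == "\u202e":
            reversing = True
        elif c == "\u202c" and reversing:
            out.extend(reversed(run))
            run, reversing = [], False
        elif c in BIDI_CONTROLS:
            continue  # other controls are invisible; drop them from the rendering
        elif reversing:
            run.append(c)
        else:
            out.append(c)
    out.extend(reversed(run))
    return "".join(out)

def analyse_filename(name: str) -> dict:
    """Findings for one filename, suitable for a mail-gateway, share-scan or EDR rule."""
    controls = [f"U+{ord(c):04X} {unicodedata.name(c)}" for c in name if c in BIDI_CONTROLS]
    ext = real_extension(name)
    return {"name": name, "bidi_controls": controls, "real_extension": ext,
            "displayed_as": displayed_name(name),
            "suspicious": bool(controls) and ext in EXECUTABLE_EXTENSIONS}

def scan(names):
    """Return only the filenames that should be blocked or alerted on."""
    return [f for f in map(analyse_filename, names) if f["suspicious"]]

if __name__ == "__main__":
    # Constructed sample: the README's renamed FakeExcel plus benign neighbours.
    SAMPLES = ["2017 Salaries_tl\u202exslx.exe", "Q3 report.xlsx", "setup.exe", "notes\u200e.txt"]
    for finding in scan(SAMPLES):
        print(finding)
```

A benign name that merely contains a left-to-right mark is reported but not flagged as suspicious, which keeps the rule from paging on legitimate non-Latin filenames.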