📓
Red Team Notes
  • Introduction
  • Red Team Notes 2.0
  • Red Team
  • Initial Access
    • Spear Phishing Links
      • HTA Files
      • Binaries
      • PDF Files
      • SET(Social-Engineering Toolkit)
    • Spear Phishing Attachments
      • Macros
      • Dynamic Data Exchange
      • SCR Files
      • LNK Files
    • (+) Links and Attachments
  • Execution
    • Component Object Model and Distributed COM
    • MSHTA
    • PowerShell
    • Rundll32
    • Scheduled Tasks
    • Scripting
    • Trusted Developer Utilities
      • MSBuild
      • Regsvr32
    • Windows Remote Management
    • Windows Management Instrumentation (WMI)
  • Persistence
    • Scheduled Tasks
    • Create Account
    • DLL Search Order Hijacking
    • Hooking
    • Logon Scripts
    • Modify Existing Service
    • New Service
    • Path Interception
    • Registry Keys / StartUp Folder
    • ShortCut Modification
  • Privesc
    • Access Token Manipulation
    • DLL Search Order Hijacking
    • Exploitation for Privesc
    • File System Permissions Weakness
    • Always Install Elevated
  • Defense Evasion
  • Credential Access
    • Credential Dumping
    • Kerberoasting
    • LLMNR/NBT-NS Poisoning and Relay
  • Discovery
  • Lateral Movement
    • Pass the Ticket
    • Pass the Hash
    • Remote Desktops
    • Internal Spearphishing
    • Windows Admin Shares
    • Component Object Model and Distributed COM
    • Windows Remote Management
  • Collection
  • Command and Control
  • Exfiltration
  • Impact
  • Active Directory
    • Introduction
      • Kerberos
      • LDAP
    • Enumeration
    • Attacks
      • Unconstrained Delegation
      • Constrained Delegation
      • DCSync
      • Kerberoasting
      • Silver Tickets
      • Golden Tickets
  • Detection
    • Detection
    • Initial Access
    • Execution
      • MSHTA (Detection)
  • Resources & References
    • References & Resources
Powered by GitBook
On this page

Was this helpful?

  1. Lateral Movement

Internal Spearphishing

ID: T1534 Tactic: Lateral Movement

Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is multi-staged attack where an email account is owned either by controlling the user's device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase likelihood of tricking the target into falling for the phish attempt.

Adversaries may leverage Spearphishing Attachment or Spearphishing Link as part of internet spearphishing to deliver a payload or redirect to an external site to capture credentials through Input Capture on sites that mimic email login interfaces.

There have been notable incidents where internal spearphishing has been used. The Eye Pyramid campaign used phishing emails with malicious attachments for lateral movement between victims, compromising nearly 18,000 email accounts in the process. The Syrian Electronic Army (SEA) compromised email accounts at the Financial Times(FT) to steal additional account credentials. Once FT learned of the attack and began warning employees of the threat, the SEA sent phishing emails mimicking the Financial Times IT department and were able to compromise even more users.

Examples:

Currently being worked on once AD is all set with user's but this is pretty obvious you have an internal user, and you send email's internally.

PreviousRemote DesktopsNextWindows Admin Shares

Last updated 5 years ago

Was this helpful?