"##m3ly_%26ecure-p%40ssw%25rd%23%5d")'/desktop-s4daaf0[tokyoneon:#!extr3m3ly_&ecure-p@ssw%rd#]' CredPhish.ps1 execution. To quickly test CredPhish, move the credphish.ps1 to the target Windows 10 machine and execute it with PowerShell. A persi…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
95%
"With the DNS exfiltration function, execute the dns_server.py script in Kali. Press Ctrl + C to terminate the DNS server, and it will reconstruct the intercepted credentials in plaintext. Another method of exfiltration built into CredPhish is the HTTP request method. It levera…"
T1056.001 Keylogging
86%
"and the $promptmessage usually specifies the account associated with the request. # prompt $targetuser = $env:username $companyemail = "blackhillsinfosec.com" $promptcaption = "Microsoft Office" $promptmessage = "Connecting to: $targetuser@$companyemail" $max…"
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
68%
"user passwords, PowerShell's Resolve-DnsName for DNS exfiltration, and Windows Defender's ConfigSecurityPolicy.exe to perform arbitrary GET requests. Below is an example of CredPhish in action. Notice the credentials delivered to the attacker's DNS server immediately aft…"
T1041 Exfiltration Over C2 Channel
60%
", the DNS server will strip the hexadecimal subdomain to avoid creating dozens of error responses. In the below Wireshark screenshot, notice the "Answers" field no longer includes the subdomain and successfully resolves to one of Google's IP addresses. CredPhish.ps1 configur…"
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
59%
"and the data is sent to the attacker's server — immediately. Exfiltration methods. As mentioned, DNS exfiltration is the default method used to deliver passwords to the attacker's server. The $exfildomains list includes various domains used in DNS queries and chosen at random…"
T1056.002 GUI Input Capture
49%
"How to Phish for User Passwords with PowerShell. tokyoneon // Spoofing credential prompts is an effective privilege escalation and lateral movement technique. It's not uncommon to experience seemingly random password prompts for O…"
T1048 Exfiltration Over Alternative Protocol
47%
", the DNS server will strip the hexadecimal subdomain to avoid creating dozens of error responses. In the below Wireshark screenshot, notice the "Answers" field no longer includes the subdomain and successfully resolves to one of Google's IP addresses. CredPhish.ps1 configur…"
T1048 Exfiltration Over Alternative Protocol
47%
"and the data is sent to the attacker's server — immediately. Exfiltration methods. As mentioned, DNS exfiltration is the default method used to deliver passwords to the attacker's server. The $exfildomains list includes various domains used in DNS queries and chosen at random…"
Summary
tokyoneon // Spoofing credential prompts is an effective privilege escalation and lateral movement technique. It’s not uncommon to experience seemingly random password prompts for Outlook, VPNs, and various other authentication […]