This might come as a shocker to you (irony), but cyber-criminals use e-mail to attack your users. I feel that client security is something that is often overlooked: IT pros tend to focus on securing the servers rather than on what is possible to do from the clients within the company network. If you think like a cyber-criminal, you will agree that the easiest way to gain access to the internal network of a company is through the end users. An attack that is always detected is the Cryptowall/Cryptolocker malware. The reason it is detected is that the malware is designed to be detected. By detected, I mean that the goal of the malware is to lock/encrypt the computer and demand money from the user to unlock/decrypt it. So, what if the attacker did not want to lock/encrypt the computer, but instead wanted to use it as a jumping point into your network? Would you detect it? Probably not. What I am saying is that these kinds of attacks happen and most companies do not detect them. If a Cryptolocker/Cryptowall malware was able to get inside undetected, how would you detect other kinds of attacks?
What I want to show in this blog post is a simple, but very efficient way of getting inside the network of a company. This attack relies on the users actually clicking, but let’s be honest – they will. I will also explain how to prevent this.
You will need 3 machines in order to demonstrate this attack.
- You will need a machine that will wait for incoming connections – I use a Kali virtual machine, which can be downloaded from here: https://www.kali.org/
- You need a machine to generate the attack. For this I use a standard Windows machine with Office installed. This could be Windows 7/8/8.1/10. The Office installation needs to be Office 2010 or newer. I will also use the following script:
https://raw.githubusercontent.com/api0cradle/Generate-Macro/master/Generate-Macro.ps1 (This is my modified version of a script created by Matt Nelson (@enigma0x3).) This script is used for generating an Excel spreadsheet with a malicious macro.
- A third machine is the victim. This needs to be a Windows 7/8/8.1/10 with Office 2010 or newer.
I will walk you through the steps of the attack. First we need to set up a listener, so start your Kali machine and log on. I prefer to use Armitage, so launch it by clicking on the icon.
Navigate to “Payload – Windows – Meterpreter” in the left menu and select reverse_https:
Open it by clicking on it and use everything default except for the LPORT. Set it to 443 and hit launch. If you are going to do this over the internet the machine needs to be directly connected to internet or at least have port forwarding of some kind. That is however something I will not cover in this post. If everything worked out correctly, you should now have a service listening on port 443 on the Kali machine.
Next we need to log on to the Windows machine that we will use to generate the attack. This machine has Office and the Generate-Macro.ps1 script. I will walk you through the steps of the script.
- Open an elevated PowerShell window and start the script. If the execution policy restricts scripts, you will need to disable it.
- The script will ask where to locate the Invoke-Shellcode script. I have a forked version of PowerSploit and my version is located here: https://raw.githubusercontent.com/api0cradle/PowerSploit/master/CodeExecution/Invoke–Shellcode.ps1
- Next it asks for the IP address. Here you have to type in the IP of your attacker machine (Kali) – in my example it is 192.168.0.66.
- Then it asks for the port number. In this post we used 443 for the listener, so type in 443.
- Then it asks for a document name. You can typically type in “Budget2015” or something.
- Now you need to specify what sort of attack. In this example I will choose number 1. Just type 1 and hit enter.
- Next is the payload. Here we choose https. Type 1 and hit enter again.
- You should now have an Excel spreadsheet located on the desktop.
The Excel sheet is pretty basic right now. It only contains the macros necessary to perform the attack. If you really want to fool a user, you will need to change the spreadsheet so it looks legitimate. You could for example write a budget example and in a lot of the data fields type in “Activate Macro to get budget updates”, and of course include a logo or something.
The next thing you need to do is to move the spreadsheet to the victim computer and open it (This would normally be sent by mail). When the user opens the spreadsheet it asks if it should enable macro content:
The moment you click Enable Content the machine will connect to our listener on the Kali machine and we will have a shell. All of the PowerShell code that is inside the macro loads from the Internet directly into memory and never touches disk. This will probably prevent most antivirus programs from triggering.
A quick video of the attack:
In real life this sort of spreadsheet would be sent to your users, it would contain interesting data and the sender could appear to be a co-worker or the boss of the company. This is a typical targeted attack.
The big question is how to prevent this. For starters I would set the macro security on all machines to prevent unsigned macros. This can be set in group policy: http://blogs.technet.com/b/diana_tudor/archive/2014/12/02/microsoft-project-how-to-control-macro-settings-using-registry-keys.aspx
The other and probably more important thing is to restrict PowerShell, either by using AppLocker (https://www.sixdub.net/?p=367) or by using JEA – Just Enough Administration: http://blogs.technet.com/b/privatecloud/archive/2014/05/14/just-enough-administration-step-by-step.aspx (also see Jeffrey Snover’s presentation of it: http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/DCIM-B362 – great video). And as always, the user must not be a local administrator, since a local administrator (and therefore the attacker running as that user) can always override GPO settings. Group Policy was never designed to administrate administrators.
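To check whether the first recommendation has actually reached the clients, here is an added audit script (not part of the original post) that reads the policy-controlled macro setting for Excel, Word and PowerPoint and, with -Enforce, sets it to “disable all except digitally signed”. It assumes the standard Office policy value VBAWarnings under HKCU:\Software\Policies\Microsoft\Office\<version>\<app>\Security, with 1 = enable all, 2 = disable with notification, 3 = disable except digitally signed, 4 = disable all without notification.

```powershell
# Added example, not from the original post. Audits (and optionally enforces)
# the Office macro policy that the post recommends via Group Policy.
# Assumption: Office reads the DWORD 'VBAWarnings' from the Policies hive, where
# 1 = enable all, 2 = disable with notification (the prompt the victim clicked),
# 3 = disable except digitally signed, 4 = disable all without notification.
# Version keys: 14.0 = Office 2010, 15.0 = Office 2013, 16.0 = Office 2016 and later.
param([switch]$Enforce)

$Versions = '14.0', '15.0', '16.0'
$Apps     = 'Excel', 'Word', 'PowerPoint'
$Required = 3   # disable all macros except digitally signed

$Meaning = @{
    1 = 'enable all (dangerous)'
    2 = 'disable with notification (default; user can click Enable Content)'
    3 = 'disable except digitally signed'
    4 = 'disable all without notification'
}

function Get-MacroPolicy {
    foreach ($v in $Versions) {
        foreach ($app in $Apps) {
            $key = "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security"
            $val = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
            [pscustomobject]@{
                Version     = $v
                App         = $app
                Key         = $key
                VBAWarnings = $val
                Meaning     = if ($null -eq $val) { 'not set by policy (application default applies)' } else { $Meaning[[int]$val] }
                Compliant   = ($val -eq $Required)
            }
        }
    }
}

$report = Get-MacroPolicy
$report | Format-Table Version, App, VBAWarnings, Meaning, Compliant -AutoSize

if ($Enforce) {
    foreach ($entry in ($report | Where-Object { -not $_.Compliant })) {
        # The Security key does not exist until a policy has been applied; -Force creates it idempotently.
        New-Item -Path $entry.Key -Force | Out-Null
        Set-ItemProperty -Path $entry.Key -Name VBAWarnings -Value $Required -Type DWord
        Write-Host "Set VBAWarnings=$Required for $($entry.App) $($entry.Version)"
    }
}
```

Run it in the context of the user you are auditing, since the values live under HKCU. For the whole company, push the same value through the GPO linked above; a setting written by a script is not re-applied the way a Group Policy setting is.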
The point of this blog post is to show you how vulnerable your clients are. Client security is often overlooked and it should not be ignored. Do something about it. This demonstrated attack is one example out of many types of attacks.