Once we are able to contact the target and sound legitimate, we should be able to get a binary executed through persuasive and undetectable techniques. Below we discuss some of these techniques:
PowerPoint presentation with embedded .exe
A method of delivering an executable that looks legitimate and is not detected by antivirus (provided the executable itself is undetectable, of course) is to embed it as an object in a PowerPoint presentation. However, this only works on MS Office 2007 and earlier versions, not on MS Office 2010 or 2013.
On the 1st slide of the presentation we take the following steps:
Tip: Draw something on the 1st slide and “send to back” the created object so that it is not visible when the presentation is opened by the target.
After creating the object we should configure it to execute immediately when someone runs the presentation (if the target clicks “Run”), as described below.
Afterwards, we test that everything is working properly by renaming the presentation to .pps and running it. A prompt that requires us to authorize the execution should appear, and if we click “Run” the executable file runs.
The last thing we have to do is to create a nice-looking 1st slide (the title of an “internal” presentation, with colors and styles similar to the target company’s, is a good choice) and also a 2nd slide which tells the user that he can’t see the presentation unless he runs the executable.
An MS Word file can be trojanized with shellcode in the form of a macro. The shellcode can be encoded by Metasploit’s PowerShell Base64 Command Encoder (cmd/powershell_base64) and then output in VBA format. This technique is currently undetectable by most AVs, provided that the shellcode itself is undetectable. However, it is possible to bypass all AVs by changing the macro manually.
After encoding the shellcode using the “cmd/powershell_base64” Metasploit module, we execute the following commands.
$ cat shellcode.bin | msfencode -t vba > macro.txt
$ cat macro.txt
#If Vba7 Then
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal …..
………
………
Sub Workbook_Open()
Auto_Open
End Sub
When the document is opened by the target, he will be notified by a security warning bar that “Macros have been disabled”. It is crucial to trigger the target’s curiosity in order to bend his will and make him enable macros. To achieve that, the content of the document should contain legitimate information that has been harvested passively from various sources and advertise something extraordinary, e.g. a salary bonus.
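For the defender’s side of both delivery methods above (an object embedded in a presentation, and a macro-carrying document), the following added Python check, which is not part of the original post, inspects an OOXML package (the zip-based .pptm/.ppsm/.docm containers, not the legacy binary .pps format) for embedded OLE objects and a VBA project. The sample package it examines is constructed in memory.

```python
import io
import re
import zipfile

# Parts that carry the two delivery mechanisms discussed above: an embedded
# OLE object (*/embeddings/*.bin) and a VBA macro project (vbaProject.bin).
EMBEDDING_RE = re.compile(r"^(?:ppt|word|xl)/embeddings/[^/]+\.bin$")
VBA_PART = "vbaProject.bin"


def triage_ooxml(data: bytes) -> dict:
    """Report which risky carriers an OOXML (.pptm/.ppsm/.docm/...) package holds.

    OOXML files are zip packages, so the parts are read straight from the zip.
    This is a triage signal, not a verdict: both features are legitimate, which
    is exactly why they are convenient for phishing.
    """
    findings = {"embedded_objects": [], "has_vba": False, "macro_enabled": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        findings["embedded_objects"] = sorted(n for n in names if EMBEDDING_RE.match(n))
        findings["has_vba"] = any(n.rsplit("/", 1)[-1] == VBA_PART for n in names)
        if "[Content_Types].xml" in names:
            # The main part's content type contains "macroEnabled" for .pptm/.ppsm/.docm.
            types = z.read("[Content_Types].xml").decode("utf-8", "replace")
            findings["macro_enabled"] = "macroEnabled" in types
    return findings


def build_sample(with_vba: bool, with_embedding: bool) -> bytes:
    """Construct a minimal PowerPoint-like package in memory (constructed test
    data, not a real Office file; part contents are placeholders)."""
    main_type = ("application/vnd.ms-powerpoint.slideshow.macroEnabled.main+xml"
                 if with_vba else
                 "application/vnd.openxmlformats-officedocument.presentationml.slideshow.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types><Override PartName="/ppt/presentation.xml" '
                   f'ContentType="{main_type}"/></Types>')
        z.writestr("ppt/presentation.xml", "<p:presentation/>")
        if with_vba:
            z.writestr("ppt/vbaProject.bin", b"placeholder")
        if with_embedding:
            z.writestr("ppt/embeddings/oleObject1.bin", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_ooxml(build_sample(with_vba=True, with_embedding=True)))
```

A mail gateway or triage script can quarantine anything where `has_vba` or `embedded_objects` is set for review, regardless of whether the antivirus engine flagged the payload.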
It is possible to add Windows User Account Control (UAC) awareness to any Windows executable. Making the executable UAC-aware may prove essential in specific cases where the target is a local administrator but UAC is set to the highest level. Metasploit’s “bypassuac” module will not work when UAC is at the highest level. Furthermore, Metasploit’s “ask” module requires an already established session, and it will also ask for the Administrator password in case the user does not have local administrator privileges. If we choose to make the executable UAC-aware, we prefer giving it the “highestAvailable” execution level rather than “requireAdministrator”, unless we want to compel the target user to call the administrator and ask him to enter his password in order to gain administrator access. We can make a UAC-aware executable either by following the steps of the article below or through Visual Studio.
Evading blocking technologies
Blocking technologies include antivirus and endpoint software, IDS/IPS, proxy/web filtering, firewalls with deep packet inspection, etc. We will publish a dedicated blog post on antivirus evasion techniques soon.