5. Phishing & OOB Exfiltration
Through Purple Tinted Glasses
The Network
[Figure: lab network diagram with DNS, Dev, Clients, Corp and Attacker segments; addresses shown: 10.133.48.0/23, 10.133.50.0/23, 10.133.150.0/23 and 10.133.255.254]
Phishing – Delivery & Payloads
Delivery Examples
• Email, generic ‘campaign’ or targeted attack (spear phishing)
• SMS (Smishing) / Voice (Vishing)
• Web based (malicious/hacked website)
• Malvertising
Phishing – HTA Files
<script language="VBScript">
' Move the HTA window off-screen so nothing is visible to the user
window.moveTo -4000, -4000
' The command we are executing
cmd = "powershell.exe -c Test-Connection 10.133.251.1xx"
Set runme = CreateObject("Wscript.Shell")
' Window style 0 = hidden; True = wait for the command to complete before continuing
result = runme.Run(cmd, 0, True)
window.close()
</script>
Unicorn
• TrustedSec https://github.com/trustedsec/unicorn
• Simple to use, well documented and regularly updated with new
techniques/evasion methods
• Various payloads rely on an msf handler listening on the attacking system (all required configs generated by the tool)
Creating a Campaign
Gophish
• Targets (Users & Groups tab)
• Email template
• Landing page
• Sending Profile
https://docs.getgophish.com/user-guide
Sysmon
• Part of Sysinternals suite
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
• Configuration file can be supplied (-i) containing desired rules
• Great template config from @SwiftOnSecurity
https://github.com/SwiftOnSecurity/sysmon-config
Beats Agents
Packetbeat
• Lightweight packet analyser to send data to Elasticsearch / Logstash
• Configuration (Windows) – generate a configuration file, install the packetbeat
service (PS script included with package)
• Configured on select targets in the LAB
https://www.elastic.co/products/beats/packetbeat
Beats Agents
Winlogbeat
• Ship Windows event logs to Elasticsearch / Logstash
• Configuration (Windows) – generate a configuration file, install the winlogbeat
service (PS script included with package)
• Configured on the Windows clients and servers in the LAB
https://www.elastic.co/products/beats/winlogbeat
Monitoring & Alerting
Elasticsearch, Logstash, Kibana (ELK)
Kibana – web-based frontend to allow real-time, visual analysis of collected data in Elasticsearch
Elasticsearch – based on Apache Lucene, a NoSQL (JSON based/document store model) database
Logstash – a tool to intake, process and output log data from various sources
Phishing IOCs
• In this example we’re focusing on HTA delivery
• Hence, mshta.exe is interesting to us…
beat.hostname : "<$target>" AND event_data.ParentImage : "mshta.exe"
• But, in reality, we may want to be a bit more thorough and check for ‘interesting’ processes spawning, excluding those from explorer.exe
• Enter LOLBAS - https://lolbas-project.github.io/#
Phishing IOCs
beat.hostname : "<$target>" AND (_exists_: event_data.ParentImage AND NOT
event_data.ParentImage: explorer.exe) AND event_data.Image: (Atbroker.exe OR
Bash.exe OR Bitsadmin.exe OR Certutil.exe OR Cmdkey.exe OR Cmstp.exe OR
Control.exe OR Csc.exe OR Cscript.exe OR Dfsvc.exe OR Diskshadow.exe OR Dnscmd.exe
OR Esentutl.exe OR Eventvwr.exe OR Expand.exe OR Extexport.exe OR Extrac32.exe OR
Findstr.exe OR Forfiles.exe OR Ftp.exe OR Gpscript.exe OR Hh.exe OR Ie4uinit.exe
OR Ieexec.exe OR Infdefaultinstall.exe OR Installutil.exe OR Makecab.exe OR
Mavinject.exe OR Microsoft.Workflow.Compiler.exe OR Mmc.exe OR Msbuild.exe OR
Msconfig.exe OR Msdt.exe OR Mshta.exe OR Msiexec.exe OR Odbcconf.exe OR Pcalua.exe
OR Pcwrun.exe OR Presentationhost.exe OR Print.exe OR Reg.exe OR Regasm.exe OR
Regedit.exe OR Register-cimprovider.exe OR Regsvcs.exe OR Regsvr32.exe OR
Replace.exe OR Rpcping.exe OR Rundll32.exe OR Runonce.exe OR Runscripthelper.exe
OR Sc.exe OR Schtasks.exe OR Scriptrunner.exe OR SyncAppvPublishingServer.exe OR
Verclsid.exe OR Wab.exe OR Wmic.exe OR Wscript.exe OR Wsreset.exe OR Xwizard.exe)
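The same "interesting child, parent is not explorer.exe" rule, applied in Python to Sysmon Event ID 1 records instead of in Kibana, so the logic can be tested offline. This is an added example, not code from the deck: the records are constructed to mimic the winlogbeat field names the query above uses (beat.hostname, event_data.Image, event_data.ParentImage), the LOLBAS set is a subset of the slide's list, and the real index's document shape may differ.

```python
"""Apply the slide's LOLBAS filter to Winlogbeat-shipped Sysmon Event ID 1 records.

Added example, not from the original deck. Field names follow the Kibana query
on the slide; the sample events below are constructed.
"""
import ntpath

# Subset of the LOLBAS image names from the slide's query (not the full list).
LOLBAS_IMAGES = {
    "bitsadmin.exe", "certutil.exe", "cmstp.exe", "cscript.exe", "mshta.exe",
    "msiexec.exe", "regsvr32.exe", "rundll32.exe", "schtasks.exe", "wmic.exe",
    "wscript.exe",
}


def basename(path):
    """Lower-cased file name of a Windows path, or None when the field is absent."""
    if not path:
        return None
    return ntpath.basename(path).lower()


def is_interesting(event, target_host):
    """Mirror the slide's filter: hostname matches, ParentImage exists and is not
    explorer.exe, and Image is one of the LOLBAS binaries."""
    if event.get("beat", {}).get("hostname") != target_host:
        return False
    data = event.get("event_data", {})
    parent = basename(data.get("ParentImage"))
    if parent is None or parent == "explorer.exe":
        return False
    return basename(data.get("Image")) in LOLBAS_IMAGES


def find_hits(events, target_host):
    """Return the events that match the filter, in log order."""
    return [e for e in events if is_interesting(e, target_host)]


# Constructed sample events (Sysmon Event ID 1 as shipped by winlogbeat).
SAMPLE_EVENTS = [
    {"beat": {"hostname": "CLIENT01"}, "event_id": 1,
     "event_data": {"Image": r"C:\Windows\System32\mshta.exe",
                    "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                    "CommandLine": r"mshta.exe C:\Users\alice\AppData\Local\Temp\attachment.hta"}},
    {"beat": {"hostname": "CLIENT01"}, "event_id": 1,
     "event_data": {"Image": r"C:\Windows\System32\cmd.exe",
                    "ParentImage": r"C:\Windows\explorer.exe",
                    "CommandLine": "cmd.exe"}},
    {"beat": {"hostname": "CLIENT01"}, "event_id": 1,
     "event_data": {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
                    "ParentImage": r"C:\Windows\explorer.exe",
                    "CommandLine": "wmic os get caption"}},
    {"beat": {"hostname": "CLIENT01"}, "event_id": 1,
     "event_data": {"Image": r"C:\Windows\System32\certutil.exe",
                    "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    "CommandLine": r"certutil -hashfile C:\Users\alice\Downloads\setup.msi SHA256"}},
    {"beat": {"hostname": "SERVER01"}, "event_id": 1,
     "event_data": {"Image": r"C:\Windows\System32\mshta.exe",
                    "ParentImage": r"C:\Windows\System32\cmd.exe",
                    "CommandLine": "mshta.exe"}},
    {"beat": {"hostname": "CLIENT01"}, "event_id": 1,
     "event_data": {"Image": r"C:\Windows\System32\svchost.exe",
                    "CommandLine": "svchost.exe -k netsvcs"}},  # no ParentImage field
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS, "CLIENT01"):
        d = hit["event_data"]
        print(f"{basename(d['ParentImage'])} -> {basename(d['Image'])}: {d['CommandLine']}")
```

Running it against CLIENT01 yields two hits: mshta.exe spawned by Outlook (the HTA delivery case) and certutil.exe spawned by PowerShell. The second is a legitimate hash check, which is the trade-off the slide alludes to: excluding explorer.exe parents cuts noise from user-launched tools, but a broad LOLBAS list will still surface benign administrative use that has to be triaged.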
Alternate Data Streams
• An ADS allows one file system entry to contain multiple data sets (NTFS only)
• Original file is always the ‘main’ stream, additional streams are colon delimited
File.txt (main stream), with additional streams File.txt:secretdata.txt:$DATA and File.txt:shell.exe:$DATA
• One option to trigger – wmic process call create File.txt:shell.exe
• A nice article by Oddvar Moe on executing files from ADS
https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
Scheduled Tasks
• Scheduled tasks can be leveraged to an attacker’s advantage
• At boot, logon, event, workstation lock/unlock etc.
• Non-admin users can create tasks (within permission boundaries)
• Combine with an ADS?
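A detection-side counterpart to the two slides above (ADS triggers, and scheduled tasks that might point at one): scan Sysmon process-creation command lines for ADS-style file:stream paths. This is an added example, not code from the deck. The regex is a heuristic (it requires the host file to have an extension and discards URLs and bare host:port strings first), the winlogbeat field names are assumed to match the earlier query, and the command lines are constructed.

```python
"""Spot process-creation command lines that reference an NTFS alternate data
stream (file:stream), whether launched directly, through wmic, or as the action
of a scheduled task.

Added example, not from the original deck. Heuristic: matches <name.ext>:<stream>
after removing URLs, so streams on files without an extension are missed.
"""
import re

# <file name with an extension>:<stream name>, optionally followed by :$DATA.
# A drive letter such as C:\ has no dot before the colon and so never matches.
ADS_RE = re.compile(r"(?<![\w.\-])([\w.\-]+\.\w+):([\w.\-]+)(?::\$DATA)?")
URL_RE = re.compile(r"\w+://\S+")  # host:port inside a URL would look like a stream


def find_ads_references(cmdline):
    """Return [(file, stream), ...] for every ADS-style path in a command line.
    A purely numeric 'stream' is treated as a port number and skipped."""
    candidates = ADS_RE.findall(URL_RE.sub("", cmdline or ""))
    return [(f, s) for f, s in candidates if not s.isdigit()]


def scan(events):
    """Walk Sysmon Event ID 1 records (winlogbeat field names, assumed) and
    report (image, file, stream) for each ADS reference found."""
    hits = []
    for ev in events:
        data = ev.get("event_data", {})
        for file_name, stream in find_ads_references(data.get("CommandLine")):
            hits.append((data.get("Image"), file_name, stream))
    return hits


# Constructed sample events; the first is the slide's own wmic trigger.
SAMPLE_EVENTS = [
    {"event_data": {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
                    "CommandLine": "wmic process call create File.txt:shell.exe"}},
    {"event_data": {"Image": r"C:\Windows\System32\schtasks.exe",
                    "CommandLine": r'schtasks /create /tn Updater /sc onlogon /tr "C:\Users\alice\notes.txt:update.exe"'}},
    {"event_data": {"Image": r"C:\Windows\System32\cmd.exe",
                    "CommandLine": r"cmd.exe /c more < C:\data\report.docx:secretdata.txt:$DATA"}},
    {"event_data": {"Image": r"C:\Program Files\Browser\browser.exe",
                    "CommandLine": "browser.exe https://updates.example.com:443/check"}},
    {"event_data": {"Image": r"C:\Windows\System32\notepad.exe",
                    "CommandLine": r"notepad.exe C:\Users\alice\File.txt"}},
    {"event_data": {"Image": r"C:\Windows\System32\curl.exe",
                    "CommandLine": "curl.exe 10.133.50.50:8080/status"}},  # port, not a stream
]

if __name__ == "__main__":
    for image, file_name, stream in scan(SAMPLE_EVENTS):
        print(f"ADS reference from {image}: {file_name}:{stream}")
```

The three true positives are the wmic launch, the scheduled-task action and the `more` read of a data stream; the URL, the plain file path and the host:port string are not reported. Because Sysmon also records stream creation itself (Event ID 15, FileCreateStreamHash), pairing this command-line check with those events gives both the write and the later use of a stream.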
Binary Execution
• AppLocker (default rules) prohibits binary execution for standard users in several places
• Default rules allow various locations under C:\Windows and System32
• https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md
Exfiltrating Data Over ICMP
• ICMP doesn’t use ports and is often left enabled, forgotten and unmonitored
• Overcomes network egress issues when usual channels are blocked
• icmpsh is a reverse ICMP shell - https://github.com/inquisb/icmpsh
• Server works in C, Perl, Python, client is Win32
• Need to disable ICMP replies from attacking host before starting server
sysctl -w net.ipv4.icmp_echo_ignore_all=1
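Since the point of this slide is that ICMP goes unmonitored, here is a baseline check a defender can run over captured echo traffic: group echo requests per source/destination pair and time window, then flag pairs that either exceed a request rate or carry payload sizes a plain ping would not produce. This is an added example, not code from the deck or from icmpsh. The records are constructed and use a generic field layout (ts, src, dst, icmp_type, payload_len) rather than Packetbeat's real document schema; the "normal" payload sizes (32 bytes for Windows ping, 56 for Linux ping) and the rate threshold are assumptions to tune per network.

```python
"""Baseline check for ICMP echo traffic: rate and payload-size anomalies.

Added example, not from the original deck. Record layout, default payload
sizes and thresholds are assumptions; the sample records are constructed.
"""
from collections import defaultdict

ECHO_REQUEST = 8
DEFAULT_PING_PAYLOADS = {32, 56}   # assumption: Windows and Linux ping defaults
MAX_REQUESTS_PER_WINDOW = 20       # assumption: tune to the environment
WINDOW_SECONDS = 60


def summarise_echo(records, window=WINDOW_SECONDS):
    """Group echo requests per (src, dst, time bucket) and return
    {(src, dst, bucket): {"count": n, "sizes": set(...), "bytes": total}}."""
    summary = defaultdict(lambda: {"count": 0, "sizes": set(), "bytes": 0})
    for r in records:
        if r["icmp_type"] != ECHO_REQUEST:
            continue  # replies and other ICMP types are not counted here
        bucket = int(r["ts"] // window)
        s = summary[(r["src"], r["dst"], bucket)]
        s["count"] += 1
        s["sizes"].add(r["payload_len"])
        s["bytes"] += r["payload_len"]
    return summary


def suspicious_pairs(records, max_requests=MAX_REQUESTS_PER_WINDOW):
    """Sorted (src, dst) pairs that exceed the per-window request threshold
    or carry payload sizes outside the default ping sizes."""
    flagged = set()
    for (src, dst, _bucket), s in summarise_echo(records).items():
        odd_sizes = s["sizes"] - DEFAULT_PING_PAYLOADS
        if s["count"] > max_requests or odd_sizes:
            flagged.add((src, dst))
    return sorted(flagged)


def _echo(ts, src, dst, size):
    """Build one constructed echo-request record."""
    return {"ts": ts, "src": src, "dst": dst, "icmp_type": ECHO_REQUEST, "payload_len": size}


# Constructed sample: a normal 4-packet Windows ping, then a burst of
# variable-size echo requests from one client to a host outside the LAB ranges
# (203.0.113.10 is a documentation address).
SAMPLE_RECORDS = (
    [_echo(1000 + i, "10.133.48.20", "10.133.255.254", 32) for i in range(4)]
    + [_echo(1000 + i * 0.5, "10.133.50.50", "203.0.113.10", 17 + (i * 37) % 900)
       for i in range(40)]
    + [{"ts": 1001, "src": "10.133.255.254", "dst": "10.133.48.20",
        "icmp_type": 0, "payload_len": 32}]   # echo reply, ignored
)

if __name__ == "__main__":
    for src, dst in suspicious_pairs(SAMPLE_RECORDS):
        print(f"suspicious ICMP echo traffic: {src} -> {dst}")
```

The four-packet ping is left alone; the burst is flagged on both criteria. A shell carried inside echo payloads has to send many requests with data-dependent sizes, so either test alone would catch it, and together they also tolerate a single oversized diagnostic ping.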
Exfiltrating Data Over ICMP
[Figure: ICMP exfiltration path on the lab network diagram (Dev, Clients, Corp, DNS and Attacker; 10.133.48.0/23)]
Exfiltrating Data Over DNS
[Figure sequence: recursive resolution of attacker1.domainname.xyz, drawn with Victim, Recursive Server, Root Server, TLD Server and Name Server; the numbered exchanges are reproduced below]
Victim to Recursive Server: I’m looking for attacker1.domainname.xyz, do you know of this host?
1. Recursive Server to Root Server: Hi, can you give me the TLD of .xyz?
2. Root Server: Sure, try 123.123.123.124
3. Recursive Server to TLD Server: Hi, can you give me the server address of domainname.xyz?
4. TLD Server: Sure, this host can be found at 66.77.88.99
5. Recursive Server to Name Server: Hi, I’m looking for the host attacker1.domainname.xyz, can you give me the IP please?
6. Name Server: Sure, this host is at 1.10.100.1
Recursive Server to Victim: The host you’re looking for can be found at 1.10.100.1, have a nice day!
The authoritative Name Server for domainname.xyz receives every query name in full, which is what makes DNS usable as an exfiltration channel.
Exfiltrating Data Over DNS
(Simple Proof of Concept)
• A handy resource - https://www.notsosecure.com/oob-exploitation-cheatsheet/
Exfiltrating Data Over DNS
[Figure: DNS exfiltration path on the lab network diagram (DNS, Dev, Clients, Corp and Attacker; addresses shown: 10.133.48.0/23, 10.133.255.254, 10.133.50.50)]
<DNS DEMO>
Coming up shortly…
DNS IOCs (A Visual Representation)
• 1st IOC is based on a total count of ETLD requests over a defined time period
DNS IOCs (A Visual Representation)
• 2nd IOC counts the ETLD requests and splits these into a series of question (query) names
NOT (dns.question.etld_plus_one : <$current_domain> OR *<$rev-zone>.in-addr.arpa)
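Both DNS IOCs from the two slides above, computed over a sample query log so the numbers behind the Kibana charts can be checked offline: a per-window count of requests per eTLD+1, and a per-eTLD+1 count of distinct question names, each after dropping the organisation's own domain and its reverse zone as the NOT (...) clause does. This is an added example, not code from the deck. The query names are constructed (domainname.xyz and attacker1 are taken from the DNS slides), corp.local and 133.10.in-addr.arpa stand in for <$current_domain> and <$rev-zone>, and the tiny SUFFIXES table is a stand-in for the public suffix list that Packetbeat's dns.question.etld_plus_one field is derived from.

```python
"""Reproduce the two DNS IOCs from the slides over a sample query log.

Added example, not from the original deck. SUFFIXES is a stand-in for the
public suffix list; CURRENT_DOMAIN, REVERSE_ZONE, the threshold and the
sample queries are constructed.
"""
from collections import Counter, defaultdict

# Stand-in public suffix table (assumption; real tooling uses the full list).
SUFFIXES = {"com", "xyz", "local", "co.uk", "in-addr.arpa"}

CURRENT_DOMAIN = "corp.local"            # <$current_domain> on the slide
REVERSE_ZONE = "133.10.in-addr.arpa"     # <$rev-zone>.in-addr.arpa for 10.133/16


def etld_plus_one(name):
    """Registrable domain of a query name according to SUFFIXES, or None when
    the name is itself a suffix (for example a bare TLD)."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in SUFFIXES:
            return ".".join(labels[i:])
    return None


def is_excluded(name):
    """The slide's NOT (...) clause: drop the current domain and the reverse zone."""
    n = name.rstrip(".").lower()
    return etld_plus_one(n) == CURRENT_DOMAIN or n.endswith(REVERSE_ZONE)


def ioc_counts(queries, window=60):
    """IOC 1: {(time bucket, etld+1): request count}."""
    counts = Counter()
    for ts, qname in queries:
        if is_excluded(qname):
            continue
        e = etld_plus_one(qname)
        if e:
            counts[(int(ts // window), e)] += 1
    return counts


def distinct_names(queries):
    """IOC 2: {etld+1: set of distinct question names seen behind it}."""
    names = defaultdict(set)
    for _ts, qname in queries:
        if is_excluded(qname):
            continue
        e = etld_plus_one(qname)
        if e:
            names[e].add(qname.rstrip(".").lower())
    return names


def flag_domains(queries, max_distinct=25):
    """Domains with more distinct question names than the threshold (assumed
    value, tune per environment). Data leaving over DNS is encoded into
    ever-changing subdomains, so this count climbs fast for the exfil domain."""
    return sorted(d for d, s in distinct_names(queries).items() if len(s) > max_distinct)


# Constructed sample log: (unix time, question name).
SAMPLE_QUERIES = (
    [(1000 + i, "fileserver.corp.local") for i in range(10)]
    + [(1000 + i, "20.48.133.10.in-addr.arpa") for i in range(3)]
    + [(1000 + i, "www.example.com") for i in range(5)]
    + [(1000 + i * 0.25, f"{i:08x}.attacker1.domainname.xyz") for i in range(40)]
)

if __name__ == "__main__":
    for (bucket, domain), n in sorted(ioc_counts(SAMPLE_QUERIES).items()):
        print(f"window {bucket}: {domain} requested {n} times")
    for d in flag_domains(SAMPLE_QUERIES):
        print(f"DNS IOC: {d} seen with {len(distinct_names(SAMPLE_QUERIES)[d])} distinct names")
```

Within the single one-minute window the log covers, domainname.xyz accounts for 40 requests against 5 for example.com, and it is the only domain with more than 25 distinct names; the internal and reverse-zone lookups never reach either count, which is the point of the exclusion.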
[Figure: summary of the three monitoring areas covered: Phish Monitoring, ICMP Exfiltration Monitoring, DNS Exfiltration Monitoring]
Key Takeaways
• Knowledge of common opensource toolsets to aid with internal testing of phishing with PowerShell based payloads
• Windows binaries for ‘living off the land’ and relevant IOC filters for Kibana
• Using Kibana to generate graphical charts that can be used to easily identify real-time data exfiltration over various channels
• Details of common Opensource tools that can be used in attack/defense simulations to aid in improving skills and awareness
• Improving an overall awareness of data exfiltration methods using non-conventional channels