Conducting a targeted phishing exercise against a company? Most likely, this company has job openings posted on an external job site ripe for picking. Resumes are typically in PDF or .Docx form, both of which are great for delivering payloads. Adobe has a plethora of vulnerabilities with publicly available exploits, so if you know what version Human Resource (HR) recruiters at your target company are using, you may take this route. However, this post focuses on sending a malicious Microsoft Word Document with a batch+PowerShell reverse shell payload included.
- Find open position at target company
- Find email address(es) of HR employee(s) at target company
- Create the perfect resume for the position in Microsoft Word
- Generate PowerShell Empire batch launcher payload
- Include and disguise .bat file in resume document
- Email resume to HR employee(s) and submit to online portal if available
- Wait for the sh3llz
Step 1 - Find Open Position
This is self explanatory. Search online for open positions at your target company. Find one that you have enough knowledge to create a resume for. My personal favorite is to apply for IT Security positions because I already have a generic resume built for such.. and because I really love subtle irony in phishing tests.
Step 2 - Find email address(es) of HR employee(s)
LinkedIn. This is all you should really need. Simply go on LinkedIn, maybe have a fake profile and look like a reputable applicant, and find people listed as 'Talent Acquisition Specialist', 'Recruiter', or 'Human Resources' at your target company. Once you have their name, simply look on their public website for email addresses disclosed. Those email addresses should provide the format that our recruiter's email will be. For example, if the target company is Foobar.com and on their website a VP's email address is disclosed "John Doe, [email protected]", we now know email addresses for other employees will likely be in the format
Step 3 - Create the perfect resume for the position in Microsoft Word
This is the MOST important step. Make a resume using key details from the job posting. Create a few fake jobs. Maybe even use a few details from your personal career (I mean, this testing is supposed to be approved by the company, so who cares if details point back to yourself). The resume MUST be believable, as you are trying to trick a target into also opening/running a batch file embedded within the document. I like to include a line stating that the resume 'has an interactive' or 'creative' piece to it that can be found in the additional included document. This works especially well if your application is for a software/website/media developer position.
Example resume (payload included):
Step 4 - Generate the Payload
In this step, we use PowerShell Empire to generate a batch file which in turn executes a PowerShell command that establishes a connection from our victim machine back to our attacking machine. At the time of writing this post, most signature-based AntiVirus programs are not catching Empire reverse shell payloads.
To generate the payload...
- Download and install PowerShell Empire (https://github.com/adaptivethreat/Empire)
- Setup a PowerShell Empire HTTPS listener (you could use HTTP, however encrypted traffic = higher likelihood of circumventing IDS/IPS)
- Generate a payload using stager launcher_bat
- Grab the generated batch file and rename it to something that fits within your pretext, such as 'interactiveresume.bat'
Note - this post is not a tutorial on how to use PowerShell Empire, hence the brevity. To learn how to configure a listener, generate a payload, and work with agents, see https://www.powershellempire.com/
Step 5 - Include and Disguise Payload
In this step, we take the batch file and place it into our resume using Microsoft Object Linking and Embedding (OLE). Once inserted, we can change the icon to appear like another Word or Excel document. Credit for the OLE idea goes to enigma0x3, discovered on his blog (https://enigma0x3.net/2016/03/15/phishing-with-empire/). To insert the payload..
Open the "Object" pane under the "Insert" tab in Microsoft word. Once in the "Object" pane, do the following:
- Select "Microsoft Word Document"
- Check "Display as Icon"
- Click "Change Icon" and copy the icon directory path that appears (makes life easier in the remaining steps)
- Close out of the directory selection and change tabs to "Create from File" within the "Object" pane
- Click "Browse" and include your batch payload
- Select 'display as icon'
- Select 'change icon'
- Paste the path copied in step 3 to get to the icon directory and select your icon.
- Click okay
Viola, we should have a batch file included in the Word document, disguised as another Microsoft Word document. When opened, it will prompt the user to 'run', but often this is overlooked as a security issue and performed by users. Once the victim clicks run, you should receive an Empire shell on their host!
Step 6 - Email and Submit Resume
If the job application website allows for you to submit the entire Word Document as an attachment (i.e. doesn't convert it all to a quick text format), do such. The recruiter will expect to see your submission through their portal. If not, still submit as an applicant through the portal and then send a follow-up email to their email address. In this follow-up email, state the position being applied for, why you are sending them a direct email (resume could not upload to the portal), and ask them to review the interactive portion of your resume (the payload!). For example...
Step 7 - Wait for Sh3llz
As mentioned, if they open the document and then click 'run', you get a PowerSploit shell! This method can also be used with Macros, which are easier to trick users into enabling (in my opinion) but are more commonly blocked by email filters due to their increased use/popularity for delivering Ransomware and other payloads.
As always, if you have any questions or comments for this post, leave them below!