Welcome to my newest series of phishing pretexts (with payload generation and usage included). This page serves as an overview and table of contents for the series. I'm no guru when it comes to social engineering, but there are a few tricks which I have had success with over time. Most often during phishing engagements the objective is to obtain remote command execution or credential theft. I've categorized pretexts into two lists below, divided by objective. Please feel free to comment on any pretexts you have had success with in the past, or interesting ideas you think I should try in the field.
Pretext (Merriam-Webster definition): a reason given in justification of a course of action that is not the real reason.
Pretexts for Remote Command Execution
In the event that the target company has 2FA (two-factor authentication) on all of their externally facing services, such as VPN, email, etc., I generally shift to phishing techniques which request that a user download something and execute it. Once executed, a reverse shell is returned to my attacking host. This takes an additional level of work: the payload must go undetected by AV (antivirus), get past email spam filters (most block .exe, .bat files, etc.), and connect back over an allowed egress port without getting caught by IDS / IPS (intrusion detection / prevention systems). See the table of contents below for pretexts.
| Pretext | Description |
|---|---|
| Job Applicant | Once you have a target company, search online for open job postings and build a fake resume according to one. Then, email your resume directly to Human Resources recruiters at the target company with a malicious payload included. |
| Loan Request (Financial Specific) | Is your target a financial company that handles loans? Great! Find anyone who is involved in the loan process, such as underwriters at a target bank, and make up a bogus request for assistance with filling out the necessary loan documentation. Send the documentation back with a malicious payload included. |
Pretexts for Credential Theft
Stealing credentials and using them against external logins, such as the company VPN, email, websites, etc., generally has a higher success rate than tricking users into opening and executing a malicious file. However, if the company has 2FA deployed across all external login interfaces, phishing for credentials may not yield the greatest impact. See the table of contents below for pretexts.
| Pretext | Description |
|---|---|
| IT Security Annual Compliance | Want to phish users' credentials while tossing in a bit of irony? This is my favorite pretext for that! Find an external login portal used by the company, clone its layout, then send out an email requesting that employees complete IT Security Annual Compliance acceptance by [insert date] with a link to your fake portal. |
Well, now that I have the tables and headline page created, stay tuned for the actual tutorial post for each pretext. Titles in the tables will link to their posts once completed.