Initial Access Payloads

Sending a payload to the phished user(s) is a direct way to gain a foothold, since it will be executed on their system. There are broadly two options for delivering a payload.

  1. Send a URL where a payload can be downloaded.

  2. Attach the payload to the phishing email.


One significant difference (apart from how you dress it up to the user) is that any file downloaded via a browser (outside of a trusted zone) will be tainted with the "Mark of the Web" (MOTW). In a nutshell, this is an NTFS alternate data stream, named Zone.Identifier, that gets attached to the file and records that it was downloaded from an untrusted location. The zone data can be read with PowerShell.

PS C:\Users\bfarmer\Downloads> gc .\test.txt -Stream Zone.Identifier
[ZoneTransfer]
ZoneId=3
HostUrl=http://nickelviper.com/test.txt


The possible zones are:

  • 0 => Local computer

  • 1 => Local intranet

  • 2 => Trusted sites

  • 3 => Internet

  • 4 => Restricted sites

Files with MOTW are handled with additional security scrutiny - you may be familiar with both Windows SmartScreen and Office Protected View. They often don't stop files from being opened or executed, but they require the user to click through more warning boxes, which lowers the likelihood of your phish being successful. If the MS Office "block macros downloaded from the Internet" policy is enabled, a user cannot run a macro-enabled document even if they wanted to. This will soon be the default setting.

Files that are emailed "internally" via a compromised Exchange mailbox are not tagged with a Zone Identifier.
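The two points above (reading the Zone.Identifier stream, and the fact that some delivery paths leave files with no zone tag at all) are what a defender would audit for. The script below is an added example, not part of the original page: it parses the Zone.Identifier stream with the same Get-Content -Stream call shown earlier, maps the ZoneId to the zone names listed above, and reports macro-capable Office files that carry no MOTW (the case where Protected View and the macro-blocking policy never engage). The directory path, the extension list, and the function names are assumptions chosen for the example; it needs Windows and an NTFS volume, since the stream is an NTFS feature.

```powershell
# Added example (not from the original page): audit a directory for Mark-of-the-Web state.
# Requires Windows with NTFS; Get-Content -Stream reads the alternate data stream.

# ZoneId -> zone name, as listed on the page
$ZoneNames = @{
    0 = 'Local computer'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

# Extensions assumed for the example: Office formats that can carry VBA macros
$MacroCapableExtensions = @('.doc', '.xls', '.ppt', '.docm', '.xlsm', '.pptm')

function Get-MotwZone {
    # Returns the parsed Zone.Identifier stream for one file, or $null if the file has no MOTW.
    param([Parameter(Mandatory)][string]$Path)

    try {
        $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        # No Zone.Identifier stream: the file was never tagged (local creation, internal mail, etc.)
        return $null
    }

    $result = [ordered]@{ ZoneId = $null; ZoneName = 'Unknown'; HostUrl = $null; ReferrerUrl = $null }
    foreach ($line in $lines) {
        # The stream is INI-style: a [ZoneTransfer] header followed by key=value lines
        if ($line -match '^(?<key>[^=\[\]]+)=(?<value>.*)$') {
            switch ($Matches.key) {
                'ZoneId' {
                    $id = [int]$Matches.value
                    $result.ZoneId = $id
                    if ($ZoneNames.ContainsKey($id)) { $result.ZoneName = $ZoneNames[$id] }
                }
                'HostUrl'     { $result.HostUrl = $Matches.value }
                'ReferrerUrl' { $result.ReferrerUrl = $Matches.value }
            }
        }
    }
    return [pscustomobject]$result
}

function Get-MotwReport {
    # Walks a directory and reports, per file, whether MOTW is present, which zone it names,
    # and a note for the two cases worth a second look: untrusted origin, or a macro-capable
    # Office file that carries no tag (so Protected View / macro blocking will not apply).
    param([string]$Directory = (Join-Path $env:USERPROFILE 'Downloads'))

    Get-ChildItem -LiteralPath $Directory -File -Recurse | ForEach-Object {
        $zone = Get-MotwZone -Path $_.FullName
        $ext  = $_.Extension.ToLowerInvariant()

        $note = ''
        if ($null -eq $zone -and $MacroCapableExtensions -contains $ext) {
            $note = 'Macro-capable Office file without MOTW: Internet-zone protections do not apply'
        } elseif ($null -ne $zone -and $zone.ZoneId -ge 3) {
            $note = 'Untrusted origin: SmartScreen / Protected View apply'
        }

        [pscustomobject]@{
            File    = $_.FullName
            HasMotw = ($null -ne $zone)
            ZoneId  = $(if ($zone) { $zone.ZoneId } else { $null })
            Zone    = $(if ($zone) { $zone.ZoneName } else { 'none' })
            HostUrl = $(if ($zone) { $zone.HostUrl } else { $null })
            Note    = $note
        }
    }
}

# Usage: audit the current user's Downloads folder (path is an assumption for the example)
Get-MotwReport | Format-Table -AutoSize
```

Files with HasMotw = False and a macro-capable extension are the ones that slipped past the browser download path, for example attachments saved from an internal mailbox as the page notes; those are worth correlating with mail logs rather than trusting the absence of a tag as a sign of a benign origin.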
