Pick Your Poison

In this article, we consider various payloads and payload delivery mechanisms. Although we won't get into the specifics of each (yet), we provide an overview of common tactics.

Payloads

The goal of any campaign is to have the target initiate their own compromise. With the exception of credential theft, this typically takes the form of the target executing code on their own system. Some payloads stay local to the target system, some are used to exfiltrate data, and others simply serve as avenues for further compromise or remote control.

Here we've listed some of our favorites; this list is by no means exhaustive.

Local Execution

  1. Simple Attachments
    Emails with file attachments, such as executables or documents (docx, pdf, etc.) containing the payload.
  2. Macro-Enabled Documents
    Payload delivered through macros embedded in documents. These rely on the application (typically the MS Office suite) to execute the embedded scripts and automations.
  3. Trojan Horse
    The payload disguised as a legitimate file or installation package.
  4. Drive-By Downloads
    Links or attachments that trigger automatic payload downloads upon interaction. These are typically web links or HTML documents that trigger in the browser.
  5. Keyloggers
    A payload that records keystrokes, capturing login credentials and sensitive information.
  6. Browser Extensions
    Payloads in the form of a browser extension used for control and delivery.
  7. Downloaders and Droppers
    Payloads fetching additional malware from remote servers.
  8. Man-in-the-Middle (MitM)
    Payloads that allow for traffic interception, such as routing communications through a proxy.
  9. Password-Protected Zips
    Payloads hidden within password-protected zip files; a type of evasion.
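Several items in the list above (simple attachments, macro-enabled documents, HTML drive-by documents, droppers packaged in archives, and password-protected zips) are things a mail gateway can flag before a user ever opens them. The script below is an added example written for this page; it is not P&C.io's code. It parses an RFC 5322 message, classifies each attachment by extension and, for ZIP containers (which includes Office OOXML files), by looking inside: an entry with the "encrypted" general-purpose flag bit set is reported as a password-protected zip, a `vbaProject.bin` part is reported as macro-enabled even behind a `.docx` name, and executable members are reported as well. The extension lists, tag names and the sample message (with its hand-patched encrypted zip) are constructed for the example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extension sets are assumptions for this example; tune them to local policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1", ".msi", ".lnk"}
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
WEB_EXTS = {".html", ".htm", ".svg"}
ZIP_MAGIC = b"PK\x03\x04"


def _ext(name):
    return PurePosixPath(name.lower()).suffix


def classify_attachment(filename, data):
    """Return sorted risk tags for one attachment, judged by extension and by ZIP contents."""
    tags = set()
    ext = _ext(filename)
    if ext in EXECUTABLE_EXTS:
        tags.add("executable")
    if ext in MACRO_EXTS:
        tags.add("macro-enabled")
    if ext in WEB_EXTS:
        tags.add("web-content")
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    # General-purpose flag bit 0 marks an encrypted entry the gateway cannot scan.
                    if info.flag_bits & 0x1:
                        tags.add("password-protected-zip")
                    # OOXML documents are ZIPs; a vbaProject.bin part means VBA macros, whatever the extension.
                    if info.filename.lower().endswith("vbaproject.bin"):
                        tags.add("macro-enabled")
                    if _ext(info.filename) in EXECUTABLE_EXTS:
                        tags.add("archive-contains-executable")
        except zipfile.BadZipFile:
            tags.add("malformed-archive")
    return sorted(tags)


def triage_message(raw):
    """Parse a raw message and classify every attachment. Returns {filename: [tags]}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        results[name] = classify_attachment(name, payload)
    return results


# ---- constructed sample data below; nothing here is real malware ----

def _zip_bytes(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def _mark_encrypted(zip_bytes):
    """Set the 'encrypted' flag bit in every local (offset 6) and central (offset 8) header.
    zipfile cannot write encrypted archives, so the sample is patched by hand."""
    buf = bytearray(zip_bytes)
    for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + flag_off] |= 0x01
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def build_sample_message():
    """Constructed message carrying one attachment per category from the list above."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Q3 invoice"
    msg.set_content("Please see attached.")
    ooxml_with_vba = _zip_bytes({"[Content_Types].xml": "<Types/>", "word/vbaProject.bin": b"\x00vba\x00"})
    samples = [
        ("invoice.docm", ooxml_with_vba),
        ("report.docx", ooxml_with_vba),  # macros hidden behind a non-macro extension
        ("archive.zip", _mark_encrypted(_zip_bytes({"setup.exe": b"MZ\x90\x00"}))),
        ("login.html", b"<html><form></form></html>"),
        ("notes.txt", b"plain text"),
    ]
    for name, data in samples:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, tags in triage_message(build_sample_message()).items():
        print(f"{name}: {', '.join(tags) or 'clean'}")
```

The point of inspecting ZIP contents rather than trusting the filename is the `report.docx` case: it carries a VBA project yet would pass an extension-only filter. A password-protected zip is reported on its own, since the gateway cannot look inside it at all and that opacity is exactly the evasion the list describes.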

Web Links

  1. Links to Payload Sites
    Emails containing links to websites designed to steal login credentials/sensitive data, or deliver the payload through the browser.
  2. Embedded Links
    Attachments that contain links to sites with payloads.
  3. Credential Harvesting Forms
    Emails with HTML forms prompting users to enter sensitive information.
  4. Ads
    Links to compromised ads or websites delivering the payload.

Here at P&C.io, our personal favorites are:
1) The reverse TCP shell, which, when executed, has the remote workstation establish a connection to our TCP listener, thus enabling C2-type activity.

2) Good, old-fashioned credential harvesting.
