So how did the team get on in our War Game exercise?

The team sent emails from a spoofed internal address to approximately 500 employees, which directed them to a news site discussing a recent announcement regarding a contract (intriguing!). What made this campaign interesting was the fact that the team did not actively include a link to the website concerned. Rather, the team included a supposed exchange between two fictional employees, Graham and Catherine (rather more convincing than Jane and John Doe), discussing the website, with the URL included in the email subject as “Fwd: “. This website did not require authentication; rather, its purpose was to simulate a ‘watering hole’ style attack, which could have been used to host exploits and malware that would then be activated on visits by the client’s employees.

Note: The intention of this campaign was to mimic an attack that had been successful previously. In the previous exercise, the team had utilised a weakness in the configuration of the filtering proxy to effectively re-sign otherwise self-signed certificates with the client’s internal CA. This proved to no longer be possible (albeit due to manual filtering by the client), and instead a real wildcard certificate was acquired. This campaign was spotted by the client, as the previous misconfiguration of the SSL middlebox had been fixed; however, the client agreed to whitelist our new site to allow a representative sample of users to be collected.

As a result, the team recorded connections to the website from about half of the targets, as well as 75 email responses.

The second email campaign was sent in similar fashion to another set of 500 users. The basic premise regarded an email which had a Microsoft Word document attached, which contained a malicious macro (deadly alliteration there). Firstly, a proof-of-concept, fully working implant was created. This macro called back to the team’s staging box to say that the file had been run, but did not compromise the system; this extra functionality would have been trivial to add. This was sent through to a pre-agreed employee, who was the user assigned to the internal phase of the test. The first attempt failed with an authentication problem at the proxy. The insider then executed these payload-enabling macros.
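Both campaigns above rely on the same two lures a mail gateway can flag on the way in: a From: address that claims the internal domain without the edge MTA authenticating it, and an Office attachment that carries a VBA project. The triage below is an added example written for this page, not code from the team or the client; it assumes an internal domain of corp.example and an edge MTA that stamps an Authentication-Results header (RFC 8601), and the sample message and .docm it builds are constructed.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

INTERNAL_DOMAIN = "corp.example"  # assumption: the client's internal mail domain

def sender_is_spoofed(msg, internal_domain=INTERNAL_DOMAIN):
    # From: claims the internal domain but the edge MTA's Authentication-Results
    # header (RFC 8601) shows neither SPF nor DKIM pass for the message.
    addrs = msg["From"].addresses if msg["From"] else ()
    if not addrs or addrs[0].domain.lower() != internal_domain.lower():
        return False
    auth = str(msg.get("Authentication-Results", "")).lower()
    return re.search(r"\b(spf|dkim)=pass\b", auth) is None

def attachment_has_vba(data):
    # OOXML documents are zips; VBA macro code lives in word/vbaProject.bin.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False

def triage(raw):
    # Findings for one raw RFC 5322 message: sender check first, then attachments.
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = ["from-spoofs-internal-domain"] if sender_is_spoofed(msg) else []
    for part in msg.iter_attachments():
        if attachment_has_vba(part.get_payload(decode=True) or b""):
            findings.append("macro-attachment:" + (part.get_filename() or "?"))
    return findings

def build_sample():
    # Constructed sample: a spoofed "internal" mail carrying a macro-enabled .docm.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed stub, no code")
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <helpdesk@corp.example>"
    msg["Subject"] = "Fwd: contract announcement"
    msg["Authentication-Results"] = "mx.corp.example; spf=fail smtp.mailfrom=outside.example; dkim=none"
    msg.set_content("Please review the attached announcement.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="announcement.docm")
    return msg.as_bytes()
```

Run `triage(build_sample())` to see both findings on the constructed message; a message whose Authentication-Results carries spf=pass or dkim=pass for the internal domain produces only the attachment finding.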