One of the goals I want to achieve in the lab, is to simulate at least some level of user autonomy. This means having users that will do ‘things’ automatically and periodically that, as an attacker, you can take advantage of. Phishing is a big part of real-life engagements (and a real threat to businesses and individuals alike), but it’s unfortunately something that’s not that easily reproduced.
Users within RastaLabs will run a PowerShell script on a schedule that is unique for them - some may check their email every 5 minutes (because they obviously have nothing better to do) and others may check every hour or only once a day.
When they check their email, they will take whatever’s in the message body and pass it to Internet Explorer - which is meant to simulate an email with a malicious link. The PowerShell does not currently parse the body specifically looking for hrefs. The user will also automatically send keystokes into IE to open any files the URL may go to - this is especially useful if you want to send an HTA payload.
One caveat to this, is that prior to actually opening an email the user will inspect the subject field. They will only open the email if the subject contains a word that they find interesting - some users may have more “Magic Strings” (as I’ve called them) than others, meaning some users will be harder to phish than others.
So how do you know what a user will find interesting?
Using OSINT of course. Most ‘employees’ of RastaLabs will have some sort of social media presence where you have the chance to learn about their personal lives. Some users will open emails related to their personal interests (“cute kittens” for example); others only to their professional interests; and other users may do both.
I have plans to extend this further:
- Some users will only open emails from other colleagues (internal phishing)
- Add support for attachments, e.g. Word/Excel and PDFs
If you have any other suggests, please hit me up and let me know.