Red Teaming Experiments
Phishing: Embedded HTML Forms
Code execution with embedded HTML Form Objects
In this phishing lab I am just playing around with the POCs researched, coded and described by Yorick Koster in his blog post "Click me if you can, Office social engineering with embedded objects".
Execution
Attached files:
Forms.HTML.ps1 (Forms.ps1, text, 1KB)
Forms.HTML.docx (Forms.docx, binary, 11KB)
Observations
These types of phishing documents can be identified by looking for the CLSID 5512D112-5CC6-11CF-8D67-00AA00BDCE1D in the embedded .bin files, as well as inside the activeX1.xml file.
As usual, MS Office applications spawning cmd.exe or powershell.exe should be investigated.
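The CLSID check described above can be automated for triage. The following is an added example, not code from the original lab or from Yorick Koster's research: it opens an Office Open XML file as a zip and searches every .bin and .xml part for the CLSID. It assumes the .bin parts hold the CLSID as a packed little-endian GUID and the XML parts hold it as text; the sample container, its part paths and the size cap are constructed for the demonstration.

```python
import io
import uuid
import zipfile

# CLSID named on this page (embedded HTML Forms object).
HTML_FORMS_CLSID = uuid.UUID("5512D112-5CC6-11CF-8D67-00AA00BDCE1D")
MAX_PART_SIZE = 16 * 1024 * 1024  # assumption: skip oversized parts (zip-bomb guard)

def clsid_needles(clsid):
    """Byte patterns the CLSID can take inside document parts."""
    text = str(clsid)
    return {
        "guid-le": clsid.bytes_le,  # packed GUID layout used in OLE binary data
        "ascii-upper": text.upper().encode("ascii"),
        "ascii-lower": text.lower().encode("ascii"),
        "utf16-upper": text.upper().encode("utf-16-le"),
        "utf16-lower": text.lower().encode("utf-16-le"),
    }

def scan_ooxml(data, clsid=HTML_FORMS_CLSID):
    """Return sorted (part_name, encoding) hits for the CLSID in a .docx/.xlsx/.pptx."""
    needles = clsid_needles(clsid)
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".bin", ".xml")):
                continue
            if info.file_size > MAX_PART_SIZE:
                continue
            blob = zf.read(info)
            hits += [(info.filename, label)
                     for label, needle in needles.items() if needle in blob]
    return sorted(hits)

def build_sample(with_control):
    """Constructed container for the demo: a zip with plausible part names, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_control:
            zf.writestr("word/activeX/activeX1.xml",
                        '<ax:ocx ax:classid="{5512D112-5CC6-11CF-8D67-00AA00BDCE1D}"/>')
            zf.writestr("word/activeX/activeX1.bin",
                        b"\x00" * 80 + HTML_FORMS_CLSID.bytes_le + b"\x00" * 16)
    return buf.getvalue()

if __name__ == "__main__":
    for label, doc in (("suspicious", build_sample(True)), ("clean", build_sample(False))):
        print(label, scan_ooxml(doc))
```

A hit only shows that the control is embedded; what the form does still has to be reviewed by hand.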
References
Click me if you can, Office social engineering with embedded objects (Securify website)