Red Teaming Experiments
Red Teaming Experiments
linkedin
github
@spotheplanet
patreon
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Password Spraying Outlook Web Access: Remote Shell
Phishing with MS Office
Phishing: XLM / Macro 4.0
T1173: Phishing - DDE
T1137: Phishing - Office Macros
Phishing: OLE + LNK
Phishing: Embedded Internet Explorer
Phishing: .SLK Excel
Phishing: Replacing Embedded Video with Bogus Payload
Inject Macros from a Remote Dotm Template
Bypassing Parent Child / Ancestry Detections
Phishing: Embedded HTML Forms
Phishing with GoPhish and DigitalOcean
Forced Authentication
NetNTLMv2 hash stealing using Outlook
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered by GitBook

Phishing: Embedded Internet Explorer

Code execution with embedded Internet Explorer Object

In this phishing lab I am just playing around with the POCs researched, coded and described by Yorick Koster in his blog post Click me if you can, Office social engineering with embedded objects​

Execution

Observations

As with other phishing documents, we can unzip the .docx and do a simple hexdump/strings on the oleObject1.bin to look for any suspicious strings referring to some sort of file/code execution:

The CLSID object that makes this technique work is a Shell.Explorer.1 object, as seen here:

Get-ChildItem 'registry::HKEY_CLASSES_ROOT\CLSID\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'

As an analyst, one should inspect the .bin file and look for the {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} bytes inside, signifying the Shell.Explorer.1 object being embedded in the .bin file:

References

Previous
Phishing: OLE + LNK
Next
Phishing: .SLK Excel
Last updated 3 years ago
Contents
Execution
Observations
References