A while ago I came across a blog post from @enigma0x3. In this blog post a method was described to perform a phishing attack to gather user credentials using PowerShell. It is a great way to get the credentials of a user. This attack can be used if privilege escalation is hard (try harder) or not an option. In real-life scenarios I noticed that privilege escalation can be hard, for example on fully patched terminal servers. With this phishing method, you can still get the (network) credentials of the user. These credentials can be used to pivot into the network. I got some ideas to improve the attack:
- Build the script into Metasploit, so the script code can be sent through the existing Metasploit connection
- Pop up the script on certain user activity (starting new processes); if the popup appears without any user action, it can look suspicious.
- Also fix some bugs in the existing PowerShell script