原文始发于Ram Prakash:Fake Dialog Boxes to Make Malware More Convincing
Let’s explore how SpiderLabs created and incorporated user prompts, specifically Windows dialog boxes into its malware loader to make it more convincing to phishing targets during a Red Team engagement.
让我们来探讨一下 SpiderLabs 如何创建用户提示并将其合并到其恶意软件加载程序中,以便在红队交战期间对网络钓鱼目标更具说服力。
The following GIF shows a demo of the end result, where the loader appears like an installer (XYZ is a fictitious company used as an example throughout the rest of this article):
以下 GIF 显示了最终结果的演示,其中加载程序看起来像一个安装程序(XYZ 是一个虚构的公司,在本文的其余部分用作示例):
Mariusz Banach’s (mgeeky) presentation “Desperate Infection Chains” proposes the following taxonomy to describe how an initial access payload can be crafted:
Mariusz Banach (mgeeky) 的演讲“绝望的感染链”提出了以下分类法来描述如何构建初始访问有效载荷:
The “decoy” element serves to “continue pretext narration after detonating malware.” In Banach’s presentation, he describes how APT groups open PDF files while installing their malware to avoid raising suspicion by convincing phished users that everything was going as expected. The idea is that adding user prompts to malware loaders make them appear more like legitimate software to achieve a similar effect.
“诱饵”元素用于“引爆恶意软件后继续借口叙述”。在 Banach 的演讲中,他描述了 APT 组织如何在安装恶意软件时打开 PDF 文件,以避免通过说服网络钓鱼用户一切都按预期进行来引起怀疑。这个想法是,将用户提示添加到恶意软件加载程序中,使它们看起来更像是合法软件,以达到类似的效果。
Red Team Engagement Example
红队参与示例
SpiderLabs sent phishing emails to employees at, let’s call it, XYZ Corp., that pretended to be from the firm’s IT department. The phishing email’s pretext was the IT department had pushed updates to the corporate VPN due to a security vulnerability. However, the email says not all employees received the update requiring them to install the patch manually. The emails contained two attachments – a PDF guide and a ZIP file containing the malware.
SpiderLabs 向 XYZ Corp. 的员工发送了网络钓鱼电子邮件,这些电子邮件假装来自该公司的 IT 部门。网络钓鱼电子邮件的借口是 IT 部门由于安全漏洞而将更新推送到公司 VPN。但是,该电子邮件表示,并非所有员工都收到了要求他们手动安装补丁的更新。这些电子邮件包含两个附件 – 一个PDF指南和一个包含恶意软件的ZIP文件。
SpiderLabs designed the PDF guide to look like a legitimate internal document from the IT department and included instructions on how to unzip and execute the “security patch installer” (i.e. the malware):
SpiderLabs 将 PDF 指南设计成看起来像 IT 部门的合法内部文档,并包含有关如何解压缩和执行“安全补丁安装程序”(即恶意软件)的说明:
The fake installer seen above did not have any actual functionality. For instance, if the user clicked “Cancel” instead of “Install” at the prompt, the embedded C2 shellcode would still execute.
上面看到的假安装程序没有任何实际功能。例如,如果用户在提示符下单击“取消”而不是“安装”,则嵌入的 C2 shellcode 仍将执行。
Additionally, the progress bar and the warning to refrain from disrupting the program did not affect the loader’s execution. If the malware failed to execute, it would display a popup window asking, “Do you want to submit diagnostic data to your IT administrator?” This was to convince users not to respond to the email or submit IT tickets so SpiderLabs could elude detection by the Blue Team. While installer file formats like MSI/MSIX could achieve a similar visual effect, SpiderLabs created a fake installer manually with dialog boxes because it executed its C2 malware via DLL-sideloading. This meant the logic and resource files for the fake installer had to be contained within the loader DLL.
此外,进度条和避免中断程序的警告不会影响加载程序的执行。如果恶意软件无法执行,它将显示一个弹出窗口,询问“是否要向 IT 管理员提交诊断数据?这是为了说服用户不要回复电子邮件或提交 IT 工单,以便 SpiderLabs 可以逃避蓝队的检测。虽然像 MSI/MSIX 这样的安装程序文件格式可以实现类似的视觉效果,但 SpiderLabs 手动创建了一个带有对话框的虚假安装程序,因为它通过 DLL 旁加载执行了其 C2 恶意软件。这意味着假安装程序的逻辑和资源文件必须包含在加载程序 DLL 中。
Creating dialog boxes – Step 1: GUI
创建对话框 – 第 1 步:GUI
Now, let’s look at how SpiderLabs created the fake installer with dialog boxes.
现在,让我们看看 SpiderLabs 如何创建带有对话框的虚假安装程序。
We started with an empty C++ project in Visual Studio:
我们从 Visual Studio 中的空 C++ 项目开始:
Added a dialog resource to the project:
向项目添加了对话资源:
The team used the resource editor to design the dialog box. We then adjusted the dimensions, added two “static text” labels and a progress bar, renamed the “Ok” button to “Install,” and placed a “Finish” button directly behind the “Cancel” button. The purpose of this is explained later in the article.
该团队使用资源编辑器来设计对话框。然后,我们调整了尺寸,添加了两个“静态文本”标签和一个进度条,将“确定”按钮重命名为“安装”,并在“取消”按钮后面放置了一个“完成”按钮。本文稍后将解释其目的。
We customised the labels / appearance by right-clicking a component and viewing its “Properties” (e.g. the red boxes in the screenshot below show the options to centre the dialog box and change its font):
我们通过右键单击组件并查看其“属性”来自定义标签/外观(例如,下面屏幕截图中的红色框显示了对话框居中并更改其字体的选项):
Preview and test the dialog box conveniently by selecting it in the resource editor, and clicking Format > Test Dialog:
通过在资源编辑器中选择对话框,然后单击“>设置测试对话框的格式”,方便地预览和测试该对话框:
Visual Studio generated two files – “resource.rc” and “resource.h”. The resource files are compiled into a binary format and linked with the final executable. The following shows the contents of resource.rc that Visual Studio generated. Note that SpiderLabs also added version information/metadata. This can help with avoiding some EDR detections (see: https://redops.at/en/blog/meterpreter-vs-modern-edrs-in-2023 )
Visual Studio 生成了两个文件 – “resource.rc” 和 “resource.h”。资源文件被编译为二进制格式,并与最终可执行文件链接。下面显示了 Visual Studio 生成的 resource.rc 的内容。请注意,SpiderLabs 还添加了版本信息/元数据。这有助于避免某些 EDR 检测(请参阅:https://redops.at/en/blog/meterpreter-vs-modern-edrs-in-2023)
// Microsoft Visual C++ generated resource script.
Microsoft Visual C++ 生成的资源脚本。
//
#include “resource.h” #include“resource.h”
#define APSTUDIO_READONLY_SYMBOLS
/////////////////////////////////////////////////////////////////////////////
//
// Generated from the TEXTINCLUDE 2 resource.
从 TEXTINCLUDE 2 资源生成。
//
#include “winres.h” #include “winres.h”
/////////////////////////////////////////////////////////////////////////////
#undef APSTUDIO_READONLY_SYMBOLS
/////////////////////////////////////////////////////////////////////////////
// English (United States) resources
英语(美国)资源
#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU)
#if !defined(AFX_RESOURCE_DLL) ||定义(AFX_TARG_ENU)
LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
语言LANG_ENGLISH, SUBLANG_ENGLISH_US
#pragma code_page(1252) #pragma code_page(1252)
#ifdef APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// TEXTINCLUDE 文本包括
//
1 TEXTINCLUDE 1 个文本包括
BEGIN 开始
“resource.h\0” “资源.h\0”
END
2 TEXTINCLUDE 2 文本包括
BEGIN 开始
“#include “”winres.h””\r\n”
“#include ”“winres.h”“\r\n”
“\0”
END
3 TEXTINCLUDE 3 文本包括
BEGIN 开始
“\r\n” “\r\n”
“\0”
END
#endif // APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// Dialog 对话
//
IDD_DIALOG1 DIALOGEX 0, 0, 320, 101
IDD_DIALOG1 DIALOGEX 0、0、320、101
STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_POPUP | WS_VISIBLE | WS_CAPTION | WS_SYSMENU
款式DS_SETFONT |DS_MODALFRAME |DS_CENTER |WS_POPUP |WS_VISIBLE |WS_CAPTION |WS_SYSMENU
CAPTION “XYZ VPN Security Patch Installer”
标题 “XYZ VPN Security Patch Installer”
FONT 8, “Segoe UI”, 400, 0, 0x1
字体 8, “Segoe UI”, 400, 0, 0x1
BEGIN 开始
DEFPUSHBUTTON “Finish”,IDOK,254,73,50,14
DEFPUSHBUTTON “完成”,IDOK,254,73,50,14
PUSHBUTTON “Cancel”,IDCANCEL,254,73,50,14
按钮“取消”,IDCANCEL,254,73,50,14
LTEXT “Click ‘Install’ to begin, or ‘Cancel’ to exit”,IDC_STATIC,19,31,280,10
LTEXT “单击’安装’开始,或单击’取消’退出”,IDC_STATIC,19,31,280,10
LTEXT “XYZ VPN Security Patch 4.2.0 installation”,IDC_STATIC,19,16,280,10
LTEXT“XYZ VPN 安全补丁 4.2.0 安装”,IDC_STATIC,19,16,280,10
DEFPUSHBUTTON “Install”,IDOK2,196,73,50,14
DEFPUSHBUTTON “安装”,IDOK2,196,73,50,14
CONTROL “”,IDC_PROGRESS1,”msctls_progress32″,PBS_SMOOTH | WS_BORDER,19,48,280,14
控制 “”,IDC_PROGRESS1,“msctls_progress32”,PBS_SMOOTH |WS_BORDER,19,48,280,14
END
/////////////////////////////////////////////////////////////////////////////
//
// DESIGNINFO 设计信息
//
#ifdef APSTUDIO_INVOKED
GUIDELINES DESIGNINFO 指南设计信息
BEGIN 开始
IDD_DIALOG1, DIALOG IDD_DIALOG1, 对话框
BEGIN 开始
LEFTMARGIN, 7 左边距,7
RIGHTMARGIN, 313 右边距,313
TOPMARGIN, 7 上边距,7
BOTTOMMARGIN, 94 底边距,94
END
END
#endif // APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// AFX_DIALOG_LAYOUT AFX_DIALOG_LAYOUT
//
IDD_DIALOG1 AFX_DIALOG_LAYOUT
BEGIN 开始
0
END
/////////////////////////////////////////////////////////////////////////////
//
// Version 版本
//
VS_VERSION_INFO VERSIONINFO
VS_VERSION_INFO版本信息
FILEVERSION 4,2,0,0 文件版本 4,2,0,0
PRODUCTVERSION 4,2,0,0 产品版本 4,2,0,0
FILEFLAGSMASK 0x3fL 文件标志掩码 0x3fL
#ifdef _DEBUG
FILEFLAGS 0x1L 文件标志 0x1L
#else
FILEFLAGS 0x0L 文件标志 0x0L
#endif
FILEOS 0x40004L 文件 0x40004L
FILETYPE 0x2L 文件类型: 0x2L
FILESUBTYPE 0x0L 文件子类型 0x0L
BEGIN 开始
BLOCK “StringFileInfo” 块“StringFileInfo”
BEGIN 开始
BLOCK “040904b0” 区块“040904b0”
BEGIN 开始
VALUE “CompanyName”, “XYZ”
VALUE “公司名称”, “XYZ”
VALUE “FileDescription”, “vpn”
VALUE “FileDescription”, “vpn”
VALUE “FileVersion”, “4.2.0.0”
值 “FileVersion”, “4.2.0.0”
VALUE “InternalName”, “vpn.dll”
值 “InternalName”, “vpn.dll”
VALUE “LegalCopyright”, “Copyright 2004-2022, XYZ.”
VALUE “法律版权”, “版权所有 2004-2022, XYZ.”
VALUE “OriginalFilename”, “vpn.dll”
值 “原始文件名”, “vpn.dll”
VALUE “ProductName”, “XYZ VPN”
VALUE “产品名称”, “XYZ VPN”
VALUE “ProductVersion”, “4.2.0.0”
值 “ProductVersion”, “4.2.0.0”
END
END
BLOCK “VarFileInfo” 阻止“VarFileInfo”
BEGIN 开始
VALUE “Translation”, 0x409, 1200
VALUE “翻译”, 0x409, 1200
END
END
#endif // English (United States) resources
#endif // 中文(美国)资源
/////////////////////////////////////////////////////////////////////////////
#ifndef APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// Generated from the TEXTINCLUDE 3 resource.
从 TEXTINCLUDE 3 资源生成。
//
/////////////////////////////////////////////////////////////////////////////
#endif // not APSTUDIO_INVOKED
#endif // 不APSTUDIO_INVOKED
The following shows the contents of “resource.h”:
下面显示了“resource.h”的内容:
//
// Microsoft Visual C++ generated include file.
Microsoft Visual C++ 生成的包含文件。
// Used by resource.rc
由 resource.rc 使用
//
#define IDOK 1
#define IDCANCEL 2
#define IDD_DIALOG1 101
#define IDI_ICON1 103
#define IDB_PNG1 104
#define IDOK2 1001
#define IDC_PROGRESS1 1002
#ifndef IDC_STATIC
#define IDC_STATIC (-1) #define IDC_STATIC (-1)
#endif
// Next default values for new objects
新对象的下一个默认值
//
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE 105
#define _APS_NEXT_COMMAND_VALUE 40001
#define _APS_NEXT_CONTROL_VALUE 1001
#define _APS_NEXT_SYMED_VALUE 101
#endif
#endif
Creating dialog boxes – Step 2: Functionality
创建对话框 – 步骤 2:功能
Once satisfied with the appearance of the dialog box, we used it in our code with DialogBox():
一旦对对话框的外观感到满意,我们在代码中使用了 DialogBox():
int main() { int main() {
auto result = DialogBox(NULL, MAKEINTRESOURCE(IDD_DIALOG1), NULL, DialogProc);
自动结果 = DialogBox(NULL, MAKEINTRESOURCE(IDD_DIALOG1), NULL, DialogProc);
return 0; 返回 0;
}
/*
src: <https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-dialogboxa>
来源:<https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-dialogboxa>
void DialogBoxW( 无效 DialogBoxW(
[in, optional] hInstance,
[in, 可选] hInstance,
[in] lpTemplate, [在] lp模板,
[in, optional] hWndParent,
[in, 可选] hWndParent,
[in, optional] lpDialogFunc
[in, 可选] lpDialogFunc
);
*/
Next, we created a callback function to respond to the user’s input (e.g. when they click a button):
接下来,我们创建了一个回调函数来响应用户的输入(例如,当他们点击按钮时):
INT_PTR CALLBACK DialogProc(HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam) {
INT_PTR CALLBACK DialogProc(HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam) {
switch (message) { switch(消息){
case WM_INITDIALOG: { 案例 WM_INITDIALOG:{
// Set the color of the progress bar to green: 0,255,0. The default is blue.
将进度条的颜色设置为绿色:0,255,0。默认值为蓝色。
HWND hProgress = GetDlgItem(hDlg, IDC_PROGRESS1);
HWND hProgress = GetDlgItem(hDlg, IDC_PROGRESS1);
SendMessage(hProgress, PBM_SETBARCOLOR, 0, RGB(0, 255, 0));
发送消息 (hProgress, PBM_SETBARCOLOR, 0, RGB(0, 255, 0));
ShowWindow(GetDlgItem(hDlg, IDC_PROGRESS1), SW_HIDE); // Hide progress bar. User will see it after they press the ‘Install’ button
ShowWindow(GetDlgItem(hDlg, IDC_PROGRESS1), SW_HIDE);隐藏进度条。用户在按下“安装”按钮后将看到它
ShowWindow(GetDlgItem(hDlg, IDOK), SW_HIDE); // Hide finish button
ShowWindow(GetDlgItem(hDlg, IDOK), SW_HIDE);隐藏完成按钮
ShowWindow(GetDlgItem(hDlg, IDCANCEL), SW_SHOW);
ShowWindow(GetDlgItem(hDlg, IDCANCEL), SW_SHOW);
ShowWindow(GetDlgItem(hDlg, IDOK2), SW_SHOW);
ShowWindow(GetDlgItem(hDlg, IDOK2), SW_SHOW);
ShowWindow(GetDlgItem(hDlg, IDC_STATIC), SW_SHOW);
ShowWindow(GetDlgItem(hDlg, IDC_STATIC), SW_SHOW);
}
return (INT_PTR) TRUE; 返回 (INT_PTR) TRUE;
case WM_COMMAND: 案例WM_COMMAND:
switch (LOWORD(wParam)) { // LOWORD contains the resource ID, HIWORD contains the actual event
switch (LOWORD(wParam)) { // LOWORD 包含资源 ID,HIWORD 包含实际事件
case IDOK2: // Install button
case IDOK2: // 安装按钮
ShowWindow(GetDlgItem(hDlg, IDOK2), SW_HIDE);
ShowWindow(GetDlgItem(hDlg, IDOK2), SW_HIDE);
ShowWindow(GetDlgItem(hDlg, IDCANCEL), SW_HIDE);
ShowWindow(GetDlgItem(hDlg, IDCANCEL), SW_HIDE);
ShowWindow(GetDlgItem(hDlg, IDC_STATIC), SW_HIDE);
ShowWindow(GetDlgItem(hDlg, IDC_STATIC), SW_HIDE);
ShowWindow(GetDlgItem(hDlg, IDC_PROGRESS1), SW_SHOW);
ShowWindow(GetDlgItem(hDlg, IDC_PROGRESS1), SW_SHOW);
// Start fake installation process and update progress bar
启动虚假安装过程并更新进度条
for (int i = 0; i <= 100; i++) {
for (int i = 0; i <= 100; i++) {
SendDlgItemMessage(hDlg, IDC_PROGRESS1, PBM_SETPOS, i, 0);
SendDlgItemMessage(hDlg, IDC_PROGRESS1, PBM_SETPOS, i, 0);
Sleep(40); 睡眠(40);
}
// When installation is complete, hide the progress bar and show the finish button
安装完成后,隐藏进度条并显示完成按钮
ShowWindow(GetDlgItem(hDlg, IDC_PROGRESS1), SW_HIDE);
ShowWindow(GetDlgItem(hDlg, IDC_PROGRESS1), SW_HIDE);
ShowWindow(GetDlgItem(hDlg, IDOK), SW_SHOW);
ShowWindow(GetDlgItem(hDlg, IDOK), SW_SHOW);
break; 破;
case IDOK: // Finish button
case IDOK: // 完成按钮
EndDialog(hDlg, LOWORD(wParam));
EndDialog(hDlg, LOWORD(wParam));
break; 破;
case IDCANCEL: // Cancel button
case IDCANCEL: // 取消按钮
EndDialog(hDlg, LOWORD(wParam));
EndDialog(hDlg, LOWORD(wParam));
break; 破;
}
break; 破;
default: 违约:
return (INT_PTR) FALSE; 返回 (INT_PTR) FALSE;
}
return (INT_PTR) TRUE; 返回 (INT_PTR) TRUE;
}
Here are some key points to understand the DialogProc function shown above:
以下是了解上面所示的 DialogProc 函数的一些关键点:
- DialogProc is a callback function that responds to messages sent by the OS. The OS sends messages when the user performs mouse clicks, keystrokes, and touch-screen gestures.
DialogProc 是一个回调函数,用于响应操作系统发送的消息。当用户执行鼠标单击、击键和触摸屏手势时,OS 会发送消息。 - We are interested in the messages WM_INITDIALOG and WM_COMMAND
我们对WM_INITDIALOG和WM_COMMAND的信息感兴趣 - WM_INITDIALOG to initialise our dialog box. We initialize our progress bar to be green and show/hide components of the dialog box. For instance, the following line can be thought of as a selector to get the progress bar (IDC_PROGRESS1) and hide it (SW_HIDE): ShowWindow(GetDlgItem(hDlg, IDC_PROGRESS1), SW_HIDE);
WM_INITDIALOG初始化我们的对话框。我们将进度条初始化为绿色,并显示/隐藏对话框的组件。例如,可以将以下行视为获取进度条 (IDC_PROGRESS1) 并隐藏进度条 (SW_HIDE) 的选择器:ShowWindow(GetDlgItem(hDlg, IDC_PROGRESS1), SW_HIDE);- Instead of creating multiple dialog boxes to represent steps in a typical software installation, we created a single dialog box and displayed/hid elements selectively. Since our fake installer only had two steps, it was easier to place them within a single dialog box and display/hide their components. For instance, this is how the Dialog Box is initialized (i.e., what the user sees at the first step):
我们没有创建多个对话框来表示典型软件安装中的步骤,而是创建了一个对话框并有选择地显示/隐藏元素。由于我们的假安装程序只有两个步骤,因此将它们放在一个对话框中并显示/隐藏其组件更容易。例如,对话框是这样初始化的(即用户在第一步看到的内容):
- Instead of creating multiple dialog boxes to represent steps in a typical software installation, we created a single dialog box and displayed/hid elements selectively. Since our fake installer only had two steps, it was easier to place them within a single dialog box and display/hide their components. For instance, this is how the Dialog Box is initialized (i.e., what the user sees at the first step):
However, there is also a progress bar that is hidden at this stage. Once the user clicks “install”, the progress bar is then shown, and the “install” and “cancel” buttons are hidden.
但是,在这个阶段还有一个隐藏的进度条。用户单击“安装”后,将显示进度条,并隐藏“安装”和“取消”按钮。
As mentioned earlier, this selective showing and hiding of specific components is achieved with: ShowWindow(GetDlgItem(hDlg, <RESOURCE_ID>), SW_HIDE);
如前所述,这种特定组件的选择性显示和隐藏是通过以下方式实现的:ShowWindow(GetDlgItem(hDlg, <RESOURCE_ID>), SW_HIDE);
The RESOURCE_ID can be obtained from the resource editor (e.g. we know the progress bar has the resource ID IDC_PROGRESS1
RESOURCE_ID可以从资源编辑器中获取(例如,我们知道进度条的资源 ID IDC_PROGRESS1
- WM_COMMAND to process the messages that the OS sends to our callback function. The WM_COMMAND message contains the resource ID that the user interacted with. E.g., if the user clicks the “Install” button, we get the resource ID IDOK2 (which represents that button), and we respond to it with our logic in case IDOK2
WM_COMMAND处理操作系统发送到回调函数的消息。WM_COMMAND消息包含用户与之交互的资源 ID。例如,如果用户单击“安装”按钮,我们将获得资源 ID IDOK2(表示该按钮),并在 IDOK2 的情况下使用我们的逻辑对其进行响应- Here, we implemented the fake progress bar (i.e., the for loop).
在这里,我们实现了假进度条(即for循环)。 - When the user clicks “Finish” or “Cancel”, we call EndDialog to destroy the dialog box.
当用户单击“完成”或“取消”时,我们调用 EndDialog 来销毁对话框。 - The dialog box procedure should return TRUE if it processed the message and FALSE if it did not (https://learn.microsoft.com/en-us/windows/win32/api/winuser/nc-winuser-dlgproc).
如果对话框过程处理了消息,则应返回 TRUE,如果未处理,则返回 FALSE(https://learn.microsoft.com/en-us/windows/win32/api/winuser/nc-winuser-dlgproc)。
- Here, we implemented the fake progress bar (i.e., the for loop).
Conclusion 结论
The primary benefit of dialog boxes or other types of user prompts is that they can make the phishing pretext more convincing. Secondary benefits include evading some EDRs and sandboxes (e.g., some sandboxes may not be able to simulate user input if the loader is designed to only execute the malware after receiving such input).
对话框或其他类型的用户提示的主要好处是它们可以使网络钓鱼借口更具说服力。次要好处包括规避某些 EDR 和沙箱(例如,如果加载程序设计为仅在收到此类输入后执行恶意软件,则某些沙箱可能无法模拟用户输入)。
Gaining initial access via phishing involves multiple steps, each with the potential to raise suspicion among users. While incorporating dialog boxes can be effective once the user has downloaded the malicious file, the preceding steps of the phishing attack must be equally convincing and stealthy.
通过网络钓鱼获得初始访问权限涉及多个步骤,每个步骤都可能引起用户的怀疑。虽然合并对话框在用户下载恶意文件后可能有效,但网络钓鱼攻击的上述步骤必须同样令人信服和隐蔽。
For example, this could involve crafting a believable phishing pretext, sending a well-formatted email, ensuring that the antivirus (AV)/endpoint detection and response (EDR) systems do not flag the downloaded file, and avoiding triggers for Defender Smart Screen alerts. Successful initial access requires meticulous attention to detail at each step. While this article focused on the utility of dialog boxes in the later stage, it acknowledges the critical need for a cohesive and undetectable approach throughout the entire phishing operation.
例如,这可能涉及制作可信的网络钓鱼借口、发送格式正确的电子邮件、确保防病毒 (AV) /终结点检测和响应 (EDR) 系统不会标记下载的文件,以及避免触发 Defender 智能屏幕警报。成功的初始访问需要对每一步的细节一丝不苟。虽然本文重点介绍了对话框在后期的效用,但它承认在整个网络钓鱼操作中迫切需要一种有凝聚力且无法检测的方法。
Additionally, it should be noted that creating dialog boxes in this manner will leave IOCs in the resource section of the final loader, as seen in the following screenshot. However, resources may also have the effect of lowering the risk score for the file in certain EDRs:
此外,应该注意的是,以这种方式创建对话框会将 IOC 保留在最终加载程序的资源部分中,如以下屏幕截图所示。但是,资源也可能降低某些 EDR 中文件的风险评分:
In summary, this article has demonstrated how SpiderLabs created a fake installer using dialog boxes in Visual Studio and provided an example scenario in which it was used during a red team engagement. The method of creating dialog boxes demonstrated in this article may not be the correct or conventional way to create dialog boxes. However, it proved effective for SpiderLabs’ specific needs.
总之,本文演示了 SpiderLabs 如何使用 Visual Studio 中的对话框创建虚假安装程序,并提供了一个在红队参与期间使用它的示例场景。本文中演示的创建对话框的方法可能不是创建对话框的正确或常规方法。然而,事实证明,它对 SpiderLabs 的特定需求是有效的。