[Tiny Post] Toasted Phish

TL;DR @FoxIT made a rad tool, and I integrated it into Empire with one additional feature (pending pull request approval)

This post started when I viewed a tweet by @FoxIT where they were showcasing their awesome work on creating a phishing Powershell script. This script has the capability to launch Windows 10 style "toast" notifications which, upon being clicked, will prompt a user for their credentials with a modern username/password prompt. The script can impersonate running applications to give the user the impression that the pop-up came from a legitimate app, and the script can even hide the chosen application until the notification window has been dealt with. All great things for social engineering purposes, but the thing I cared the most about was that the prompts look familiar and updated, rather than other scripts such as powershell/collection/prompt in Empire or post/windows/gather/phish_windows_credentials in Metasploit. I highly encourage you to read up on the background info from their blog post: https://www.fox-it.com/en/insights/blogs/blog/phishing-ask-and-ye-shall-receive/

I immediately began formatting the Powershell to fit into Empire, and I also added the -VerifyCreds feature so that the script would validate any credentials entered into the prompt. If the creds are bogus then the pop-up is displayed again stating that invalid credentials were provided, and will loop until it is either canceled/closed out of or valid credentials are provided. The end result is a module called powershell/collection/toasted, the name is from the "Toast" notification components. I also extended the notification on-screen wait time from 5 seconds to ~25.

Below is a short GIF of it in action - all credit goes to @FoxIT for their great research and script.

Demo

comments powered by Disqus