Portable Media
Understanding the Attack
Definition
A portable media attack involves distributing malicious files via removable media devices. The victim is deceived into executing the file, which then performs harmful actions on their system. In Lucy's context, success is measured by retrieving the executed data from the victim's computer.
Checklist
Real-world Examples
USB Stick in Public Places: A USB stick labeled "Confidential - Company Financials" is left in a company parking lot. An employee finds it and inserts it into their computer out of curiosity, executing the malicious file.
CD with Company Branding: A CD labeled "Employee Benefits Overview" is mailed to employees. When they insert the CD and open the file, it executes malicious code.
Infected SD Cards: An SD card labeled "Project Files" is distributed at a conference. Attendees insert the card into their computers to access the files, unknowingly executing the malicious software.
Configuration
Create a New Campaign:
Navigate to the Campaigns Dashboard and select the "New Campaign" button. Choose the "Attack Simulation" campaign type.
Choose Attack Type:
Select -> Skip Wizard and enable expert setup
Give the scenario a name and client:
Navigate to Attack Settings and select New Scenario:
Select the Portable Media Attack Template:
Select the "Portable Media Attack" scenario and click "Use template".
If it's not available, download it by first navigating to Templates -> Download Templates and searching for "Portable Media Attack".
Give the Scenario a Name and Pick a Domain:
Specify the domain or IP used upon execution. The malware simulation will send data back to this host.
Specify what constitutes a successful attack (by default this is set to "Data Submit") and click "Save".
Add your Portable Media recipient group:
Portable Media recipients are automatically generated by the system to track each file created for a portable media device and do not use company email addresses.
Navigate to Configuration -> Recipients -> "Add Group"
Download Files:
Navigate to Results -> Summary -> Select "Download Files"
Because payloads are generated dynamically, these file-based attack files are not signed with a code-signing certificate and may trigger antivirus alerts. To avoid false alarms during testing, whitelist the files by their path. For the company-wide simulation, apply the same exclusion through a Group Policy Object.
Please refer to our guide on File Attack Whitelisting.
Upload Files to Portable Media:
Once these files are downloaded, they can be extracted from their zip file.
Place each file on an individual Portable Media device.
Distribute these Portable Media devices among your organization.
Start Campaign:
Start the campaign and wait for the configuration checks to complete.
When the campaign starts, LUCY will wait for incoming requests from the executed files.
Payload Execution Process
The Portable Media attack uses a Console Post to run the ipconfig and whoami commands. It aims to find users accessing unknown media and executing the payload, likely named "Yearly Bonus Report."
Portable Media Attacks are not classified as Keyloggers and will not run automatically.
Payload Data Received
After a user has successfully executed the file, Lucy will capture the output data and display a success metric on the Summary Dashboard:
To observe the output from the file execution, navigate to Results -> Statistics -> Collected Data
Click the "command_line_output.txt" to view the output data
Example Output:
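The collected command_line_output.txt holds the raw ipconfig and whoami output described above. The following added example (not part of the LUCY documentation or product) parses such a file into the user and host identity a campaign owner needs for follow-up, and flags partial submissions where one of the two commands produced no output. The sample text is constructed, not real campaign data.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of a collected command_line_output.txt (ipconfig output
# followed by whoami, as the page describes); not data from a real campaign.
SAMPLE_OUTPUT = """\
Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : corp.example
   IPv4 Address. . . . . . . . . . . : 10.20.30.41

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . :

corp\\jdoe
"""

# Only spaces/tabs may follow the colon, so an empty suffix line never swallows the next line.
IPV4_RE = re.compile(r"IPv4 Address[ .]*:[ \t]*(\d{1,3}(?:\.\d{1,3}){3})")
SUFFIX_RE = re.compile(r"DNS Suffix[ .]*:[ \t]*(\S+)")
WHOAMI_RE = re.compile(r"^[ \t]*([^\\\s]+\\[^\\\s]+)[ \t]*$", re.MULTILINE)  # DOMAIN\user

@dataclass
class ExecutionRecord:
    user: Optional[str] = None
    ipv4: List[str] = field(default_factory=list)
    dns_suffixes: List[str] = field(default_factory=list)

    @property
    def complete(self) -> bool:
        # Both commands must have produced output; anything less is a partial submission.
        return self.user is not None and bool(self.ipv4)

def parse_collected_output(text: str) -> ExecutionRecord:
    """Extract who ran the file and on which network from the submitted output."""
    m = WHOAMI_RE.search(text)
    return ExecutionRecord(
        user=m.group(1) if m else None,
        ipv4=IPV4_RE.findall(text),
        dns_suffixes=SUFFIX_RE.findall(text),
    )

def summarize(record: ExecutionRecord) -> str:
    # One line per submission, usable in the follow-up report to the affected team.
    if not record.complete:
        return "incomplete submission: payload output missing or unexpected"
    suffix = f" in {record.dns_suffixes[0]}" if record.dns_suffixes else ""
    return f"{record.user} executed the file on host {', '.join(record.ipv4)}{suffix}"
```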