Portable Media

Last updated 8 months ago

Was this helpful?

Portable Media

Understanding the Attack

Definition

A portable media attack involves distributing malicious files via removable media devices. The victim is deceived into executing the file, which then performs harmful actions on their system. In Lucy's context, success is measured by retrieving the executed data from the victim's computer.

Checklist

Real-world Examples

USB Stick in Public Places: A USB stick labeled "Confidential - Company Financials" is left in a company parking lot. An employee finds it and inserts it into their computer out of curiosity, executing the malicious file.
CD with Company Branding: A CD labeled "Employee Benefits Overview" is mailed to employees. When they insert the CD and open the file, it executes malicious code.
Infected SD Cards: An SD card labeled "Project Files" is distributed at a conference. Attendees insert the card into their computers to access the files, unknowingly executing the malicious software.

Configuration

Create a New Campaign:

Navigate to the Campaigns Dashboard and select the "New Campaign" button. Choose the "Attack Simulation" campaign type.

Choose Attack Type:

Select -> Skip Wizard and enable expert setup

Give the scenario a name and client:

Navigate to Attack Settings and select New Scenario:

Select the Portable Media Attack Template:

Select the "Portable Media Attack" scenario and click "Use template".

Give the Scenario a Name and Pick a Domain:

Specify the domain or IP used upon execution. The malware simulation will send data back to this host.
Specify what constitutes a successful attack, by default this will be set to "Data Submit" and click "Save"

Add your Portable Media recipient group:

Portable Media recipients are automatically generated by the system to track each file created for a portable media device and do not use company email addresses.

Navigate to Configuration -> Recipients -> "Add Group"
Add your Portable Media recipient group:

I received an error "Incompatible recipient group type"

This error occurs when you select a recipient group that is not optimized for a Portable Media Attack.

Solution:

Navigate to Users -> Recipient Groups -> Select "New Group"

Enter the group name, and associated client:

Ensure to enable the check box for "Portable Media Attack" and specify the number of items you will be loading the files on.

Download Files:

Navigate to Results -> Summary -> Select "Download Files"

To address the dynamic nature of payload creation, note that these file-based attack files are not signed by code signing certificates and may trigger antivirus alerts. To mitigate this, ensure to whitelist these files by their path for testing purposes. Additionally, update the Group Policy Object to apply these changes for the company-wide simulation.

Upload Files to Portable Media:

Once these files are downloaded, they can be extracted from their zip file.
Place each file on an individual Portable Media device.
Distribute these Portable Media devices among your organization.

Start Campaign:

Start the campaign and wait for the configuration checks to complete

When the campaign starts, LUCY will wait for incoming requests from the executed files.

Payload Execution Process

The Portable Media attack uses a Console Post to run ipconfig and whoami commands. It aims to find users accessing unknown media and executing the payload, likely named "Yearly Bonus Report."

Portable Media Attacks are not classified as Keyloggers and will not run automatically.

Payload Data Received

After a user has successfully executed the file, Lucy will capture the output data and display a success metric on the Summary Dashboard:

To observe the output from the file execution, navigate to Results -> Statistics -> Collected Data
Click the "command_line_output.txt" to view the output data

Example Output:

[ipconfig]

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : localdomain
   IPv4 Address. . . . . . . . . . . : 10.0.0.25
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.2

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

[whoami]
visvang\nick