• Enhance red team operators' knowledge of trending TTPs across several MITRE Techniques
• Cross fingers
• Create a custom C2 payload combining several TTPs for remote access to a network.

• Reconnaissance
• Execution
• Credential Access

Example Techniques

• Active Scanning
• PowerShell
• LSASS Dumping

https://attack.mitre.org/techniques/enterprise/

• git clone <insert tool>
• cd <tool name>
• pip install -r requirements.txt
• hackstuff.py -target anything.ru

• Recon
• Social Engineering
• Cloud
• Initial Access
• Post Exploitation

• Many tools and mostly personal pereference
• Do it for each domain that's in-scope and attached to Azure Tenant
• Feed results to other tools for further enumeration
• Certificate Transparency Searching cert.sh may reveal internal hostnames

• Accurate
• Stealthy
• In many cases you may still enumerate users if blocked from sending messages

• Still true if not more so
• Part of our daily lives
• Influence others
• "Would you grab me a cup of coffee while you're in Starbucks?"
• "Hi Jan, I'm Joe from IT and your PC requires an update that we cannot deploy from here. We need you to run this quick patch for your pc. Can you help us real quick after your meeting?"

• Face-to-face conversation
• Phishing
• Vishing
• Smishing
• *ishing. (any way to communicate)

• SMTP Smart Host "company-com.mail.protection.outlook.com"
• Send-MailMessage -SMTPServer <insert>
• Default
• May bypass some gateways
• Spoof External to Internal and Internal to Internal

• Business-to-Business allowed by default
• Links are less scrutinized than email
• Can send SharePoint files/links
• Can use AADInternals, Manual, or TeamsPhisher

https://github.com/Octoberfest7/TeamsPhisher

• Send .rdp file
• User connects back to your server
• Capture clipboard, plant files, and steal files

• Cred captures
• Fingerprint devices
• TokenTactics
• Bypass normal Phishing Controls

• Gold standard for reverse proxy phishing
• Capture username,password, and session cookie

• Using AI to impersonate and fool another person into performing some action.
• Real-Time Voice
• Text to Voice
  • resemble.ai
  • voice.ai
  • speechify.com

• Azure allows other tenants to connect if allowed
• Find credentials in code repositories, Shares, or SharePoint
• Common usernames such as sa are not allowed. sqladmin is however allowed.

Azure SQL

Finding

• Amazon Simple Notification Service (SNS)
• Example: SNS topic emails the security team
• Find Vulnerability 
• Send spoofed phishing email to the securiy team
  • Use aws cli to send message to topic
• Check SNS policy with cli for "allow *" principal

• What are your goals?
  • Obtain credentials
  • Obtain sensitive data
  • Obtain a shell
  • Obtain administrator tears

• May self-sign
• Sign with a "Leaked Certificate"
• May backdoor an already signed application
  • SpecterOps
    • https://specterops.io/blog/2023/06/07/less-smartscreen-more-caffeine-abusing-clickonce-for-trusted-code-execution/
• Host on azurewebsites.net

• May not be allowed out over standard SSH
• Try other ports
• Just works better than C2 SOCKS

• Find Leaked CertificatesCavaet to C# app domain injection:
  • https://tij.me/blog/finding-and-utilising-leaked-code-signing-certificates/
  • It works ;)
• You cannot install an MSIX package if it is not signed
• Cannot execute-assembly/sharpinline in the same agent due to the app domain.

• What do you do after initial access?
  • Install persistence
  • Enumerate the host
  • Enumerate the internal network
  • Elevate privileges
  • Move laterally

• Most cases, user to DA
• Multiple abuse paths
• Easy win
• Certipy - https://github.com/ly4k/Certipy

• SharpSCCM
  • https://github.com/Mayyhem/SharpSCCM
• SCCMHunter
  • https://github.com/garrettfoster13/sccmhunter
• PXEThief
  • https://github.com/MWR-CyberSec/PXEThief
• SeatBelt
  • https://github.com/GhostPack/Seatbelt

Be Back Soon

REDHOT

REDHOT

DEFCON 31