Webinar takeaways: Attack Tactics 8 – Poison the Well


My key takeaways

  • Malicious documents, e.g. with macros enabled, placed in SharePoint? No need to bypass phishing controls anymore!
    • Documents hosted there are already trusted by users
    • Difficult to trace
  • M$ Smart Lockout is effective at reducing direct attacks
    • FireProx (AWS) or Proxycannon-ng (OpenVPN) can circumvent it
  • Unsolicited push notifications used to bypass MFA can’t be reported as phish
    • might be sent especially at the beginning of the work day or after typical lunch hours
  • The cloud version of the AD is available by default in Azure as Active Directory Users and Computers (ADUC)
    • should be restricted by admins immediately
  • Implantable file types should be checked regularly on SharePoint/OneDrive
    • .docm .xlsm .pptm for Macros
    • .proj .csproj as dev artifacts
    • .bat .ps1 .vba as scripts
    • they might be poisoned but trusted by end users!
  • Macros don’t try to execute shellcode directly anymore; instead they drop a link file in the user’s startup folder
  • If you see spikes and anomalies in your Azure login attempts, have a closer look!
  • FIDO2 might make this attack much harder
  • Passwords are dead
    • reduce complexity
    • enforce length
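
The periodic check of implantable file types on SharePoint/OneDrive, and the point that a trusted document may carry a macro, can be turned into a small audit. The script below is an added example written for these notes; it is not from the webinar or from any tool named there. It walks a directory (assumed to be a synced library folder), flags the extensions listed above, and additionally opens Office Open XML containers to look for a vbaProject.bin part, so a macro document renamed to .docx is still caught. The sample files it builds in a temporary directory are constructed stand-ins, not real documents.

```python
"""Audit a directory tree for implantable file types and hidden VBA projects.

Added example for these webinar notes (not the webinar's own material).
Assumption: `root` is a local folder synced from a SharePoint/OneDrive library.
"""
import tempfile
import zipfile
from pathlib import Path

# Extensions named in the takeaways, with the reason each one matters.
RISKY_EXTENSIONS = {
    ".docm": "macro-enabled Word",
    ".xlsm": "macro-enabled Excel",
    ".pptm": "macro-enabled PowerPoint",
    ".proj": "build/dev artifact",
    ".csproj": "build/dev artifact",
    ".bat": "script",
    ".ps1": "script",
    ".vba": "script",
}
# Office Open XML formats are zip containers; any of them can hide a VBA part.
OOXML_EXTENSIONS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}


def ooxml_has_macro(path):
    """Return True if the zip container holds a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        # Not a zip at all (e.g. a placeholder or legacy binary file): nothing to inspect.
        return False


def audit_tree(root):
    """Walk `root` and return sorted (relative path, reason) findings."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        rel = path.relative_to(root).as_posix()
        if ext in RISKY_EXTENSIONS:
            findings.append((rel, RISKY_EXTENSIONS[ext]))
        if ext in OOXML_EXTENSIONS and ooxml_has_macro(path):
            findings.append((rel, "VBA project inside OOXML container"))
    return sorted(findings)


def write_ooxml(path, parts):
    """Write a minimal constructed OOXML-style zip with the given part names."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for name in parts:
            zf.writestr(name, b"")


def build_sample_library(root):
    """Create constructed sample files standing in for a synced library."""
    root = Path(root)
    for sub in ("Finance", "Templates", "Tools"):
        (root / sub).mkdir(parents=True, exist_ok=True)
    (root / "Finance" / "notes.txt").write_text("meeting notes")
    (root / "Finance" / "report.docx").write_bytes(b"not a zip")   # harmless placeholder
    write_ooxml(root / "Finance" / "quarterly.xlsm", ["xl/workbook.xml", "xl/vbaProject.bin"])
    write_ooxml(root / "Templates" / "invoice.docx", ["word/document.xml", "word/vbaProject.bin"])
    (root / "Tools" / "cleanup.ps1").write_text("Get-ChildItem")


def run_demo():
    """Build the constructed library in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_library(tmp)
        return audit_tree(tmp)


if __name__ == "__main__":
    for rel, reason in run_demo():
        print(f"{rel}: {reason}")
```

The renamed `invoice.docx` is the case worth noticing: it has a harmless extension and would pass a filter that only looks at file names, but the audit reports it because the VBA part is still inside the container.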
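
The advice to look closer at spikes and anomalies in Azure login attempts is the kind of thing a short detection script can make concrete. The following is an added example written for these notes, not a tool from the webinar. The sign-in records are constructed sample lines with simplified field names (`time`, `user`, `ip`, `result`) that are an assumption, not the real Azure sign-in log schema; the two rules it applies, a burst of failures for one account and one source address touching several accounts in a short window, are both spikes a defender would want surfaced.

```python
"""Flag sign-in spikes in a small batch of sign-in records.

Added example for these webinar notes. The log lines and field names below are
constructed for the demo and only loosely resemble Azure sign-in logs.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: one normal user, one account under a failure burst,
# and one source IP cycling through several accounts.
SAMPLE_LOG = """\
{"time": "2020-03-10T08:00:05Z", "user": "alice@example.com", "ip": "198.51.100.20", "result": "success"}
{"time": "2020-03-10T08:02:00Z", "user": "bob@example.com", "ip": "203.0.113.10", "result": "failure"}
{"time": "2020-03-10T08:02:30Z", "user": "bob@example.com", "ip": "203.0.113.10", "result": "failure"}
{"time": "2020-03-10T08:03:00Z", "user": "bob@example.com", "ip": "203.0.113.10", "result": "failure"}
{"time": "2020-03-10T08:03:30Z", "user": "bob@example.com", "ip": "203.0.113.10", "result": "failure"}
{"time": "2020-03-10T08:04:00Z", "user": "bob@example.com", "ip": "203.0.113.10", "result": "failure"}
{"time": "2020-03-10T08:04:30Z", "user": "bob@example.com", "ip": "203.0.113.10", "result": "failure"}
{"time": "2020-03-10T08:10:00Z", "user": "carol@example.com", "ip": "198.51.100.7", "result": "failure"}
{"time": "2020-03-10T08:10:20Z", "user": "dave@example.com", "ip": "198.51.100.7", "result": "failure"}
{"time": "2020-03-10T08:10:40Z", "user": "erin@example.com", "ip": "198.51.100.7", "result": "failure"}
{"time": "2020-03-10T08:30:00Z", "user": "alice@example.com", "ip": "198.51.100.20", "result": "failure"}
"""

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_events(text):
    """Parse JSON lines into dicts with a datetime `time`, sorted chronologically."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
        events.append(rec)
    return sorted(events, key=lambda r: r["time"])


def detect_anomalies(text, window_minutes=10, user_fail_threshold=5, ip_user_threshold=3):
    """Return (kind, key, time, count) alerts, each key alerted at most once.

    user_failure_spike:     one account with >= user_fail_threshold failures in the window
    ip_multi_account_spike: one source IP touching >= ip_user_threshold accounts in the window
    """
    window = timedelta(minutes=window_minutes)
    user_failures = defaultdict(deque)   # user -> recent failure timestamps
    ip_attempts = defaultdict(deque)     # ip -> recent (timestamp, user) pairs
    alerted, alerts = set(), []

    for ev in parse_events(text):
        t, user, ip = ev["time"], ev["user"], ev["ip"]

        if ev["result"] == "failure":
            q = user_failures[user]
            q.append(t)
            while q and t - q[0] > window:       # drop failures outside the window
                q.popleft()
            if len(q) >= user_fail_threshold and ("user", user) not in alerted:
                alerted.add(("user", user))
                alerts.append(("user_failure_spike", user, t.strftime(TIME_FMT), len(q)))

        q = ip_attempts[ip]
        q.append((t, user))
        while q and t - q[0][0] > window:
            q.popleft()
        distinct_users = {u for _, u in q}
        if len(distinct_users) >= ip_user_threshold and ("ip", ip) not in alerted:
            alerted.add(("ip", ip))
            alerts.append(("ip_multi_account_spike", ip, t.strftime(TIME_FMT), len(distinct_users)))

    return alerts


if __name__ == "__main__":
    for kind, key, when, count in detect_anomalies(SAMPLE_LOG):
        print(f"{when} {kind} {key} (count={count})")
```

The thresholds are deliberately parameters: a single failure for alice stays below them, while bob's burst fires on the fifth failure and the address cycling through three accounts fires on the third, which is the moment a closer look is warranted.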

User comments

  • Adrian Santangelo

    Protip: If you get to a push notification, try IMAP and POP. It’s enabled by default now and bypasses MFA.

  • shmooz

    "Just because you’re paranoid doesn’t mean they aren’t after you." ― Joseph Heller

  • Ryan | The Shootist | Editor

    One name you DON'T want to use for your cloud is "Sync Hole"

  • nand0ps

    Short expiry periods lead to the same password with a different number at the end

  • weston

    I would enforce 16 character passwords in my environment if I didn’t think it would get me fired.


azure, red teaming, sharepoint

