The presentation was about how Office365 can be attacked, and how GSUITE features can be leveraged for phishing and RED Team assessments. Linkedin: https://www.linkedin.com/in/jebaraj-m-551a091aa/

1. A Red Teamer’s Access from
the internet.
Null Chennai Meet 23 November 2019
PRESENTER: JEBARAJ M

2. Most Used Mail Servers
 Office 365
 Gsuite
 Custom mail servers ( postfix, exim etc.)

3. OSINT to the best
 OSINT is the most important phase for conducting a Red Team Assessments.
 Some of the usefull resources for OSINT are as follows.
 https://osint.best/
 https://osintframework.com/

4. Linkedin to get Linked
 Linked in provides more data than you think that can link you in to an organization.
 From Linkedin name we can derive a email address by serveral combinations like,
firstname.lastname,
Lastname.firstname
Firstnamefirstletter.lastname
Lastnamefirstletter.firstname etc.

5. Hunting for emails
 There are many email scraper lying around the github.
 Hunter.io is an email scraper if you give an domain name it will fetch out the emails
on public internet.
 You can also makeuse of https://www.alreadycoded.com/ which has lead
generation tools.

6. Preying by Spraying
 Password Spraying is trying a single credential over multiple accounts.
Some default password that can be used for spraying are
Eg.
Nov@2019
Password123$
Summer2019 etc.

7. Attacking Office365
 Office 365 is a service provide by Microsoft for an organization communication.
 Autodiscover and Lyncdiscover are indicators.
Eg. autodiscover.example.com, lyncdiscover.example.com

9. Gotta check out the GAL
 Using GAL is a perfect way for user enumeration.
 GAL is Global Address List. You can use search option either on skype or while
composing a mail.
 In Gsuite you can open hangout to check for the user

10. Staying Stealth by Rules
 Attacker plan to remain stealth to maintain access for the compromised O365
accounts.
 Real Attackers Try to stay stealth as possible leaving no traces which would alert by
creating inbox rules and deleting the incoming mails after forwarding.

11. Doppel Ganger Phishing
 Doppel Ganger Domain is a look a like of a legitimate domain.
 Always choose a wise doppel ganger domain.

12. Phishing
 My approach towards a phising campaign which works most of the time is buying
a domain with ecommerce name, or elearning portals. Create a signup page or a
fake login portal customized to the targeted domain.
 Then conduct a phishing campaign stating we have partnered with
Eg book2learn.com etc

13. Phishing Delivery
 You can use Frameworks for phishing delivery by adding you smtp through which
your phishing email will be delivered.
 You can aslo use sendemail cli version tool.
 Some of the populary used phishing frameworks are
Gophish
KingPhisher etc.

14. Staying Stealth while Phising
 Hide your personal informations which may get leaked while setting up a phising
campaign.
 Main things a good attacker will hide as follows.
* Whois informations
* SSL Certificate informations

15. Phishing on GSuite
 Offcourse Gsuite use AI to read for any Spam and spoofy content.
 Gmail is secured by preventing malicious attachment.

16. Then How we can Conduct Phishing against a
GSUITE user?

17. Fear Not Google itself has made it simple
for us

18. Hangouts
 Google Hangout is used as a chat platform.
 Many users keep google hangout insecure. Thanks to google for that.

19. Hangout

20. Groups
 Google Group is a platform for creating a group conversations.
 You can create a google group at https://groups.google.com/
 Invite members to the group.
 Likelihood of suspicion is less also all thanks to google for their feature.

21. Groups

22. Ordering for Takeout
 Google provide a way to export all the google data in zip file which will contain
gmail,maps,playstore, etc.
 Takeout.google.com

23. Phishing attachment file types
 Most encountered phishing malicious attachments are as follows.
Docx
Doc
Xls
Xlsx
Rtf

24. Macroless
 DDE is Dynamic Data exchange based payloads can used to create dde based
pyloads which can be inserted on document.
 Some of the ways to generate the macroless payloads are as follows.
metasploit
Unicorn
Manual approach by formula injection etc.

25. Advanced macro based payload
 Vbscript are used for macros.
 Vbscripts can be obfuscated to evade detection.
 Vba Stomping can be done to evade detection

26. MACRO OBFUSCATION
 Vbscript can be obfuscated to evade detection.
 Some of the ways that VBScript code canbe obfuscated are as follows
 use of strreverse() function
 Custom use of the function name.
 Using custom encoder to encode the payload function eg. ROT series encoding.
 Many macro obfuscation tools are available on github.

27. VBA Stomping
 A Macro payload file contains two things VBA source code and pcode.The VBA
source code is compile into pcode which gets executed when enabling macros
after opening malicious marco embedded file.
 VBA Stomping is modifying the VBA source to fake that there is nothing malicious
on the macro file but the pcode will contain maclious payload.
 Tool: evilclippy

28. Undetectectable Marco payload
 An attacker can craft a malicious undetectable macro by combining macro
obfuscation + VBA STOMPING + AMSI BYPASS payload

29. DEMO

30. Linking maldocs
 Attacker abuse the Objecting Linking feature on Microsoft by embedding malicious
file and changing the icon to look legitimate.
 Microsoft ASR provides security in OLE nowadays

31. DEMO

32. Phishing Templating
 Mime type legitimate marketing mails can be copied and customized for phishing.
 Create internal forward like template while spear phishing.

33. See to the C2
 C2C server are setup on VPS to execute commands to the connected vitim
machines
 Some of the popular C2 framework used nowadays are
Covenant
Empire
Koadic

34. Getting the Access After Malcious
Execution on Remote Computer

35. What about Firewall?
 Many organizations have firewall and defender how to evade firewall and
endpoints.
 Stealth C2 data exfiltrations needs to be used in these type of scenarios.

36. Onedrive and DropBOX C2 Demo

37. Real Forensics Scenario Discussion