TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Black Hills InfoSec

Adversary in the Middle (AitM): Post-Exploitation

BHIS · 2024-11-04

ATT&CK techniques detected

28 predictions
T1566.002 Spearphishing Link
96%
"that I'm going over today, feel free to follow me. I post tools and other resources from time to time that are related to initial access methods and just other stuff that I use in my role at BHIS. So with that I'll stop talking about myself and we'll get into today's cont…"
T1525 Implant Internal Image
84%
"…'s for Azure. So you collect a large amount of information about the Azure environment and then you import that into your BloodHound user interface. And now you can view different attack paths and privilege escalation opportunities and all sorts of other things within Azure in…"
T1528 Steal Application Access Token
79%
"asking, are you trying to sign into Microsoft Edge? If we click continue, then we get a response back that says you've signed into the Microsoft Edge application on your device. You may now close this window. So we've completed the authentication process in the browser and n…"
T1588.002 Tool
77%
"… I am a red team practice lead at BHIS, and I'm also an initial access specialist on BHIS's ANTISOC continuous pen testing team, which is pretty much my primary role at the moment. All the testing that I'm doing at the moment has been on our continuous pen testing team. …"
T1531 Account Access Removal
73%
"to a user's Microsoft account and the blue team was onto us. They had detected some of our activity and so they were working on kicking us out of the environment. I opened up the portal, the Azure admin portal in one tab and the Intune admin portal in another tab, in addition to…"
T1528 Steal Application Access Token
64%
"device code authentication itself could be the thing that gets you caught. So we save this for last and use it with caution when we're doing post-exploitation and trying to stay covert. There is an alternate option that you could do here where you could potentially obtain token…"
T1621 Multi-Factor Authentication Request Generation
62%
"say her hit rate has got to be in like the 80% range or something. It's insane. It's way higher than your hit rate for any other technique. So like basically social engineering is just a requirement these days. The other thing, almost every attack is going to require social e…"
T1556.006 Multi-Factor Authentication
60%
"right here in the small text, clicking reset MFA will reset all your configured factors, e.g., SMS, call, push, et cetera. Yes, that is all true, but there is one exception. Whenever I think it's okay to reset the user's multifactor token, and that is if they are out of the offic…"
T1552.005 Cloud Instance Metadata API
58%
"searches through all the resources that are available to that user through SharePoint, through OneDrive, and checks them for patterns in either the file name, the extension or the contents of the file that indicate that the file contains something that we as attackers are interest…"
T1556.006 Multi-Factor Authentication
58%
"…y is going on if they get many push notifications. So if you do have to send push notifications, minimize the number of sign-ins that you're doing, log into some high-value resource such as the VPN or whatever, and operate from that for as long as you possibly can until…"
T1557 Adversary-in-the-Middle
57%
"Adversary in the Middle (AitM): Post-Exploitation. This webcast was originally broadcast on October 24, 2024. In this video, Michael Allen discusses adversary-in-the-middle post-exploitation techniques and process…"
T1539 Steal Web Session Cookie
56%
"because when we have to log in from a software client, instead of accessing the application for the web browser, we have to start a new authentication. We have to log in with that multifactor token again. And if we don't have the multifactor token, we can't log in and do tha…"
T1525 Implant Internal Image
50%
"searches through all the resources that are available to that user through SharePoint, through OneDrive, and checks them for patterns in either the file name, the extension or the contents of the file that indicate that the file contains something that we as attackers are interest…"
T1528 Steal Application Access Token
46%
"…you won't have to sign in again. What will happen is you'll just get a quick prompt saying, do you want to grant access to your TV? And you click allow and now your TV has access to your Netflix account. Well, for some reason that I still don't yet understand, Microsoft al…"
T1657 Financial Theft
46%
"…box and at their Teams messages, I saw that they had a long list of emails and Teams messages that had not been interacted with. This was really funny because they had logged into our adversary-in-the-middle phishing portal on this day, even though they were out of the office, …"
T1566.002 Spearphishing Link
45%
"things. There was so much time they got put into that and then it was a 10-minute phone call. And kind of the same philosophy can be applied towards like the CPT as well. Corey Ham: Like. Bryan Strand: Right. Are we going to be able to get like, get in, get to domain admin, like own…"
T1564.008 Email Hiding Rules
45%
"was caused by my own activity, then I can move it back to their inbox, I can mark it as unread, and I won't interrupt anything that that user is actually doing or that's like legitimate business email. If I was a real-world attacker, I would set that to permanently delete inst…"
T1566.002 Spearphishing Link
42%
"…s to provide access to other attackers to the environment. But if the session token expires before they have the opportunity to use it, now those attackers cannot access the environment even though they captured the session token, because the session token is no longer valid. S…"
T1528 Steal Application Access Token
37%
"this is the process that came from that experience, all kind of boiled down here on this one slide. So our adversary-in-the-middle post-exploitation triage process that we built from this experience to allow us to, as quickly as possible, do the right things and make use of the acc…"
T1078.004 Cloud Accounts
36%
"…'t able to do any of the previous steps or whatever. These are just laid out in this order for maximum effectiveness and to get the best return on the actions that we're doing. So we want to stay covert. That's why we're starting with preventing user alerts, and then from th…"
T1564.008 Email Hiding Rules
35%
"…I add this rule to the list of rules and I give it the parameters of the subject or body includes, and then all those strings you see there: security alert, new sign-in, et cetera, every different variation that I can think of of like a phrase that would be spec…"
T1528 Steal Application Access Token
35%
"because when we have to log in from a software client, instead of accessing the application for the web browser, we have to start a new authentication. We have to log in with that multifactor token again. And if we don't have the multifactor token, we can't log in and do tha…"
T1528 Steal Application Access Token
34%
"…s to provide access to other attackers to the environment. But if the session token expires before they have the opportunity to use it, now those attackers cannot access the environment even though they captured the session token, because the session token is no longer valid. S…"
T1528 Steal Application Access Token
33%
"…ries and tools. In particular I've got a couple of blog posts here from Invictus IR linked that contain detections for GraphRunner, the different actions that you can do with GraphRunner, things that indicate that someone is running GraphRunner in your environment. So we w…"
T1556.006 Multi-Factor Authentication
33%
"because, if the user gets a notification, such as a push notification or something else that tells them a new device was added, that's going to be super suspicious to see, on the other side of the country, a new multifactor token was added to their account. Also it could potenti…"
T1528 Steal Application Access Token
32%
"of the ones that we go to immediately called out right here. So first is TokenTactics again, to initiate that device code authentication and get the initial token, and then also to refresh the token that we get to the other token types that are needed by other tools, because every …"
T1078 Valid Accounts
30%
"…shing campaign that we did on the continuous pen testing ANTISOC team against many of our customers all at once. We did the, it's a postcard phishing attack that I've actually got a link to on the last slide of this deck, that I've talked about in a previous webcast. B…"
T1111 Multi-Factor Authentication Interception
30%
"…you won't have to sign in again. What will happen is you'll just get a quick prompt saying, do you want to grant access to your TV? And you click allow and now your TV has access to your Netflix account. Well, for some reason that I still don't yet understand, Microsoft al…"
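Two of the snippets above (T1564.008) describe the inbox rule the speaker builds after taking over a mailbox: a condition of "subject or body includes" with strings such as "security alert" and "new sign in", and an action that moves the message out of the inbox (a real attacker, he notes, would permanently delete instead). The check a defender wants is the inverse: walk every user's rules and flag the ones that key on alert vocabulary and hide the message. The script below is an added example written for this page, not BHIS's or the speaker's code. It assumes rule records shaped like Microsoft Graph `messageRule` objects (`displayName`, `isEnabled`, `conditions.subjectContains` / `bodyContains` / `bodyOrSubjectContains`, `actions.moveToFolder` / `delete` / `permanentDelete` / `markAsRead` / `forwardTo`); the sample rules, the phrase list and the scoring weights are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field

# Phrases that appear in the notifications an attacker's own sign-ins and MFA
# changes generate, and that a hiding rule would therefore key on. Constructed
# starting list; extend it with your tenant's own alert subjects.
ALERT_PHRASES = (
    "security alert", "new sign in", "unusual sign in", "unusual activity",
    "password", "mfa", "multifactor", "verification code", "new device",
    "was added",
)

# messageRuleActions fields that keep the user from seeing a message,
# in the order they are reported.
HIDING_ACTIONS = ("moveToFolder", "delete", "permanentDelete", "markAsRead", "forwardTo")


@dataclass
class Finding:
    rule: str
    matched_phrases: list = field(default_factory=list)
    hiding_actions: list = field(default_factory=list)
    score: int = 0


def _norm(text):
    # Lower-case and collapse hyphens/underscores/whitespace so that
    # "New Sign-In" and "new sign in" compare equal.
    return re.sub(r"[\s\-_]+", " ", text.lower()).strip()


def _condition_strings(rule):
    cond = rule.get("conditions") or {}
    out = []
    for key in ("subjectContains", "bodyContains", "bodyOrSubjectContains"):
        out.extend(cond.get(key) or [])
    return out


def _hiding_actions(rule):
    acts = rule.get("actions") or {}
    return [a for a in HIDING_ACTIONS if acts.get(a)]


def assess_rule(rule):
    """Return a Finding if the rule matches alert vocabulary AND hides mail, else None."""
    if rule.get("isEnabled") is False:
        return None
    matched = []
    for s in _condition_strings(rule):
        ns = _norm(s)
        for phrase in ALERT_PHRASES:
            if phrase not in matched and re.search(r"\b" + re.escape(phrase) + r"\b", ns):
                matched.append(phrase)
    hiding = _hiding_actions(rule)
    if not matched or not hiding:
        return None
    score = len(matched)
    if "delete" in hiding or "permanentDelete" in hiding:
        score += 3  # the variant the talk says a real attacker would use
    if "forwardTo" in hiding:
        score += 2  # also copies the alert to the attacker
    if len((rule.get("displayName") or "").strip()) <= 1:
        score += 1  # heuristic: blank or one-character rule names
    return Finding(rule.get("displayName", ""), matched, hiding, score)


def find_hiding_rules(rules):
    findings = [f for f in map(assess_rule, rules) if f is not None]
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed sample export in the shape of Graph messageRule objects.
SAMPLE_RULES = [
    {"displayName": ".", "isEnabled": True,
     "conditions": {"bodyOrSubjectContains": [
         "Security alert", "New sign-in", "unusual activity", "MFA", "verification code"]},
     "actions": {"moveToFolder": "folder-id-rssfeeds", "markAsRead": True,
                 "stopProcessingRules": True}},
    {"displayName": "Vendor invoices", "isEnabled": True,
     "conditions": {"senderContains": ["billing@"]},
     "actions": {"moveToFolder": "folder-id-invoices"}},
    {"displayName": "cleanup", "isEnabled": True,
     "conditions": {"subjectContains": ["Your password was changed", "new device"]},
     "actions": {"permanentDelete": True}},
]

if __name__ == "__main__":
    for f in find_hiding_rules(SAMPLE_RULES):
        print(f"score={f.score} rule={f.rule!r} phrases={f.matched_phrases} actions={f.hiding_actions}")
```

Run it over a real export by replacing `SAMPLE_RULES` with the `value` array from `GET /users/{id}/mailFolders/inbox/messageRules` for each mailbox. The legitimate "Vendor invoices" rule is not reported because it moves mail but matches no alert phrase; a rule that matches the phrases but only marks mail as read still scores, because that is enough to make a push-notification-free client miss the alert.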

Summary

In this video, Michael Allen discusses adversary-in-the-middle post-exploitation techniques and processes.
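Several of the tagged snippets (T1528) concern device code authentication: the speaker uses it to obtain an initial token from a captured session, but warns that the device code sign-in itself "could be the thing that gets you caught". On the defender side that translates into a simple hunt: every successful device-code sign-in, ranked by whether its source is new for that user. The script below is an added example for this page, not BHIS's code or part of the talk. It assumes sign-in records carrying the Microsoft Graph `signIn` fields `userPrincipalName`, `createdDateTime`, `authenticationProtocol` (value `deviceCode` for this flow), `ipAddress`, `location.countryOrRegion` and `status.errorCode`; the records themselves are constructed.

```python
from datetime import datetime

# Constructed sign-in records mirroring only the Graph signIn fields used below.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-10-20T13:02:00Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Edge",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-10-24T21:41:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Edge",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2024-10-22T09:15:00Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.22",
     "location": {"countryOrRegion": "US"}, "appDisplayName": "Office 365 Exchange Online",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2024-10-23T09:20:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22",
     "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Edge",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2024-10-23T11:00:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.9",
     "location": {"countryOrRegion": "DE"}, "appDisplayName": "Microsoft Edge",
     "status": {"errorCode": 50126}},  # constructed non-zero code: the sign-in failed
]


def _ts(rec):
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def find_device_code_signins(signins):
    """Flag successful device-code sign-ins; rank by whether the source is new for the user."""
    # Baseline per user: (ip, country) pairs seen on successful non-device-code sign-ins.
    baseline = {}
    for r in signins:
        if r["authenticationProtocol"] != "deviceCode" and r["status"]["errorCode"] == 0:
            baseline.setdefault(r["userPrincipalName"], set()).add(
                (r["ipAddress"], r["location"]["countryOrRegion"]))

    findings = []
    for r in signins:
        if r["authenticationProtocol"] != "deviceCode" or r["status"]["errorCode"] != 0:
            continue
        user = r["userPrincipalName"]
        ip, country = r["ipAddress"], r["location"]["countryOrRegion"]
        known = baseline.get(user, set())
        reasons = ["device code flow used"]
        if ip not in {k[0] for k in known}:
            reasons.append(f"ip {ip} not in user's baseline")
        if country not in {k[1] for k in known}:
            reasons.append(f"country {country} not in user's baseline")
        # Unknown IP and unknown country together: treat as high. A user with no
        # baseline at all also lands here, which is the conservative choice.
        severity = "high" if len(reasons) == 3 else "medium"
        findings.append({"user": user, "time": _ts(r), "ip": ip, "country": country,
                         "app": r.get("appDisplayName"), "severity": severity,
                         "reasons": reasons})
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["time"]))


if __name__ == "__main__":
    for f in find_device_code_signins(SAMPLE_SIGNINS):
        print(f["severity"], f["user"], f["ip"], f["country"], f["app"], "; ".join(f["reasons"]))
```

Feed it the `value` array from `GET /auditLogs/signIns` (or an export of the same data from your SIEM) with a baseline window of a few weeks. Bob's sign-in stays at medium because it came from an address he already uses; Alice's is high because both the IP and the country are new, which is exactly the "other side of the country" signal the speaker expects users and defenders to notice.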

The post Adversary in the Middle (AitM): Post-Exploitation appeared first on Black Hills Information Security, Inc.