TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Black Hills InfoSec

Dynamic Device Code Phishing

BHIS · 2023-05-16

ATT&CK techniques detected

9 predictions
T1566.002 Spearphishing Link
89%
"the target user doesn’t see your phish within that timeframe? well, as the phisher, you’re out of luck. we need a better option. dynamic device code phishing in order to enhance our chances for phishing success, we need to extend that 15-minute window of opportunity during …"
T1566.002 Spearphishing Link
62%
"a powershell module for generating device codes and refreshing refresh tokens created by bobby cooke @0xboku and myself. token tactics’ main feature is the ability to refresh tokens to different audiences. say, for example, you phished a user and received an msgraph token. if y…"
T1111 Multi-Factor Authentication Interception
57%
"dynamic device code phishing dynamic device code phishing rvrsh3ll // introduction this blog post is intended to give a light overview of device codes, access tokens, and refresh tokens. here, i focus on the technical how-to for standing up and operating a dynamic device code …"
T1528 Steal Application Access Token
52%
"below. once the correct code is entered on the computer, the tv is signed in. the same premise applies to device code phishing. we, as the attacker, generate the code to give the user. that code is for https://microsoft.com/devicelogin as seen below. when the user signs in…"
T1528 Steal Application Access Token
50%
"do with tokens. closing it’s important to note that wherever the device code is generated, that ip address will show in the logs. keep that in mind when avoiding or implementing conditional access policies. also, the authentication package brings mfa along with it. so, future c…"
T1111 Multi-Factor Authentication Interception
47%
"a powershell module for generating device codes and refreshing refresh tokens created by bobby cooke @0xboku and myself. token tactics’ main feature is the ability to refresh tokens to different audiences. say, for example, you phished a user and received an msgraph token. if y…"
T1528 Steal Application Access Token
46%
"a powershell module for generating device codes and refreshing refresh tokens created by bobby cooke @0xboku and myself. token tactics’ main feature is the ability to refresh tokens to different audiences. say, for example, you phished a user and received an msgraph token. if y…"
T1528 Steal Application Access Token
33%
"##voke tokentactics. after the user enters the device code, we should receive the access and refresh tokens and they will be saved to tokenlog.log. post-capture you may parse your access_token received client-side at https://jwt.io or with token tactics’ “parse-jw…"
T1111 Multi-Factor Authentication Interception
30%
"do with tokens. closing it’s important to note that wherever the device code is generated, that ip address will show in the logs. keep that in mind when avoiding or implementing conditional access policies. also, the authentication package brings mfa along with it. so, future c…"

Summary

rvrsh3ll // Introduction: This blog post is intended to give a light overview of device codes, access tokens, and refresh tokens. Here, I focus on the technical how-to for standing […]

The post Dynamic Device Code Phishing appeared first on Black Hills Information Security, Inc.