Modern Workspace: PowerShell OAuth Error

Create PowerShell Session is failed using OAuth

When connecting to Exchange online (there was a reason I needed to do this) I had the following error:

I did some googling that luckily someone has already posted how to fix this:

https://www.vansurksum.com/2021/03/11/create-powershell-session-is-failed-using-oauth-when-using-the-exchange-online-v2-powershell-module/

It turns out WINRM’s ability to use BASIC client authentication is disabled as part of the standard Windows 10 hardening baseline deployed via Intune.

To fix these we need to re-enable BASIC client side WINRM authentication. Read more “Modern Workspace: PowerShell OAuth Error” →

Defense

Hardening Office 365 PowerShell Access

Only admins can use PowerShell, right? Wrong! In Office 365 and Azure AD standard users can connect using PowerShell.

In this quick post we are going to look at how to disable users from being able to read other users data using the MSOL cmdlets. (this also appears to limit AzureAD cmdlets access as well)

Disable MSOL Read Access

Run the following command as a global admin: Read more “Hardening Office 365 PowerShell Access” →

Guides

Becoming a Cyber Criminal (Pro) – Basic External Attacks

This is an experiment to combine a near real time thread on twitter and a blog… I have no idea if this will work. The premise is, we are conducting a adversary simulation against a target and want to see how this translates into a ‘plain language’ blog/story about how these things work. (I’ve also not included sales/scoping/documentaiton and clearly not all of this is in real time) but it is real!

The Fundamental Steps

Ok so first thing is first – the criminal part is a joke! We are here to help people. What we are going to do however is consider the general cyber threat landscape, look at the organisation from an ‘external threat actor’ perspective and then see what we can map out from an attack surface point of view.

CTF

Installing Subfinder on Windows

Subdomain Enumeration is a key part to security testing from an internet facing perspective. Today we are going to install Subfinder on a Windows Server.

Installation

Install GOLANG
- https://golang.org/doc/install

Launch a command prompt Read more “Installing Subfinder on Windows” →

CTF

Installing Covenant C2 on Windows

Covenant is a c2 built on .net core. It can run on Linux or Windows, so I thought I would do a quick install demo in the lab.

Resources

https://github.com/cobbr/Covenant/wiki/Installation-And-Startup

Prerequisites

The Windows GIT client
- https://git-scm.com/download/win
DotNet Core 3.1
- https://dotnet.microsoft.com/download/dotnet/3.1
The covenant files or git client

Defense

Password Spraying/Credential Stuffing OWA with Metasploit Framework

Ok so this is not very ‘1337’ but it will get the job done (and that is what is important, no one cares how they get pw3d they just care they were). If you really wanted, you could hand craft this in python of another language or use another tool (script etc.)

Do start with we are going to need a username list and a password list (as well as a target IP or DNS name). This could be:

Obtained via OSINT
Obtained via stolen/breached credentials
Dictionary Created
Password Lists could be used/generated etc.

We also need to have considerations for account lockouts. If we are doing a penetration test, then we will have to likely avoid DoS. If we are doing a ‘RED TEAM’ or adversary simulation, then we will want to avoid being noisy and getting caught. (If we are doing monitoring and detection testing you probably want to be quiet and noisy ala control testing). Read more “Password Spraying/Credential Stuffing OWA with Metasploit Framework” →

Defense

ProxyLogon (CVE-2021-26855) PoC and Metasploit Module Released

The last two weeks we’ve seen major activity around the world with defenders and criminals rushing to respond to the recent zero day vulnerability patches and then the race to reverse engineer the kill chain to create an explot. We saw a PoC fairly early but it required that you reverse engineer some exchange DLLs and/or TAP the 443 to 444 interface on an exchange server to work out how to weaponise it. Things however have progressed, 8 hours ago we saw a metasploit module go online:

Breach

ProxyLogon – A god mode backdoor even when used…

Imagine

Imagine being able to read emails from any mailbox from a corporation! But everyone uses office 365… don’t they? Well ok even if that was the case (It’s not) then the RCE would come into play. An RCE into system level access to Exchange which is so heavily tied to active directory they are almost joined at the hip) is a killer foothold. However, you pain the scenarios they aren’t good!

All knowing and all powerful

Imagine if you could read everyone’s email! What could you do with this?

Steal IP
Steal data
Steal credentials
Extort, blackmail and bribe

The SSRF vulnerability enabling a threat actor to gain unauthenticated read access to mailboxes would be a killer tool for both nation state spies and criminals alike. Read more “ProxyLogon – A god mode backdoor even when used with READ only” →

Defense

Thoughts on IOCs for Exchange Hafnium/ProxyLogon

Intro

This isn’t a rant, far from it but I’ve been working on this for over a week now and some major questions are sprining to mind with regard to how the IOCs and detection details released may have hindered response efforts. These vulnerabilities were known about since at least December 2020, there were months to get detection intel and scripts/tools ready for people (that’s if you don’t question why did it take so long). So I’ve put some of my thoughts down here on some of the challenges with the IoCs initially released and the detection tools etc. I’ll probably update this later but wanted to publish it before it becomes virtual dust! Read more “Thoughts on IOCs for Exchange Hafnium/ProxyLogon” →

Defense

Hafnium / Exchange Marauder High Level IR Help

Ok so John and I have been working on this for a while. We have been working with both customers and industry profesionals and there’s a common theme. Understranding the events from this incident are quite challenging because:

We don’t have sample log output for known bad traffic
The vulns can be used for data theft and/or backdoors (and further actions on target)

Getting guidance out so far on this has been challenging becuase:

There is not a public full kill chain POC to do comaprisons to (i’m ok with that)
We don’t have a pw3d server that has all the indicators from all the routes on

So to try and help people we have made a diagram which we will update as we go.

Essentially you need to perform a weighted analysis to understand if:

You had recon only
You had some SSRF
YOu had SSRF that led to data theft
You had a webshell planted