Beginner Friendly
Phished for Initial Access
Follow along as we get hands-on with phishing, token abuse and exfiltrating data from Office 365.
Overview
Follow along in this beginner-friendly lab as we get hands-on with phishing, token abuse and exfiltrating data from Office 365. It provides a good overview of real-world techniques that threat actors use to compromise Azure environments and move laterally and vertically within them, and of how we can protect against these attacks.
Scenario
On a red team engagement for our client Mega Big Tech, your team has been asked to simulate opportunistic threat actors. In scope is the on-premises and Azure cloud infrastructure, and phishing is also permitted. They have recently hardened their perimeter in terms of publicly accessible services. Can you show them that there are other ways in?
Lab prerequisites
- Basic Windows and Linux command line knowledge
- Foundational knowledge of cloud security
- Foundational knowledge of offensive security
- Your own cloud account to stand up an internet-accessible VM
Learning outcomes
- Leak Net-NTLMv2 hashes to gain user credentials
- Identify valid users and credentials using Oh365UserFinder
- Verify MFA enforcement status using MFASweep
- Perform token abuse using TokenTacticsV2
- Enumerate and exfiltrate data from Azure using native tools and scripts
- Learn how this scenario can be detected and prevented
Real-world context
Network perimeter security has improved a lot over the years, although it can still be found wanting (and arguably, in the cloud, the perimeter is an IAM perimeter). Threat actors have instead turned their attention to the human element, social-engineering employees as a way to leak sensitive data or gain a foothold within an organization. In this evolving arms race, admins have increasingly been implementing multi-factor authentication (MFA) as a way to protect identities. However, as with all things admin, there are many options in how MFA can be configured, and this optionality can leave gaps in defenses that threat actors can exploit. Token abuse is also a very real issue, and this lab explores some of the factors that make it possible, and how defenders can make it much harder to do.