Blogs
-
1 June 2023
PfiatDe
/blog/2023/06/01/zipjar.html
ZipJar, a little bit unexpected attack chain
The upcoming .zip TLDs from Google brought some discussion about attack vectors. Most of those attack vectors are not completely new, like using an “@” to split between username and host. While playing around a little, an unexpected attack chain appeared, involving a .zip TLD, Windows Explorer, WebDAV and a jar file.
Some further reading and research:
-
12 February 2023
PfiatDe
/blog/2023/02/12/S4B_Teams.html
How your messenger used for internal communication (Teams or S4B) might compromise your company
In this blog post, some techniques for attacking a company network via the messengers Microsoft Skype-for-Business (S4B) and Microsoft Teams are demonstrated.
The following are just some well-known techniques, which work far too often because companies and employees are not aware of them. The success rate for this kind of phishing / social engineering is very high.
Most of the named points derive from the mdsec or the mr.d0x blog.
-
6 February 2023
PfiatDe
/blog/2023/02/06/spoof_office_comments.html
Spoofing comments in MS Office
TL;DR;
MS Office does not verify the integrity of the comment section. This allows an attacker to spoof comments or the author in the same tenant / AD, or even cross-tenant.
-
31 January 2023
PfiatDe
/blog/2023/01/31/code_c2.html
Let’s Go (VS) Code - Red Team style
or the Microsoft signed and hosted Reverse Shell
TL;DR;
MS is offering a signed binary (code.exe), which will establish a Command&Control channel via an official Microsoft domain https://vscode.dev. The C2 communication itself goes to https://global.rel.tunnels.api.visualstudio.com over WebSockets. An attacker only needs a GitHub account.
-
22 July 2022
PfiatDe
/blog/2022/07/22/thunderbird.html
Tampering with Thunderbird attachments under Windows
The Blogpost can be found here:
https://blog.syss.com/posts/tampering-with-thunderbird-attachements/
-
31 January 2022
PfiatDe
/blog/2022/01/31/office_handler.html
Abusing the MS Office protocol scheme
The Blogpost can be found here: