In June 2022 I was tasked with creating a tabletop scenario, and specifically that it be realistic. With limited information on what the client needed, my manager asked that the attack path include an attacker exploiting a current vulnerability via a phishing attack to access the client's network. I chose to use the recently-released "Follina" vulnerability. Tracked as CVE-2022-30190, this vulnerability affected Microsoft's diagnostic MSDT tool and potentially allowed for remote code execution.
However, in the vein of my overly complicated and unnecessarily detail-oriented mind, I decided that the screenshots had to be really accurate, and created a mostly functional exploit path for this vulnerability. As far as I can recall, it included a user who clicks on an email to get help from a technician, which downloads and executes an MSDT file. This would show a pop-up that pretends to be an error while the an actual shell gets downloaded and executed. Of course something like Crowdstrike or other EDR tools would probably pick it up, but it was fun to play with anyway, and the screenshots were definitely realistic. Unfortunately the client came back and told us we couldn't do that, so the whole thing was scrapped.
Regrettably I didn't blog about it.
No comments:
Post a Comment