pushsecurity / saas-attacks Goto Github PK

With the google AMP phishing stuff in the news (https://cofense.com/blog/google-amp-the-newest-of-evasive-phishing-tactic/) I'm wondering if there isn't a generic technique here? This doesn't feel like it's going to be solved quickly.

Perhaps something like "Trusted phishing hosting" - many different SaaS apps allow hosting of custom web content. Clearly the issue is amplified when that SaaS domain also hosts common SSO login pages (as Google above, but you've got to imagine there is going to be an equivalent on MS?).

Otherwise It might be best to just capture the AMP technique directly until we see similar techniques on other platforms.

Refer: https://github.com/Esonhugh/KubernetesCRInjection.

Here is my documents. I think this is a Potential attack surface in SaaS system which based on kubernetes.
After I discussed with some Cloud security Researchers about such attack,I summarized such attack technique and wrote such document.

1. SIM fraud for passwordless SMS logins or MFA bypassing
2. Persistence via similar methods by registered an adversary controlled phone number (as opposed to ghost logins)

If you can change the configuration of an actively used app's SAML config that is legit lateral movement no?

Maybe like something like AT0000 so as to not clash with Tactics TA0000 or Techniques T0000 from the original Mitre Matrix?

https://www.microsoft.com/en-us/security/blog/2023/12/12/threat-actors-misuse-oauth-applications-to-automate-financially-driven-attacks/

Exploitation of this and defences against it are becoming more common and is probably worth consideration for inclusion in the matrix.

Another interesting example that may be better off as a separate defence evasion technique is using noVNC to bypass protections:

https://mrd0x.com/bypass-2fa-using-novnc/

Here are some tools we should ref:

https://github.com/FSecureLABS/XRulez
https://silentbreaksecurity.com/malicious-outlook-rules
https://sensepost.com/blog/2016/mapi-over-http-and-mailrule-pwnage/

Run through all the techniques left to right to find some quick-win references to add where appropriate e.g. relevant blog posts/tools that are specific to the technique that we haven't already linked to

While reviewing Expensify for a couple example additions to techniques, I noticed this co-pilot functionality. This is essentially a form of delegating access to other users of the application so they can impersonate you. The "full access" option is almost equivalent to a full login.

Expensify offers "secondary logins", which function for a "ghost logins" attack, but this example feels a little different. Perhaps we need to a new technique in the matrix for covering situations where you can delegate control of your account to another account as a separate attack as it has other implications.

This could possibly be a subtechnique if we add those in future but probably better to flesh out the consent phishing example for now

We currently have mostly 1-2 examples for each technique demonstrating it is valid to a minimum of a proof of concept level. Going forwards, the more examples we have the better.

As a first step of that, we'll look to significantly expand the number of examples for some of the recon techniques. This is because many of these are relatively simple to check, somewhat consistent across different apps and it's obviously also the first phase in the kill chain.

https://github.com/mbrg/power-pwn