“exploiting mfa inconsistencies on microsoft services exploiting mfa inconsistencies on microsoft services beau bullock / / overview on offensive engagements, such as penetration tests and red team assessments, i have been seeing inconsistencies in how mfa is applied to the variou…”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1556.006Multi-Factor Authentication
90%
“flag to force it. the script also can attempt to log into the adfs server, letting you know if mfa is configured there. conclusion before i released this tool, i used it on a few real world engagements and found inconsistencies in mfa deployments that allowed me to gain access to…”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1556.006Multi-Factor Authentication
86%
“use the mfa features. more and more organizations are implementing mfa across accounts. microsoft mfa has a few different options for verification : - microsoft authenticator app - oauth hardware token - sms - voice call during offensive engagements, we commonly perform password …”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1556.006Multi-Factor Authentication
76%
“factor authentication. - blocks legacy authentication protocols ( ews, imap, smtp, or pop3, etc. ). - requires users to perform multi - factor authentication when necessary. - protects privileged activities like access to the azure portal. these settings tremendously help to prot…”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1556.006Multi-Factor Authentication
73%
“end - of - life the good news is that microsoft is planning on disabling legacy authentication. the bad news is that due to covid - 19, the date for disabling it has moved back to the 2nd half of 2021. so, it looks like we ’ ll be checking for legacy authentication for a while lo…”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1098.002Additional Email Delegate Permissions
65%
“usernames, and more. you can use mailsniper to perform these actions : https : / / github. com / dafthack / mailsniper. when using mailsniper with ews on microsoft 365, make sure to use the - remote flag as shown in the following command for authentication. invoke - selfsearch - …”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1078.004Cloud Accounts
48%
“to run after authenticating, see my cloud pentesting cheat sheets here : https : / / github. com / dafthack / cloudpentestcheatsheets roadtools should work here as well : https : / / github. com / dirkjanm / roadtools azure service management api if the user has a subscription ti…”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
Summary
Beau Bullock // Overview On offensive engagements, such as penetration tests and red team assessments, I have been seeing inconsistencies in how MFA is applied to the various Microsoft services. […]