What is your initial access way since the recent updates on the motw?

[Sh0ckFR]

Hello,

I wanted to have an opinion on this question, since the blocking of macros, and updates of the mark of the web, what did you use in your red team exercises?

Have a good day!

[NeonPayload]

Depending on how big the organization your pentesting, you can spray and pray with https://github.com/0xZDH/o365spray most orgs use o365 doing some email enumeration with https://hunter.io/ to find a list of emails to trove though and leaked databases. Doing this doesn't also just give you access, but also can allow you customer that they have already had a breach and creds are already out there. Obviously this is low hanging fruit, but you would be shocked how much this does pop up.

 

edit: typo

Edited November 15, 2022 by NeonPayload

[Sh0ckFR]

Yep I already know that, thank you for your answer, that's interesting anyway, my post was just oriented on the pure payload side sent by emails, I forget to mention that sorry.

Because we used macros, and iso or img + lnk as red-teamers few months ago, I'm interested to know if someone is actually finding any others ways or leads.

[zzz]

I think with the fragility of MOTW (in dealing with different container formats, read-only etc) there's still some use left with the current tech.

What the future looks like is hard to see right now. Macros were so prevalent for so long, I almost feel bad for them going away. 

[Sh0ckFR]

I'm totally agree, and I think that Microsoft has fixed most of the last possibilities about MOTW (mal formed authenticode sig, read-only etc...), I not checked with the last updates of Windows, but I will do that in few days.

Yes, macros were funny, not the VBA but calling windows APIs and syscalls via VBA, it was just awesome.