»Purple Haze: The SpearPhishing Experience«
2019-11-08, 15:30–15:55, Blue Day

Someone great once said "pentesting doesn't have to be all dropping exploits and launching shells." I disagree. Not many people truly understand the grueling task of developing a new campaign, designing sick docs, building killer malware, or why the Red Team operates the way they do during a spearphishing campaign to ‘get those shells’. This talk will cover what the Red Team is really doing when they are trying to gain a foothold through social engineering as well as how Blue Teams can leverage this technical insight to combat the dreaded spearphish.

New phishing techniques are always welcome, but one wrong move with one of those techniques and the entirety of your staging infrastructure is burnt, blocked, and reported by the Incident Response team.

I will be going through many steps of trial and error I have experienced while running red team operations and try to drill down into why and how red teamers do things in a very specific (opsec-safe) way to gain a foothold through spearphishing. The talk will include the following techniques and topics:

  • Network reconnaissance for firewall rules
  • Basic OSINT for the tech stack
  • How advanced threat actors test dropper malware
  • Image injection and text message notifications
  • One-time use tokens for phishing payloads
  • Remote Template injection
  • VBA macros that work and why they work (and maybe some of what no longer works due to pesky EDR)
  • Other phishing techniques that are gaining popularity like Calendar Phishing and Excel 4.0

See also: Slides