Gone Calishing: A Red Team Approach to Weaponizing Google Calendar and How to Stop It.
2019-11-09, 11:00–11:25, Red Day

On Halloween, October 31, 2018, 2 Black Hills Security Researchers, Beau Bullock and Michael Felch disclosed, step-by-step to Google how anyone with a gmail account could add an event, as "accepted" to any Google Calendar via the Google Calendar API. Google called it a feature. Why, a year later is this not fixed? This talk will demonstrate how this "calishing" attack can be utilized in a Red Team operation where the target organization uses G-Suite. I will demonstrate this by leveraging an open source python tool that I have developed, G-Calisher, based on Beau Bullock's and Michael Felch's PowerShell module "Invoke-InjectGEventAPI" from their MailSniper tool. I will lead the audience through the entire kill chain from recon (How to determine if an organization is using G-suite for its email) through Command and Control. I will also discuss how the organization can stop this attack.

I. Intro
II. What is “Calishing?”
III. Why Is This Talk Relevant to Red (and Blue) Teamers?
IV. Step-by-step Attack
a. Recon
b. Creating a new google account
c. Getting an API key
d. Calishing using my G-Calisher python tool
e. Command and Control (C2)
V. How do we stop this?

See also: Presentation Slides