»Gone Calishing: A Red Team Approach to Weaponizing Google Calendar and How to Stop It.«
2019-11-09, 11:00–11:25, Red Day
On Halloween, October 31, 2018, 2 Black Hills Security Researchers, Beau Bullock and Michael Felch disclosed, step-by-step to Google how anyone with a gmail account could add an event, as "accepted" to any Google Calendar via the Google Calendar API. Google called it a feature. Why, a year later is this not fixed? This talk will demonstrate how this "calishing" attack can be utilized in a Red Team operation where the target organization uses G-Suite. I will demonstrate this by leveraging an open source python tool that I have developed, G-Calisher, based on Beau Bullock's and Michael Felch's PowerShell module "Invoke-InjectGEventAPI" from their MailSniper tool. I will lead the audience through the entire kill chain from recon (How to determine if an organization is using G-suite for its email) through Command and Control. I will also discuss how the organization can stop this attack.
Outline: I. Intro II. What is “Calishing?” III. Why Is This Talk Relevant to Red (and Blue) Teamers? IV. Step-by-step Attack a. Recon b. Creating a new google account c. Getting an API key d. Calishing using my G-Calisher python tool e. Command and Control (C2) V. How do we stop this? VI. Q&A