Microsoft-Teams-GIFShell

Press:

https://www.bleepingcomputer.com/news/security/gifshell-attack-creates-reverse-shell-using-microsoft-teams-gifs/

Technical Blogs:

https://medium.com/@bobbyrsec/gifshell-covert-attack-chain-and-c2-utilizing-microsoft-teams-gifs-1618c4e64ed7

https://medium.com/@bobbyrsec/microsoft-teams-attachment-spoofing-and-lack-of-permissions-enforcement-leads-to-rce-via-ntlm-458aea1826c5

Replication Steps:

There are a few prerequisites required to replicate the attack chain above:

Steps:

  1. Open the Python script, and edit instances of the token variable with the skypetoken_asm cookie value from your authenticated browser session running Microsoft Teams as the attacker.

  2. Open Microsoft Teams as an attacker, and create a new chat with the victim. Look at the network traffic, and extract the Teams URL of this conversation. The URL should be in the form `https://amer.ng.msg.teams.microsoft.com/v1/users/ME/conversations/<unique-identifier>@unq.gbl.spaces/messages`.

  3. Open the GIFShell Python script, and edit instances of the burp_url variable with the URL from Step #2.

  4. Open the Microsoft Teams chat associated with the webhook created by the attacker, in the authenticated browser session running Microsoft Teams as the attacker.

  5. Run the GIFShell Python script on the attacking machine. This will create a prompt to enter desired commands to be run on the victim’s machine.

  6. Open the GIFShell PowerShell stager script, and edit the $originalendpoint and $gifendpoint variables, changing the domain to the public IP address of the attacking machine.

  7. Open the GIFShell PowerShell stager script, and edit the $response variable, changing the webhook to the value of the attacker’s publicly available webhook.

  8. Run the PowerShell stager script on the victim’s machine.

  9. Execute the desired commands in the GIFShell Python script prompt.

  10. Ensure that while the desired commands are being executed, the Teams application is open to the chat associated with the publicly available webhook.