
When IT Support Calls Dissecting a ModeloRAT Campaign from T...#2231

Open
carlospolop wants to merge 1 commit into master from update_When_IT_Support_Calls__Dissecting_a_ModeloRAT_Camp_20260513_200140

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Rapid7 analyzed an April 2026 enterprise intrusion that began with Microsoft Teams social engineering and escalated into endpoint compromise, ModeloRAT deployment, Windows local privilege escalation, credential theft, lateral movement, memory dumping, and likely data exfiltration. The attacker abused Microsoft Teams external access, which can allow users from one tenant to directly message users in another tenant. A newly created tenant, UCICasociacion.onmicrosoft[.]com, imperson...

🔧 Technical Details

Trusted collaboration-platform phishing: If Microsoft Teams external access allows cross-tenant messaging, an attacker-controlled tenant can directly contact employees while impersonating helpdesk or IT support. This moves social engineering away from email controls into a trusted business communication channel. In this case, the tenant UCICasociacion.onmicrosoft[.]com impersonated IT Support and convinced the victim to execute the attacker’s payload.


Bring-your-own portable Python execution: A stager can download a cloud-hosted ZIP to a user-writable path such as AppData, extract a portable Python runtime, remove the archive, and run malware with pythonw.exe to avoid a visible console. This is useful for attackers because the interpreter does not need to be installed globally and scripts can be staged as ordinary files under the user profile. The observed command downloaded Winp.zip from Dr...

🤖 Agent Actions

Done.

Updated:

  • src/windows-hardening/ntlm/places-to-steal-ntlm-creds.md

Added:

  • A new subsection on WebDAV auth coercion / credential validation via rundll32.exe davclnt.dll,DavSetCookie
  • Practical command example
  • Notes on:
    • using it for NTLM over HTTP/WebDAV
    • internal credential validation / lateral movement prep
    • WebClient service dependency
    • relaying/capturing with ntlmrelayx.py
    • detection value of repeated DavSetCookie usage

Also updated the file’s References section with:

  • Rapid7 blog
  • Microsoft davclnt docs
  • Splunk detection reference

Validation:

  • git diff --check passed

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
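A detection-oriented example, added here and not part of the PR, the HackTricks page or the Rapid7 report: it scans constructed process-creation events for the two behaviours summarized above, rundll32 loading davclnt.dll,DavSetCookie (escalating when a single host repeats it) and pythonw.exe launched from under a user's AppData directory. The event field names, host names, the Winp directory name and the repeat threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample process-creation events; field names are an assumption.
EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\davclnt.dll,DavSetCookie srv01 http://srv01/share"},
    {"host": "WS01", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe davclnt.dll,DavSetCookie srv02 http://srv02/share"},
    {"host": "WS01", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe davclnt.dll,DavSetCookie srv03 http://srv03/share"},
    # Portable interpreter staged under the user profile (directory name assumed).
    {"host": "WS02", "image": r"C:\Users\alice\AppData\Local\Winp\pythonw.exe",
     "cmdline": r"pythonw.exe C:\Users\alice\AppData\Local\Winp\run.py"},
    # Benign: system-wide Python install, should not be flagged.
    {"host": "WS03", "image": r"C:\Program Files\Python312\pythonw.exe",
     "cmdline": r"pythonw.exe C:\tools\report.py"},
]

# davclnt.dll,DavSetCookie with optional whitespace around the comma.
DAVSETCOOKIE = re.compile(r"davclnt\.dll\s*,\s*DavSetCookie", re.IGNORECASE)
# pythonw.exe whose image path sits anywhere below an AppData directory.
APPDATA_PYTHONW = re.compile(r"\\AppData\\.*\\pythonw\.exe$", re.IGNORECASE)
REPEAT_THRESHOLD = 3  # assumption: tune to the environment's baseline


def detect(events, repeat_threshold=REPEAT_THRESHOLD):
    """Return (rule, host, detail) findings for the supplied events."""
    findings = []
    dav_per_host = Counter()
    for ev in events:
        if DAVSETCOOKIE.search(ev["cmdline"]):
            dav_per_host[ev["host"]] += 1
            findings.append(("davsetcookie", ev["host"], ev["cmdline"]))
        if APPDATA_PYTHONW.search(ev["image"]):
            findings.append(("pythonw_appdata", ev["host"], ev["image"]))
    # Repeated DavSetCookie use from one host is the higher-value signal.
    for host, count in dav_per_host.items():
        if count >= repeat_threshold:
            findings.append(("davsetcookie_repeated", host, f"{count} invocations"))
    return findings


if __name__ == "__main__":
    for rule, host, detail in detect(EVENTS):
        print(f"{rule:22} {host:6} {detail}")
```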

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.rapid7.com/blog/post/tr-it-support-dissecting-modelorat-campaign-microsoft-teams-compromise

Content Categories: Based on the analysis, this content was categorized under "Windows Hardening > Windows Local Privilege Escalation for CVE-2023-36036 cldflt.sys; Windows/Active Directory Lateral Movement or NTLM for davclnt.dll DavSetCookie credential validation; Phishing Methodology for Microsoft Teams external-access impersonation".

Repository Maintenance:

  • MD Files Formatting: 974 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
