nerdexam
GIAC

GCIH · Question #735

Which system is an attacker targeting by running the following command? PS > Invoke-MSOLSpray -UserList ./users.txt -Password Clippers22

The correct answer is A. Microsoft 365 cloud environment. Invoke-MSOLSpray is a PowerShell password-spraying tool that targets Microsoft Online (Azure AD) authentication endpoints used by Microsoft 365 services.

Cloud Incident Response & Threat Hunting

Question

Which system is an attacker targeting by running the following command? PS > Invoke-MSOLSpray -UserList ./users.txt -Password Clippers22

Options

  • AMicrosoft 365 cloud environment
  • BWindows systems on the local subnet
  • CThe organization's MSQL server
  • DThe local domain controller

How the community answered

(30 responses)
  • A
    87% (26)
  • B
    7% (2)
  • C
    3% (1)
  • D
    3% (1)

Why each option

Invoke-MSOLSpray is a PowerShell password-spraying tool that targets Microsoft Online (Azure AD) authentication endpoints used by Microsoft 365 services.

AMicrosoft 365 cloud environmentCorrect

MSOLSpray (Microsoft Online Spray) sends a single password against a list of usernames to Azure AD's cloud authentication endpoints, which underpin Microsoft 365 services including Exchange Online, SharePoint, and Teams. By spraying one password at a time across many accounts, it attempts to evade per-account lockout policies while gaining unauthorized Microsoft 365 access.

BWindows systems on the local subnet

MSOLSpray communicates exclusively with Microsoft's cloud-based authentication APIs over the internet and has no mechanism to target or enumerate Windows hosts on a local network subnet.

CThe organization's MSQL server

MSOLSpray contains no functionality for database attacks; it is purpose-built for Microsoft Online credential spraying and cannot interact with SQL server authentication protocols.

DThe local domain controller

The tool bypasses on-premises Active Directory and local domain controllers entirely by authenticating directly against Azure AD cloud endpoints, making the local domain controller irrelevant to the attack.

Concept tested: MSOLSpray password spraying against Microsoft 365 Azure AD

Source: https://github.com/dafthack/MSOLSpray

Topics

#MSOLSpray#password spraying#Microsoft 365#cloud credential attack

Community Discussion

No community discussion yet for this question.

Full GCIH Practice