Account Manipulation

§ Where this technique fits

§ Dossiers chaining this technique

• Vish helpdesk → Okta MFA reset → admin → ransomware (MGM-class)

  Identify an Okta admin via LinkedIn. Vish the helpdesk pretending to be that admin, get MFA reset. Sign in, plant attacker MFA factor, then push policy changes that disable MFA for chosen apps before mass-deploying ransomware.

  step 4 / 7

• vCenter pre-auth RCE → root on every ESXi → mass encrypt

  Pre-auth RCE on vCenter Server (DCERPC or vSphere Client class CVE). Deploy SSH key via vCenter to every managed ESXi, then mass-encrypt every .vmdk — the ESXiArgs / Black Basta playbook.

  step 4 / 6

• Predictable RNG → forge password-reset tokens

  App generates reset tokens via Math.random / Mersenne Twister seeded with time(). Capture a few legit tokens, recover the internal state, predict the next token for any user.

  step 5 / 6

• Flash-loan governance attack → DAO admin

  Voting power = token balance at snapshot. Borrow enormous quantity via flash loan inside the snapshot tx, vote yourself in as admin, repay loan.

  step 5 / 6

• Vishing → helpdesk MFA reset → account takeover

  Pose as a panicked employee locked out before a meeting. Helpdesk resets MFA based on partial PII (employee ID + date of birth from LinkedIn). Attacker registers their own factor.

  step 5 / 6

• MFA fatigue / prompt-bombing → M365 admin compromise

  Attacker has the password (from breach / spray) but not MFA. Spam push approvals at 2 AM until the user taps yes out of habit — used in the Uber and 0ktapus breaches.

  step 5 / 6

§ What commonly comes next

1. 01
   Valid Accounts

   T1078 · Initial Access
   seen 2×
2. 02
   Azure RBAC Owner Assignment

   C-AZ-RBAC-OWNER · Privilege Escalation
   seen 1×
3. 03
   ESXi Mass-Encrypt Ransomware

   HV-ESXI-RANSOM · Impact
   seen 1×
4. 04
   Exchange Web Services (EWS) Exfil

   M365-EWS-EXFIL · Collection
   seen 1×
5. 05
   Exfiltration Over C2 Channel

   T1041 · Exfiltration
   seen 1×