Snaffpoint
If you have been doing any Red Team operations in the last few years, you may have encountered a tool called Snaffler. Snaffler leverages the internal Active Directory to find file shares, and other kinds of shared storage such as internal SharePoint sites, and then searches them for files of interest. What files are of interest? The ones you define for it to look for.
In the cloud, we have a similar tool called Snaffpoint. This tool is found on GitHub at https://github.com/nheiniger/SnaffPoint and was written by Nicolas Heiniger and several others. It is designed to go against SharePoint Online, which is valuable for us in the cloud, as many of the attacks we may have to launch will involve enterprise backends running SharePoint Online. The language of choice is KQL, a query language that will be seen in Microsoft Graph, Cosmos DB, Sentinel, and many other Microsoft systems.
It does require a JWT to access the SharePoint system. How many ways have you already seen to get these JWTs? We have several options:
• TokenTactics v1 and v2
• TeamFiltration
• Cursed Chrome (Person in the Browser)
• Evilginx2 (Adversary in the Middle)
Given this, we can see that Snaffpoint is an excellent tool for post-exploitation situations.