DeepSec 2025 Talk: How To Breach: From Unconventional Initial Access Vectors To Modern Lateral Movement – Benjamin Floriani & Patrick Pongratz
The perpetual cat-and-mouse game between attackers and defenders has pushed offensive security operators to innovate. While enterprise security teams have become adept at identifying and blocking malicious Office documents, suspicious executables, and known phishing URLs, a significant blind spot often remains: the gray area of “benign” file formats that are implicitly trusted by both users and security tools. This talk will arm attendees with the knowledge to identify and leverage these blind spots in red team engagements.
We will begin by exploring the strategic shift from noisy, high-volume attacks to stealthy, low-profile techniques designed to circumvent modern EDR, email gateways, and web proxies. We’ll discuss why certain file types and delivery mechanisms succeed where others fail, focusing on the technical elements that make them effective. This includes exploiting the browser’s rendering engine and abusing features in file formats that were never intended for malicious use. The main part of the presentation is a detailed, step-by-step walkthrough of an attack chain using a weaponized SVG image, infecting a user with malware and spreading laterally with Intune.
We will demonstrate the entire attack chain:
- Crafting the Lure: Creating a malicious SVG that, when opened, executes the malicious content.
- Delivery & Execution: Discussing methods for delivering the payload and giving alternatives to SVG images.
- Infection & Lateral Movement: Showcasing how the malware gets executed and how Microsoft Intune can be used afterwards to move laterally through the network.
Beyond the SVG case study, we will briefly cover other unconventional vectors to broaden the audience’s perspective. Attendees will leave this session with a new arsenal of TTPs. Red teamers will learn how to build more sophisticated and evasive initial access campaigns. Blue teamers and defenders will gain insights into these emerging threats, learning what artifacts to hunt for.
We asked Benjamin and Patrick a few more questions about their talk.
Please tell us the top 5 facts about your talk.
- Realistic Scenario
- Observed in the Wild
- Unusual Attack Path
- Live Demo
- Funny Guys
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
We were trying to find a good logo for our company, and Patrick accidentally hacked himself with JavaScript.
Why do you think this is an important topic?
We think these unconventional access vectors are not really known, so it is important to raise awareness of them.
Is there something you want everybody to know – some good advice for our readers, maybe?
Don’t put sauce on a Schnitzel. Also, don’t click on unknown SVG files, please.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
As hybrid environments get more common, red team engagements will shift towards cloud-based attacks.

Benjamin Floriani and Patrick Pongratz
Benjamin and Patrick have several years of experience in penetration testing and red team engagements. Both are winners of multiple national and international CTF tournaments, including ACSC, ECSC and SANS. They met in 2018 at CANCOM Austria AG (formerly known as Kapsch BusinessCom), where they worked and formed the Red Team together. Because of their passion for cyber security, they decided in 2025 to form their own company, SecCore GmbH, focusing on highly realistic penetration tests, red team engagements and purple team exercises.
