The team was tasked to perform an external black box engagement of an undisclosed banking institution without any restrictions on techniques used to obtain access, aside from establishing basic Rules of Engagement (RoE). No prior information except the Customer name and RoE was provided to the penetration testing team. However, a previous agreement stated that lateral movement and post-exploitation should be limited to avoid disruption of normal workflow.
The project had severe time constraints, but it was possible to achieve persistent internal access, exfiltrate confidential and personal information, and create internal attack scenarios that could further the infrastructure compromise.
The team was tasked to perform an external black box engagement of an undisclosed banking institution without any restrictions on techniques used to obtain access, aside from establishing basic Rules of Engagement (RoE). No prior information except the Customer name and RoE was provided to the penetration testing team. However, a previous agreement stated that lateral movement and post-exploitation should be limited to avoid disruption of normal workflow.
The team discovered external vulnerabilities in the infrastructure, abusing unrestricted file upload for phishing and payload staging. In addition, phishing targets were collected with OSINT methods.
Custom initial access vectors and payload loaders were developed for the engagement. Mailing infrastructure, domain fronts and C2 servers were set up and configured.
A phishing attack was successfully carried out.
Hand-written download/execute macros, self-unpacking LNK files and custom shellcode loaders were used for execution.
Registry persistence was used for the payload.
Kerberos table service accounts and vulnerable folder redirection profiles were discovered and abused for domain privilege escalation.
Custom-built loaders and execution techniques were used to bypass EDR.
Available web sessions and password stores were dumped to gain access to local credentials.
Impact simulation was not conducted to avert business disruption.
This case is a very good example why manual penetration tests are valuable – the team achieved compromise without administrator access to the application, not using any known exploits or discovering injection/deserialization/other RCE flaws.
Do you want to know how your organisation will fare against an internal attack? Look no further than Tenendo’s Internal Adversary Simulation.
The Azure penetration test helped the client identify and remediate multiple issues and misconfigurations, harden their infrastructure and calculate potential risks.
