EDR product’s effectiveness evaluation
Evaluating EDR Product against Threat Actors: Uncovering Limitations and Collaboration for Enhanced Detection of Multiple Killchains.
The challenge
The team was tasked to perform an external black box engagement of an undisclosed banking institution without any restrictions on techniques used to obtain access, aside from establishing basic Rules of Engagement (RoE). No prior information except the Customer name and RoE was provided to the penetration testing team. However, a previous agreement stated that lateral movement and post-exploitation should be limited to avoid disruption of normal workflow.
The solution
The project had severe time constraints, but it was possible to achieve persistent internal access, exfiltrate confidential and personal information, and create internal attack scenarios that could further the infrastructure compromise.
How we did it
The team was tasked to perform an external black box engagement of an undisclosed banking institution without any restrictions on techniques used to obtain access, aside from establishing basic Rules of Engagement (RoE). No prior information except the Customer name and RoE was provided to the penetration testing team. However, a previous agreement stated that lateral movement and post-exploitation should be limited to avoid disruption of normal workflow.
The Attack Lifecycle
Reconnaissance
The team discovered external vulnerabilities in the infrastructure, abusing unrestricted file upload for phishing and payload staging. In addition, phishing targets were collected with OSINT methods.
Resource Development
Custom initial access vectors and payload loaders were developed for the engagement. Mailing infrastructure, domain fronts and C2 servers were set up and configured.
Initial Access
A phishing attack was successfully carried out.
Execution
Hand-written download/execute macros, self-unpacking LNK files and custom shellcode loaders were used for execution.
Persistence
Registry persistence was used for the payload.
Discovery & Privilege Escalation
Kerberos table service accounts and vulnerable folder redirection profiles were discovered and abused for domain privilege escalation.
Defense Evasion
Custom-built loaders and execution techniques were used to bypass EDR.
Credential access
Available web sessions and password stores were dumped to gain access to local credentials.
Impact
Impact simulation was not conducted to avert business disruption.
Conclusion
The engagement showcases the expertise and capabilities of the penetration testing team, as well as the importance of regular security assessments to proactively identify and mitigate potential risks. By partnering with knowledgeable professionals and implementing robust security measures, the banking institution can safeguard their systems, data, and reputation in an increasingly complex threat landscape.WHY WORK WITH TENENDO?
Reducing high-severity vulnerabilities’ exposure by up to
97%
Reducing the cost of security testing, audit, and consulting by up to
30%
About security testing:
Internal Adversary Simulation case study
Do you want to know how your organisation will fare against an internal attack? Look no further than Tenendo’s Internal Adversary Simulation.
Payment processing API penetration testing
Tenendo specialists discovered an unattended staging environment and leveraged its vulnerabilities for sensitive information disclosure. This information was later reused in an attack against the main application, that allowed us access to the payment API on behalf of other customers of our Client.
