The Attack Lifecycle

Initial Access

The scenario assumed the attacker has office employee-level access. However, it was still deemed necessary to outline initial attack vectors for an outside attacker.

Proof-of-Concept initial access attacks were developed and tested, including:

  • Wireless Evil Twin attacks.
  • USB keystroke injection attacks.
  • Abusing NLA with internal network and service RCE vulnerabilities for initial domain access.
  • Social engineering.

Local Privilege Escalation

Service misconfigurations were abused for LPE.

Command, Control, and Network filter evasion

EDR bypass and network filtering bypass techniques were developed and used to establish Command and Control.

Domain privilege escalation

Kerberoasting and password spraying were used to elevate domain privileges.

Credential access

Keystroke logging and credential dumping were used to obtain credentials for a segmented domain, where transfer processing servers reside.

Lateral movement

With the credentials available, RDP, together with the previously established C2 and EDR evasion techniques, was used to gain access to the segmented infrastructure.

Segmented network enumeration

Once network access to the processing segment was obtained, the penetration testing team performed password-hunting and service enumeration activities on the terminal virtual hosts.

Credential hunting

An open share was discovered, containing employee manuals for processing operators. Alongside these manuals were unencrypted, unprotected text files left over by previous and current employees, containing their authentication credentials, which gave the security team complete access to both testing and production environments and databases.

Impact

At this point, by agreement with the Customer, the adversary simulation activity was considered complete, so as not to accidentally disrupt the normal workflow of the infrastructure.

Conclusion

The adversary simulation activity allowed the security team to demonstrate a complete compromise path without using any conventional, “exploitable” vulnerabilities. Instead, the attackers relied on the human factor, weak password policies and password reuse, service and Active Directory misconfiguration, and weak segmentation measures to achieve the goal. In addition, flaws in threat detection and response, endpoint protection, wireless protection, and security policies were discovered, areas that are usually out of scope for an infrastructure penetration test.

Despite mitigating all vulnerabilities discovered by a third-party company, the Client remained vulnerable to attacks and methods that a penetration test does not cover. Adversary simulation, in this case, offered a completely different viewpoint on the Client's security infrastructure, which made it possible to prevent a similar real-world attack in the future.