How we did it
The simulation was staged onsite at the Client’s premises, which allowed for physical attacks to take place.
The penetration testing team obtained complete access to the Client’s office domain, network access to processing segments, SSH credentials to critical servers, database passwords and access to critical Web applications.
The Attack Lifecycle
Initial Access
Initial Access I
It was evident that wired network ports were available. It was demonstrated how an attacker would directly gain access to the internal network, inspect broadcast traffic for initial information gathering, and conduct network-level attacks.
Initial Access II
It was discovered that there were corporate wireless networks with WPA-EAP authentication. Therefore, an Evil Twin attack was conducted.
Despite successfully evading monitoring in some cases, the endpoint configuration was deemed sufficiently secure against Evil Twin attacks; the only vulnerable devices were those not configured by the domain policy.
Initial Access III
The domain endpoint configuration was proven to be vulnerable to keystroke injection attacks due to missing HID filtering and USB monitoring.
Initial Access IV
Phishing was also thoroughly explored as an initial access vector due to MS Word being in use.
For phishing pages, the modlishka MitM proxying approach was used. Emails were designed to resemble current threat actor campaigns as closely as possible. It later became evident that employee training was on par with security recommendations; however, mailing misconfigurations that allowed for phishing were present.
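The mailing misconfigurations that let spoofed mail through are typically weaknesses in the domain's SPF and DMARC policies. The following checker is an added example (not Tenendo's tooling and not from the engagement); it assumes that the relevant misconfigurations are of that kind, and it evaluates constructed sample TXT records offline, so no DNS lookups are made.

```python
"""Offline check of a domain's SPF and DMARC records for spoofing exposure.

Added example, not Tenendo's tooling. The records below are constructed
sample TXT values; in practice they come from DNS TXT lookups of <domain>
and _dmarc.<domain>.
"""
import re
from dataclasses import dataclass, field

# Constructed sample records (assumption: not taken from the engagement).
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mail.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 -all",
        "dmarc": "v=DMARC1; p=reject; adkim=s; aspf=s",
    },
    "bare.example": {"spf": None, "dmarc": None},
}

# SPF terms that cost a DNS lookup (the RFC caps these at 10 per evaluation).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|exists:|redirect=)", re.I)


@dataclass
class MailPolicyFinding:
    domain: str
    issues: list = field(default_factory=list)

    @property
    def spoofable(self) -> bool:
        return bool(self.issues)


def check_spf(record):
    """Return a list of weaknesses in an SPF TXT record (empty if none)."""
    if record is None:
        return ["no SPF record: any host may send as this domain"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["malformed SPF record"]
    issues = []
    # The final 'all' mechanism decides how unlisted senders are treated.
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        issues.append("SPF has no 'all' term: unlisted senders are neutral")
    else:
        q = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if q == "+":
            issues.append("SPF '+all': every sender passes")
        elif q in "~?":
            issues.append(f"SPF '{q}all': unlisted senders only softfail/neutral")
    if sum(1 for t in terms if LOOKUP_TERM.match(t)) > 10:
        issues.append("SPF exceeds 10 DNS lookups: evaluates to permerror")
    return issues


def check_dmarc(record):
    """Return a list of weaknesses in a DMARC TXT record (empty if none)."""
    if record is None:
        return ["no DMARC record: SPF/DKIM failures are not enforced"]
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return ["malformed DMARC record"]
    issues = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        issues.append("DMARC p=none: spoofed mail is delivered, only reported")
    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct < 100:
        issues.append(f"DMARC pct={pct}: policy applied to only part of traffic")
    return issues


def assess_domain(domain, records):
    finding = MailPolicyFinding(domain)
    finding.issues += check_spf(records.get("spf"))
    finding.issues += check_dmarc(records.get("dmarc"))
    return finding


def assess_all(records=SAMPLE_RECORDS):
    return {d: assess_domain(d, r) for d, r in records.items()}


if __name__ == "__main__":
    for domain, finding in assess_all().items():
        print(domain, "SPOOFABLE" if finding.spoofable else "ok")
        for issue in finding.issues:
            print("  -", issue)
```

A domain that passes both checks still needs DKIM signing on its outbound mail for DMARC alignment to hold; the script only covers what the two TXT records state.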
Defense Evasion
The team discovered that network filtering or whitelisting was completely missing for the internal infrastructure. Custom techniques, tools and specifically crafted payloads were used to bypass execution restrictions and establish C&C.
Privilege escalation
Although local privilege escalation was not required for the attack path, the team discovered that DLL hijacking could potentially be leveraged for that.
Persistence
To demonstrate the lack of user-level persistence monitoring, several simple persistence approaches were used.
Reconnaissance
Active Directory enumeration was done by LDAPS relaying and BloodHound. Aside from vulnerabilities used in the kill chain, several AD misconfigurations and vulnerabilities were discovered, but not actively exploited during the engagement. The team also enumerated GPOs and performed advanced network reconnaissance.
Domain privilege escalation
Domain privilege escalation I
A misconfigured certificate template, suitable to be used for authentication, was discovered and exploited. As a result, a domain admin TGT was obtained.
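The usual form of this finding is a template that grants an authentication EKU, lets the enrollee supply the subject name, needs no manager approval, and is enrollable by a broad group. The audit below is an added example (not Tenendo's tooling); it assumes that pattern, and it works on constructed dicts that mimic the LDAP attributes of template objects rather than querying a directory.

```python
"""Audit AD CS certificate templates for the combination that lets a
low-privileged enrollee obtain a certificate usable for domain logon.

Added example, not Tenendo's tooling. The templates are constructed dicts
mimicking the LDAP attributes of objects under
CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,...
(assumption: in practice they are read with an LDAP query).
"""

# Flag bits of msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002  # CA manager approval required

# EKU OIDs that make a certificate acceptable for Kerberos (PKINIT) logon.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Principals whose enrollment right means "effectively every user".
# Assumption: extend with the domain's own broad groups.
BROAD_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

# Constructed sample templates (not from the engagement).
SAMPLE_TEMPLATES = [
    {   # dangerous: any domain user can request a logon cert for any UPN
        "name": "UnsafeUserAuth", "enabled": True,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "msPKI-Certificate-Name-Flag": 0x1,
        "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
        "enroll": ["Domain Users", "CORP\\PKI Admins"],
    },
    {   # default-style User template: subject is built from AD, not supplied
        "name": "User", "enabled": True,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
        "msPKI-Certificate-Name-Flag": 0x0,
        "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
        "enroll": ["Domain Users"],
    },
    {   # supplies subject, but every request waits for manager approval
        "name": "ApprovedVPN", "enabled": True,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "msPKI-Certificate-Name-Flag": 0x1,
        "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS, "msPKI-RA-Signature": 0,
        "enroll": ["Authenticated Users"],
    },
    {   # supplies subject, but only Server Authentication EKU: no logon
        "name": "WebServerCustom", "enabled": True,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
        "msPKI-Certificate-Name-Flag": 0x1,
        "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
        "enroll": ["Domain Users"],
    },
]


def allows_authentication(template):
    ekus = template.get("pKIExtendedKeyUsage") or []
    # An empty EKU list means the certificate is valid for any purpose.
    return not ekus or bool(set(ekus) & AUTH_EKUS)


def audit_template(t):
    """Return a finding dict when every condition of the unsafe pattern holds, else None."""
    if not t.get("enabled", True) or not allows_authentication(t):
        return None
    if t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        return None  # manager approval blocks unattended issuance
    if t.get("msPKI-RA-Signature", 0) > 0:
        return None  # an authorised co-signature is required
    if not t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        return None  # subject comes from AD; requester cannot pick a UPN
    broad = BROAD_PRINCIPALS & set(t.get("enroll", []))
    if not broad:
        return None
    return {
        "template": t["name"],
        "enrollable_by": sorted(broad),
        "fix": "remove ENROLLEE_SUPPLIES_SUBJECT or require manager approval, "
               "and restrict enrollment to the intended group",
    }


def audit_templates(templates=SAMPLE_TEMPLATES):
    return [f for f in (audit_template(t) for t in templates) if f]


if __name__ == "__main__":
    for finding in audit_templates():
        print(finding["template"], "enrollable by", finding["enrollable_by"])
        print("  fix:", finding["fix"])
```

Each rule maps to one remediation: removing the enrollee-supplied-subject flag, requiring approval or a registration-authority signature, or narrowing the enrollment ACL each breaks the chain on its own.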
Domain privilege escalation II
Another approach to obtaining domain administrator rights was forced authentication of domain controllers combined with AD CS relay abuse.
Domain privilege escalation III
NTLM hash stealing could be abused on public shares with a relay to elevate domain privileges.
Domain privilege escalation IV
Two possible paths of GPO abuse were discovered: obtaining a local administrator password through sensitive information disclosure in GPO scripts, or backdooring writable MSI files.
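Both GPO paths can be found with a read-only sweep of what the policies ship. The scanner below is an added example (not Tenendo's tooling): it looks for stored credentials in GPO scripts and preference XML and for policy-deployed MSI packages that broad groups can write to. It runs over a constructed in-memory stand-in for SYSVOL; the GPO GUIDs, share names and password value are placeholders, and the per-file write ACL is supplied as data rather than read from the file system.

```python
"""Scan GPO content in SYSVOL for stored credentials and for broadly writable
MSI packages deployed by policy: the two GPO abuse paths named above.

Added example, not Tenendo's tooling. The file tree below is a constructed
in-memory stand-in for SYSVOL (assumption: in practice paths are walked from
\\<domain>\SYSVOL and ACLs read from the file system).
"""
import re
from pathlib import PureWindowsPath

# Each entry: UNC path -> (file content, principals with write access).
# Constructed sample data; the GPO GUIDs and password are placeholders.
SAMPLE_SYSVOL = {
    r"\\corp.example\SYSVOL\corp.example\Policies\{00000000-0000-0000-0000-000000000001}"
    r"\Machine\Preferences\Groups\Groups.xml": (
        '<Groups><User name="localadm" changed="2023-01-01 00:00:00" '
        'cpassword="EXAMPLE-ENCRYPTED-VALUE"/></Groups>',
        ["Domain Admins"],
    ),
    r"\\corp.example\SYSVOL\corp.example\Policies\{00000000-0000-0000-0000-000000000001}"
    r"\Machine\Scripts\Startup\map_drives.bat": (
        r"net use Z: \\fs01\share /user:corp\svc_backup ExamplePass1" + "\n",
        ["Domain Admins"],
    ),
    r"\\corp.example\SYSVOL\corp.example\Policies\{00000000-0000-0000-0000-000000000002}"
    r"\Machine\Scripts\Startup\deploy.ps1": (
        r"msiexec /i \\fs01\deploy\agent.msi /qn" + "\n",
        ["Domain Admins"],
    ),
    r"\\fs01\deploy\agent.msi": ("<binary>", ["Domain Users"]),
    r"\\fs01\deploy\reader.msi": ("<binary>", ["Domain Admins"]),
    r"\\corp.example\SYSVOL\corp.example\Policies\{00000000-0000-0000-0000-000000000002}"
    r"\Machine\Scripts\Startup\set_tz.cmd": ('tzutil /s "UTC"\n', ["Domain Admins"]),
}

# Patterns that indicate a credential embedded in policy content.
SECRET_PATTERNS = [
    ("GPP cpassword attribute", re.compile(r'cpassword="[^"]+"', re.I)),
    ("net user with inline password", re.compile(r"\bnet\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("net use with inline password", re.compile(r"\bnet\s+use\b.*?/user:\S+\s+\S+", re.I)),
    ("plaintext password assignment", re.compile(r"\bpassword\s*[=:]\s*\S+", re.I)),
    ("PowerShell plaintext secure string", re.compile(r"ConvertTo-SecureString.*-AsPlainText", re.I)),
]

BROAD_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users",
                    "Everyone", "BUILTIN\\Users"}
SCRIPT_SUFFIXES = {".bat", ".cmd", ".ps1", ".vbs", ".xml", ".ini", ".txt"}


def scan_file(path, content, writable_by):
    """Return findings for one file: embedded secrets or a broadly writable MSI."""
    findings = []
    suffix = PureWindowsPath(path).suffix.lower()
    if suffix in SCRIPT_SUFFIXES:
        for kind, pattern in SECRET_PATTERNS:
            if pattern.search(content):
                findings.append({"path": path, "kind": kind})
    if suffix == ".msi":
        broad = BROAD_PRINCIPALS & set(writable_by)
        if broad:
            findings.append({"path": path, "kind": f"MSI writable by {sorted(broad)}"})
    return findings


def scan_sysvol(files=SAMPLE_SYSVOL):
    findings = []
    for path, (content, writable_by) in files.items():
        findings.extend(scan_file(path, content, writable_by))
    return findings


if __name__ == "__main__":
    for f in scan_sysvol():
        print(f"{f['kind']}: {f['path']}")
```

A hit on a cpassword attribute means the preference item should be deleted and the account's password rotated; a writable MSI should have its ACL tightened and its hash compared against the vendor release before the next policy refresh.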
Lateral movement
Lateral movement I
The team discovered that PsExec-style service creation could be used for lateral movement.
Lateral movement II
It was also evident that PSRemoting was possible and is not covered by adequate monitoring.
Lateral movement III
As a domain admin, GPO immediate task creation could also be used for access and lateral movement.
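All three lateral movement techniques above leave a Windows event behind: a remote service install logs System 7045, an inbound PowerShell Remoting session starts wsmprovhost.exe (Security 4688), and editing a GPO to add an immediate task modifies the groupPolicyContainer object (Security 5136, which needs the Directory Service Changes audit subcategory and a SACL on the policy containers). The detector below is an added example (not Tenendo's tooling) run over constructed event records; hostnames, user names, the GPO GUID and the allow-listed editor account are placeholders.

```python
"""Flag the three lateral movement techniques above in Windows event records.

Added example, not Tenendo's tooling. Events are constructed dicts with the
field names of the real events: System 7045 (service installed), Security
4688 (process created) and Security 5136 (directory service object modified).
Hostnames, users and the GPO GUID are placeholders.
"""
from pathlib import PureWindowsPath

# Constructed sample events (assumption: exported from a SIEM as flat records).
SAMPLE_EVENTS = [
    {"log": "System", "id": 7045, "host": "WS01", "AccountName": "LocalSystem",
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"log": "System", "id": 7045, "host": "WS01", "AccountName": "LocalSystem",
     "ServiceName": "Sense",
     "ImagePath": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"},
    {"log": "Security", "id": 4688, "host": "SRV02", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\wsmprovhost.exe",
     "ParentProcessName": r"C:\Windows\System32\svchost.exe"},
    {"log": "Security", "id": 4688, "host": "SRV02", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"log": "Security", "id": 5136, "host": "DC01", "SubjectUserName": "jdoe",
     "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={00000000-0000-0000-0000-000000000001},CN=Policies,CN=System,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames"},
    {"log": "Security", "id": 5136, "host": "DC01", "SubjectUserName": "hr.admin",
     "ObjectClass": "user", "ObjectDN": "CN=asmith,OU=Staff,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "department"},
]

# Accounts expected to edit GPOs; anything else touching a GPO is worth a look.
# Assumption: replace with the organisation's real GPO change process accounts.
GPO_EDITORS = {"gpo.svc"}


def detect_service_push(ev):
    """7045: PsExec-style remote service install (PSEXESVC or share-hosted binary)."""
    if ev.get("id") != 7045:
        return None
    name, image = ev.get("ServiceName", ""), ev.get("ImagePath", "")
    if "psexesvc" in name.lower() or "psexesvc" in image.lower() or image.startswith("\\\\"):
        return {"technique": "remote service creation", "host": ev["host"],
                "subject": ev.get("AccountName"), "detail": f"{name} -> {image}"}
    return None


def detect_psremoting(ev):
    """4688: wsmprovhost.exe is the host process of an inbound PowerShell Remoting session."""
    if ev.get("id") != 4688:
        return None
    if PureWindowsPath(ev.get("NewProcessName", "")).name.lower() == "wsmprovhost.exe":
        return {"technique": "PowerShell Remoting session", "host": ev["host"],
                "subject": ev.get("SubjectUserName"), "detail": ev["NewProcessName"]}
    return None


def detect_gpo_change(ev):
    """5136 on a groupPolicyContainer: GPO edit, e.g. an immediate scheduled task being added."""
    if ev.get("id") != 5136 or ev.get("ObjectClass") != "groupPolicyContainer":
        return None
    if ev.get("SubjectUserName") in GPO_EDITORS:
        return None
    return {"technique": "GPO modification", "host": ev["host"],
            "subject": ev.get("SubjectUserName"),
            "detail": f"{ev.get('AttributeLDAPDisplayName')} on {ev.get('ObjectDN')}"}


DETECTORS = (detect_service_push, detect_psremoting, detect_gpo_change)


def detect(events=SAMPLE_EVENTS):
    alerts = []
    for ev in events:
        for detector in DETECTORS:
            alert = detector(ev)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect():
        print(f"[{a['technique']}] {a['host']} by {a['subject']}: {a['detail']}")
```

The 7045 rule also catches renamed PsExec clones only when they keep the service binary on an admin share, so pairing it with a baseline of expected service names per host is the practical next step.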
Credential gathering
Credential gathering I
A DCSync attack was performed, and it was noted that no mitigation or prevention of domain replication requests from arbitrary domain-joined PCs was implemented.
Credential gathering II
The DPAPI backup key was dumped and used to steal stored authentication, saved logins and sessions.
Credential gathering III
It was also observed that LSASS protections are absent, which could be abused for credential stealing.
Credential gathering IV
Insecure password storage was present on some PCs, allowing for easy credential access.
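A DCSync request is a directory replication call, so on the domain controller it surfaces as Security event 4662 with the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All control access rights on the domain object. The detector below is an added example (not Tenendo's tooling): it flags such requests from any account that is not a known replicator. Events are constructed records with the 4662 field names; the domain, hosts, users and the allow-listed sync account are placeholders.

```python
"""Detect DCSync-style replication requests in Security event 4662 records.

Added example, not Tenendo's tooling. Legitimate requesters of the
replication control access rights are domain controllers (and a few known
sync accounts). Events below are constructed dicts with the 4662 field names;
hosts, users and the domain are placeholders.
"""
import re

# Control access right GUIDs carried in the Properties field of 4662.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}
ACCESS_CONTROL_ACCESS = 0x100  # AccessMask bit for "Control Access"

# Accounts allowed to replicate. Assumption: DC computer accounts of this
# domain plus a directory-sync service account; adjust to the real estate.
ALLOWED_REPLICATORS = {"DC01$", "DC02$", "svc_dirsync"}

GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Constructed sample events; the third carries a placeholder attribute GUID.
SAMPLE_EVENTS = [
    {"id": 4662, "host": "DC01", "SubjectUserName": "DC02$", "SubjectDomainName": "CORP",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",  # domainDNS
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"id": 4662, "host": "DC01", "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"id": 4662, "host": "DC01", "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}",  # user
     "AccessMask": "0x10",
     "Properties": "{00000000-0000-0000-0000-00000000aaaa}"},  # placeholder, ordinary read
]


def replication_rights(ev):
    """Return the set of replication control-access GUIDs requested in a 4662 event."""
    if ev.get("id") != 4662:
        return set()
    if int(ev.get("AccessMask", "0"), 16) & ACCESS_CONTROL_ACCESS == 0:
        return set()
    guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
    return guids & REPLICATION_GUIDS


def detect_dcsync(events=SAMPLE_EVENTS, allowed=ALLOWED_REPLICATORS):
    alerts = []
    for ev in events:
        rights = replication_rights(ev)
        if not rights:
            continue
        subject = ev.get("SubjectUserName", "")
        if subject in allowed:
            continue  # a DC replicating from a DC: expected
        alerts.append({
            "host": ev["host"],
            "subject": f"{ev.get('SubjectDomainName')}\\{subject}",
            "rights": sorted(rights),
            "severity": "critical" if DS_REPLICATION_GET_CHANGES_ALL in rights else "high",
        })
    return alerts


if __name__ == "__main__":
    for a in detect_dcsync():
        print(f"{a['severity']}: {a['subject']} requested {a['rights']} on {a['host']}")
```

The allow-list is the prevention side of the same finding: the replication rights should be granted only to the accounts in it, which is the ACL review this detection complements.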
Impact
After elevated access to domain-joined PCs was obtained, the possible infrastructure impact was demonstrated with lateral movement to Azure using the Pass-the-Cookie attack.
Conclusion
The adversary simulation activity helped the client identify and remediate multiple issues and vulnerabilities in the on-premises infrastructure, calculate potential risks, and improve the overall security posture. Each finding also included proposed solutions for applying industry-standard defences.