Case Studies

Internal Adversary Simulation Case

The adversary simulation activity helped the client identify and remediate multiple issues with the on-premise infrastructure and vulnerabilities, calculate potential risks, and improve the overall security posture. Each finding also included proposed solutions for applying industry-standard defences.

schedule a call

The challenge

The team was tasked to perform an internal adversary simulation of an undisclosed worldwide FinTech company. The penetration test was conducted against the internal office infrastructure, with access provided by the client. The assessment was driven in a manner that simulated a malicious individual who has access to the client's internal network via several different techniques.

The solution

The team was able to lay out and demonstrate several attack paths that may be used to elevate initial access to administrative access in the production infrastructure. Several initial access methods were also demonstrated and verified.

How we did it

The simulation was staged onsite at the Client’s premises, which allowed for physical attacks to take place.

The penetration testing team obtained complete access to the Customer’s office domain, network access to processing segments, SSH credentials to critical servers, database passwords and access to critical Web applications.

The Attack Lifecycle

Initial Access I

It was evident that there were wired network ports available. It was demonstrated how the attacker would directly gain access to the internal network, inspect broadcast traffic for initial information gathering, and conduct network-level attacks.

Initial Access II

It was discovered that there were corporate wireless networks with WPA-EAP authentication. Therefore, an Evil Twin attack was conducted.

Initial Access III

The domain endpoint configuration was proven to be vulnerable to keystroke injection attacks due to missing HID filtering and USB monitoring.

Initial Access IV

Phishing was also thoroughly explored as an initial access vector due to MS Word being in use.

Defense Evasion

The team discovered that network filtering or whitelisting was completely missing for the internal infrastructure. Custom techniques, tools and specifically crafted payloads were used to bypass execution restrictions and establish C&C.

Privilege escalation

Although local privilege escalation was not required for the attack path, the team discovered that DLL hijacking could potentially be leveraged for that.

Persistence

To demonstrate the lack of user-level persistence monitoring, several simple persistence approaches were used.

Reconnaissance

Active Directory enumeration was done by LDAPS relaying and BloodHound. Aside from vulnerabilities used in the kill chain, several AD misconfigurations and vulnerabilities were discovered, but not actively exploited during the engagement. The team also enumerated GPOs and performed advanced network reconnaissance.

Domain privilege escalation I

A misconfigured certificate template, suitable to be used for authentication, was discovered and exploited. As a result, domain admin TGT was obtained.

Domain privilege escalation II

Another approach to obtaining domain administrator was forced authentication + ADCS relay abuse for domain controllers.

Domain privilege escalation III

NTLM hash stealing could be abused on public shares with a relay to elevate domain privileges.

Domain privilege escalation IV

Two possible paths of GPO abuse were discovered. Either obtaining a local administrator password through sensitive information disclosure in GPO scripts, or by backdooring writable MSI files.

Lateral movement I

The team discovered that PSExec service creation could be used for lateral movement.

Lateral movement II

It was also evident that PSRemoting could be possible and is not covered by adequate monitoring.

Lateral movement III

As a domain admin, GPO immediate task creation could also be used for access and lateral movement.

Credential gathering I

DCSync attack was performed and it was noted that no mitigation or prevention techniques of domain synchronization from arbitrary domain-joined PCs are implemented.

Credential gathering II

The DPAPI backup key was dumped and used to steal stored authentication, saved logins and sessions.

Credential gathering III

It was also observed that LSASS protections are absent and this could be abused for credential stealing.

Credential gathering IV

Insecure password storage was present on some PCs, allowing for easy credential access.

Impact

After elevated access to domain-joined PCs was obtained, the possible infrastructure impact was demonstrated with lateral movement to Azure using the Pass-the-Cookie attack.

Conclusion

Your Cyber Resiliency is Our Passion