How we did it

The simulation was staged onsite at the Client’s premises, which allowed for physical attacks to take place.

The penetration testing team obtained complete access to the Customer’s office domain, network access to processing segments, SSH credentials to critical servers, database passwords and access to critical Web applications.

The Attack Lifecycle

Initial Access

Initial Access I

It was evident that wired network ports were available. The team demonstrated how an attacker would directly gain access to the internal network, inspect broadcast traffic for initial information gathering, and conduct network-level attacks.

Initial Access II

It was discovered that there were corporate wireless networks with WPA-EAP authentication. Therefore, an Evil Twin attack was conducted.

Although the team evaded monitoring in some cases, the endpoint configuration was deemed sufficiently secure against Evil Twin attacks; the only vulnerable devices were those not configured by the domain policy.

Initial Access III

The domain endpoint configuration was proven to be vulnerable to keystroke injection attacks due to missing HID filtering and USB monitoring.

Initial Access IV

Phishing was also thoroughly explored as an initial access vector because MS Word was in use.

For phishing pages, the Modlishka MitM proxying approach was used. The emails sent were designed to resemble current threat actor campaigns as closely as possible. It later became evident that employee training is on par with security recommendations; however, mail misconfigurations that allowed phishing were present.

Defense Evasion

The team discovered that network filtering or whitelisting was completely missing for the internal infrastructure. Custom techniques, tools and specifically crafted payloads were used to bypass execution restrictions and establish command and control (C&C).

Privilege escalation

Although local privilege escalation was not required for the attack path, the team discovered that DLL hijacking could potentially be leveraged for that.

Persistence

To demonstrate the lack of user-level persistence monitoring, several simple persistence approaches were used.

Reconnaissance

Active Directory enumeration was performed via LDAPS relaying and with BloodHound. Aside from the vulnerabilities used in the kill chain, several AD misconfigurations and vulnerabilities were discovered but not actively exploited during the engagement. The team also enumerated GPOs and performed advanced network reconnaissance.

Domain privilege escalation

Domain privilege escalation I

A misconfigured certificate template, usable for authentication, was discovered and exploited. As a result, a domain admin TGT was obtained.

Domain privilege escalation II

Another approach to obtaining domain administrator privileges was forced authentication combined with ADCS relay abuse against domain controllers.

Domain privilege escalation III

NTLM hash theft via public shares, combined with a relay, could be abused to elevate domain privileges.

Domain privilege escalation IV

Two possible paths of GPO abuse were discovered: obtaining a local administrator password through sensitive information disclosed in GPO scripts, or backdooring writable MSI files.

Lateral movement

Lateral movement I

The team discovered that PsExec-style service creation could be used for lateral movement.

Lateral movement II

It was also evident that PSRemoting was possible and was not covered by adequate monitoring.

Lateral movement III

As a domain admin, GPO immediate task creation could also be used for access and lateral movement.

Credential gathering

Credential gathering I

A DCSync attack was performed, and it was noted that no mitigation or prevention of domain replication from arbitrary domain-joined PCs was implemented.
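The monitoring gap noted above can be closed with a simple detection rule: directory replication rights requested by any principal other than a domain controller. The following is an added example (not part of the engagement report or any tool the team used) that runs that check over constructed Windows Security Event ID 4662 records; the DC machine account names and the sync account are assumed values.

```python
"""Detection sketch for DCSync-style replication requests from non-DC principals.

Input is a list of Windows Security Event ID 4662 records already flattened
to dicts (assumption: this is the shape a SIEM forwarder hands over).
"""

# Control-access right GUIDs that appear in the 4662 'Properties' field when a
# principal requests directory replication (the rights a DCSync relies on).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Principals that legitimately replicate: the domain controllers' machine
# accounts and a directory sync account (constructed names, assumption).
ALLOWED_REPLICATORS = {"DC01$", "DC02$", "MSOL_a1b2c3d4"}

# Constructed sample events; real exports carry many more fields.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jsmith", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jsmith", "AccessMask": "0x10",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "SubjectUserName": "jsmith"},
]


def replication_rights(event):
    """Return the replication rights named in a 4662 event (0x100 = control access)."""
    if event.get("EventID") != 4662 or event.get("AccessMask") != "0x100":
        return []
    props = event.get("Properties", "").lower()
    return sorted(name for guid, name in REPLICATION_RIGHTS.items() if guid in props)


def find_dcsync_candidates(events, allowed=ALLOWED_REPLICATORS):
    """Pair each non-allow-listed replicator with the rights it requested."""
    hits = []
    for ev in events:
        rights = replication_rights(ev)
        if rights and ev.get("SubjectUserName") not in allowed:
            hits.append((ev["SubjectUserName"], rights))
    return hits


if __name__ == "__main__":
    for user, rights in find_dcsync_candidates(SAMPLE_EVENTS):
        print(f"ALERT: {user} requested {', '.join(rights)}")
```

In production the allow-list should be derived from the Domain Controllers OU rather than hard-coded, and the alert should carry the source host so the workstation issuing the request can be isolated.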

Credential gathering II

The DPAPI backup key was dumped and used to steal stored authentication, saved logins and sessions.

Credential gathering III

It was also observed that LSASS protections were absent, which could be abused for credential theft.

Credential gathering IV

Insecure password storage was present on some PCs, allowing for easy credential access.

Impact

After elevated access to domain-joined PCs was obtained, the possible infrastructure impact was demonstrated with lateral movement to Azure using the Pass-the-Cookie attack.

Conclusion

The adversary simulation activity helped the client identify and remediate multiple issues and vulnerabilities in the on-premises infrastructure, assess potential risks, and improve the overall security posture. Each finding also included proposed solutions for applying industry-standard defences.