Internal adversary simulation

The adversary simulation activity allowed the security team to demonstrate a complete compromise path while not using any usual, “exploitable” vulnerabilities.

The challenge

The penetration testing team was hired to perform an internal adversary simulation assessment for an undisclosed financial institution. The end goal of the test was to obtain network access and valid application authentication credentials to the internal protected processing segment. It should be noted that generic quarterly infrastructure penetration tests had been performed by a third-party team, and the Client had mitigated the vulnerabilities detailed in the previous penetration test reports.

The solution

The simulation was staged onsite at the Client’s premises, which allowed for physical attacks to take place.

The penetration testing team obtained complete access to the Customer’s office domain, network access to processing segments, SSH credentials to critical servers, database passwords, and access to critical Web applications.

The Attack Lifecycle

Initial Access

The scenario assumed the attacker has office employee-level access. However, it was still deemed necessary to outline initial attack vectors for an outside attacker. Proof-of-Concept initial access attacks were developed and tested, including:

  • Wireless Evil Twin attacks.
  • USB keystroke injection attacks.
  • Abusing NLA with internal network and service RCE vulnerabilities for initial domain access.
  • Social engineering.

Local Privilege Escalation

Service misconfigurations were abused for LPE.

Command, Control, and Network filter evasion

EDR bypass and network filtering bypass techniques were developed and used to establish Command and Control.

Domain privilege escalation

Kerberoasting and password spraying were used to elevate domain privileges.
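Both techniques named above leave a recognisable trace in domain controller logs, which is the detection gap the conclusion of this case study points at. The following is an added example, not code from the engagement or from Tenendo: the simplified one-line log format, the sample events, and the thresholds (3 distinct SPNs in 5 minutes, 5 distinct accounts in 10 minutes) are all constructed assumptions, while the event IDs (4769 service ticket request, 4625 failed logon) and the RC4 encryption type values are the standard Windows ones.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events in a simplified "timestamp|event_id|k=v;..." form (not the real EVTX layout).
SAMPLE_LOG = """\
2024-05-02T09:00:01|4769|account=jdoe@CORP.LOCAL;service=MSSQLSvc/db01.corp.local;etype=0x17;ip=10.0.5.21
2024-05-02T09:00:02|4769|account=jdoe@CORP.LOCAL;service=HTTP/intranet.corp.local;etype=0x17;ip=10.0.5.21
2024-05-02T09:00:02|4769|account=jdoe@CORP.LOCAL;service=CIFS/fs02.corp.local;etype=0x17;ip=10.0.5.21
2024-05-02T09:00:03|4769|account=jdoe@CORP.LOCAL;service=krbtgt/CORP.LOCAL;etype=0x12;ip=10.0.5.21
2024-05-02T09:01:10|4769|account=asmith@CORP.LOCAL;service=CIFS/fs02.corp.local;etype=0x12;ip=10.0.5.40
2024-05-02T09:10:00|4625|account=asmith;ip=10.0.5.21
2024-05-02T09:10:01|4625|account=bjones;ip=10.0.5.21
2024-05-02T09:10:02|4625|account=cwhite;ip=10.0.5.21
2024-05-02T09:10:03|4625|account=dgreen;ip=10.0.5.21
2024-05-02T09:10:04|4625|account=efox;ip=10.0.5.21
2024-05-02T09:30:00|4625|account=asmith;ip=10.0.5.40
"""

RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC ticket encryption types, the legacy types a Kerberoast request asks for

def parse(log):
    events = []
    for line in log.strip().splitlines():
        ts, eid, fields = line.split("|", 2)
        e = dict(f.split("=", 1) for f in fields.split(";"))
        e.update(ts=datetime.fromisoformat(ts), event_id=eid)
        events.append(e)
    return events

def burst(events, key, value, min_distinct, window):
    """Map key -> sorted distinct values for keys whose events reach min_distinct distinct values within window."""
    groups = defaultdict(list)
    for e in events:
        groups[e[key]].append(e)
    hits = {}
    for k, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):  # sliding window anchored at each event
            seen = {e[value] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(seen) >= min_distinct:
                hits[k] = sorted(seen)
                break
    return hits

def detect_kerberoasting(events, min_spns=3, window=timedelta(minutes=5)):
    # One account requesting RC4 service tickets for many distinct SPNs; TGT (krbtgt) requests are excluded.
    rc4 = [e for e in events if e["event_id"] == "4769" and e["etype"] in RC4_ETYPES
           and not e["service"].startswith("krbtgt/")]
    return burst(rc4, "account", "service", min_spns, window)

def detect_password_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    # One source IP failing logons for many distinct accounts in a short window.
    return burst([e for e in events if e["event_id"] == "4625"], "ip", "account", min_accounts, window)
```

Thresholds need tuning per environment: service accounts that legitimately hold many SPNs, and helpdesk hosts that generate failed logons for many users, are the usual sources of noise.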

Credential access

Keystroke logging and credential dumping were used to obtain credentials for a segmented domain, where transfer processing servers reside.

Lateral movement

With the credentials available, RDP, combined with the previously established C2 and EDR evasion techniques, was used to gain access to the segmented infrastructure.

Segmented network enumeration

Once network access to the processing segment was obtained, the penetration testing team performed password hunting and service enumeration activities on the terminal virtual hosts.

Credential hunting

An open share was discovered, containing employee manuals for processing operators. Alongside these manuals were unencrypted, unprotected text files left behind by previous and current employees, holding their authentication credentials. These gave the security team complete access to both the testing and production environments and databases.

Impact

At this point, by agreement with the Customer, the adversary simulation activity was considered complete, so as not to accidentally disrupt the normal workflow of the infrastructure.

Conclusion

The adversary simulation activity allowed the security team to demonstrate a complete compromise path while not using any usual, “exploitable” vulnerabilities. Instead, the attackers relied on the human factor, weak password policies and password reuse, service and Active Directory misconfiguration, and weak segmentation measures to achieve the goal. Also, flaws in threat detection and response, endpoint protection, wireless protection, and security policies were discovered, something that is usually out-of-scope for an infrastructure penetration test.

Despite having mitigated all vulnerabilities discovered by the third-party company, the Client remained vulnerable to attacks and methods that a penetration test does not cover. Adversary simulation, in this case, offered a completely different viewpoint on the Client's security infrastructure, which allows the threat of a similar real-world attack to be prevented in the future.
