Case Study
Setting the Scene
Most organizations believe their security program is effective — until they find out the hard way that it isn't.
This interactive case study depicts what happened when Mandiant red teamers executed a real-world attack scenario against a Fortune 500 financial organization's Human Resources department. It walks through what they did, step by step, across the attack lifecycle.
Initial Reconnaissance
Mandiant red teamers performed both passive and active reconnaissance to discover the client organization's externally available systems and employee names and roles. A job application portal was discovered where resumes could be submitted.
Initial Compromise
Resumes containing malicious code were submitted to the client's job application portal. HR staff opened the resumes and enabled content, giving Mandiant remote access to HR user workstations and an initial foothold in the client's network.
Establish Foothold
Red teamers obtained a Cobalt Strike beacon on the HR user's machine after content was enabled in the malicious resume, giving Mandiant an initial foothold in the client's network.
Escalate Privileges
Mandiant found and used an unquoted service path on the user's compromised system to perform local privilege escalation (LPE). The administrative access obtained through LPE allowed Mandiant to acquire credentials residing in memory on the compromised system.
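As an added defensive example (not tooling from the Mandiant engagement), the following PowerShell audit finds services on a host whose unquoted image path contains spaces, the weakness used above for LPE, and produces the quoted ImagePath value to restore; the function names are my own.

```powershell
# Added example, not Mandiant's code: audit a Windows host for services whose
# image path is unquoted and contains spaces, then optionally quote them.
# Assumes an elevated PowerShell session on the host being audited.

function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = ([string]$_.PathName).Trim()
        if (-not $path -or $path.StartsWith('"')) { return }   # empty or already quoted

        # Separate the executable from its arguments: everything up to the first ".exe".
        $m = [regex]::Match($path, '^(?<exe>.*?\.exe)(?<args>.*)$', 'IgnoreCase')
        if (-not $m.Success) { return }
        $exe = $m.Groups['exe'].Value
        if ($exe -notmatch '\s') { return }                     # no space, no ambiguity

        # Windows resolves an unquoted path by trying each space-delimited prefix,
        # so a binary written to a writable directory along the path would be
        # started as the service account. Report the finding and a quoted fix.
        [pscustomobject]@{
            Name      = $_.Name
            StartMode = $_.StartMode
            RunAs     = $_.StartName
            ImagePath = $path
            FixedPath = '"' + $exe + '"' + $m.Groups['args'].Value
        }
    }
}

function Repair-UnquotedServicePath {
    # Writes the quoted path back to the service's ImagePath registry value
    # (equivalent to "sc.exe config <name> binPath=" with a quoted path).
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Finding)
    process {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($Finding.Name)"
        Set-ItemProperty -Path $key -Name ImagePath -Value $Finding.FixedPath
        Write-Verbose "Quoted ImagePath for service $($Finding.Name)"
    }
}

# Usage: review the findings first, then remediate.
$findings = Get-UnquotedServicePath
$findings | Format-Table Name, RunAs, StartMode, ImagePath -AutoSize
# $findings | Repair-UnquotedServicePath -Verbose
```

Services reported with RunAs of LocalSystem and a user-writable directory in their path are the ones to prioritise; the LAPS and credential-hygiene controls later in the case study limit what an attacker gains from the resulting admin access.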
Internal Reconnaissance
Red teamers queried the client's Active Directory for user data, computers and groups. Mandiant observed that systems were not managed by Microsoft LAPS (Local Administrator Password Solution), which assigns a unique local administrator password to each system in an environment.
Move Laterally
Red teamers executed password sprays against systems not managed by Microsoft LAPS. Password reuse between local administrator accounts is common unless Microsoft LAPS (or a similar solution) provides a unique password for each system; two hosts sharing the same credentials were found.
Then, using access to one of the identified hosts, a "printer bug" attack coerced the domain controller into authenticating to that system, where Mandiant captured the Kerberos Ticket Granting Ticket (TGT).
This allowed Mandiant to perform a DCSync attack, which retrieved the NTLM password hashes of all domain admins in Active Directory.
Attack lifecycle: Initial Reconnaissance, Initial Compromise, Establish Foothold, Escalate Privileges, Internal Reconnaissance, Move Laterally, Maintain Presence, Complete Mission.
Maintain Presence
Mandiant installed malware for re-entry into the client's network using SharPersist, through two persistence mechanisms:
Startup folders – Mandiant added a specially crafted LNK file to the startup folder of compromised users.
Windows registry – Mandiant added registry entries that serve as persistence triggers on compromised user workstations.
This stage of the attack lifecycle also includes additional steps for maintaining presence or exfiltrating data.
Completing the Mission
Mandiant red teamers used Domain Admin privileges to perform a DCSync attack and obtain the executive team's password hashes, which led to cracking three executive team members' passwords.
Red teamers used one of the cracked passwords to access that executive's workstation, which gave them access to the executive's email account.
Located Jump Hosts
A jump host is a system that acts as a bridge and gatekeeper between a corporate network and a sensitive network.
Red teamers found corporate jump hosts that acted as the bridge and gatekeeper through which Mandiant could access the client's sensitive production network.
Red teamers used Domain Admin privileges to query which users had recently accessed the jump hosts.
A DCSync attack was performed for one of the target employees who had recently accessed the jump hosts.
This employee's password was cracked, giving red teamers the ability to copy a payload to a corporate file share that was reachable from the jump host.
Mandiant connected to the jump host over the Remote Desktop Protocol (RDP); because the jump host had MFA enabled, this generated a Duo Push request to the employee, who accepted it.
Mandiant executed the payload residing on the corporate file share, obtaining a Cobalt Strike beacon on the jump host, through which Mandiant pivoted into the client's sensitive production network.
Strategic Recommendations for the Client
Strengthen the password policy through minimum password length and complexity requirements.
Introduce segmentation of systems through firewall access control lists.
Create social engineering awareness through regular phishing and vishing training, including "resume caution" scenarios for HR personnel.
Engage Mandiant again in 12 months to validate the new security implementations.
Mandiant Red Teaming: Uncovering Modern Attack Paths
Mandiant knows more about cyber threats than anyone
1,000+ engagements in 2020
Machine Intelligence: 15,000 network sensors; 18M endpoints; tens of millions of malware detonations per hour; 65M emails processed per day
Adversary Intelligence: 23 countries; 30+ languages; 180+ analysts and researchers; 30K intel reports per year
200K hours responding to attacks per year
Operational Intelligence: 4 Security Operations Centers; 99M+ events ingested; 21M+ alerts validated by Intel
Breach Intelligence: 15+ years of investigative expertise; 20+ countries with consultants; 400+ Red Team exercises per year
