Setting the Scene
Most organizations believe their security program is effective, until they find out the hard way that it isn't.
This interactive case study depicts what happened when Mandiant red teamers executed a real-world attack scenario against the Human Resources department of a Fortune 500 financial organization.
Mandiant red teamers performed both passive and active recon to discover externally available systems and employee names/roles from the client organization.
A job application portal was discovered where resumes could be submitted.
Resumes containing malicious code were submitted to the client’s job application portal.
HR staff opened the resumes and enabled the embedded content, which gave Mandiant a Cobalt Strike beacon on the HR user's workstation: remote access to that machine and an initial foothold in the client's network.
Mandiant found and used an unquoted service path on the user’s compromised system to perform local privilege escalation (LPE).
Administrative access obtained by LPE allowed Mandiant to acquire credentials residing in memory on the compromised system.
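The unquoted service path abused above is a configuration defect defenders can find before a red team does. The following PowerShell audit is an added example, not Mandiant's tooling or the client's code; it lists every service whose unquoted binary path contains a space and reports which of the intermediate "hijack" directories (the paths the service control manager tries first) grant write access to broad groups. Function names are the author's own.

```powershell
function Test-BroadWriteAccess {
    # True when Everyone, Users or Authenticated Users may create or modify files in $Path.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broad -notcontains $ace.IdentityReference.Value) { continue }
        if ("$($ace.FileSystemRights)" -match 'Write|CreateFiles|Modify|FullControl') { return $true }
    }
    return $false
}

function Get-UnquotedServicePath {
    # Reads service ImagePath values straight from the registry (run elevated for full coverage).
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        $imagePath = [string]$props.ImagePath
        if (-not $imagePath -or $imagePath.TrimStart().StartsWith('"')) { continue }
        # The binary is everything up to and including ".exe"; anything after is arguments.
        $m = [regex]::Match($imagePath, '^(.*?\.exe)', 'IgnoreCase')
        $exePath = if ($m.Success) { $m.Groups[1].Value } else { $imagePath }
        if ($exePath -notmatch '\s') { continue }
        # The service control manager tries each space-delimited prefix first, e.g.
        # C:\Program.exe, then C:\Program Files\My.exe, for "C:\Program Files\My App\svc.exe".
        $parts = $exePath.Trim() -split '\s+'
        $hijackDirs = for ($i = 1; $i -lt $parts.Count; $i++) {
            Split-Path -Path (($parts[0..($i - 1)] -join ' ') + '.exe') -Parent
        }
        [PSCustomObject]@{
            Service      = $key.PSChildName
            RunsAs       = $props.ObjectName
            ImagePath    = $imagePath
            WritableDirs = @($hijackDirs | Sort-Object -Unique | Where-Object { Test-BroadWriteAccess $_ })
        }
    }
}

# Services with a non-empty WritableDirs list are the ones to fix first (quote the path in the
# service configuration, or tighten the directory ACL).
Get-UnquotedServicePath | Sort-Object { $_.WritableDirs.Count } -Descending | Format-Table -AutoSize
```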
Red teamers queried the client’s Active Directory to find user data, computers and groups.
Mandiant observed that systems were not managed by Microsoft LAPS, which is a solution that provides unique administrative passwords for each system in an environment.
Red teamers executed password sprays against systems not managed by Microsoft LAPS. Password reuse between these local admin accounts is common, unless Microsoft LAPS (or similar) is used to provide unique passwords for each system. Two hosts using the same credentials were found.
Then, using access to one of the identified hosts, a "printer bug" attack coerced the domain controller into authenticating to that system, where Mandiant captured the Kerberos Ticket Granting Ticket (TGT).
This allowed Mandiant to perform a DCSync attack, which then enabled retrieval of all NTLM password hashes for domain admins in the Active Directory.
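DCSync leaves a distinctive trace on the domain controller: a directory replication request coming from something that is not a domain controller's machine account. The script below is an added example (not part of the case study or Mandiant's tooling) that hunts for that pattern in Security Event ID 4662; it assumes the "Audit Directory Service Access" subcategory is enabled on the DC, and the two GUIDs are the well-known extended rights DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.

```powershell
# Control access rights a replication (and therefore a DCSync) request asks for.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}

function Find-DCSyncEvent {
    # Scans Event ID 4662 on a domain controller for replication rights requested by
    # anything other than a machine account (real DCs replicate as DC01$ and similar).
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = $Since }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($evt in $events) {
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $props = [string]$data['Properties']
        # Properties lists the requested rights as {guid} tokens; keep the replication ones.
        $hits = @($ReplicationRights.Keys | Where-Object { $props -match [regex]::Escape($_) } |
                  ForEach-Object { $ReplicationRights[$_] })
        if ($hits.Count -eq 0) { continue }
        $subject = [string]$data['SubjectUserName']
        if ($subject.EndsWith('$')) { continue }   # machine account: normal DC-to-DC replication
        [PSCustomObject]@{
            Time     = $evt.TimeCreated
            Subject  = "$($data['SubjectDomainName'])\$subject"
            Rights   = ($hits -join ', ')
            ObjectDN = $data['ObjectName']
        }
    }
}

# Run on (or against) a DC for the last day; any row is worth an immediate look,
# since legitimate user accounts have no reason to request replication rights.
Find-DCSyncEvent | Format-Table -AutoSize
```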
Mandiant used SharPersist to install persistence mechanisms that allowed re-entry into the client's network.
Startup folders – Mandiant added a specially crafted LNK file in the startup folder of compromised users.
Windows registry – Mandiant added Windows registry entries that can be used as persistence triggers on compromised user workstations.
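Both persistence locations named above (Startup folder shortcuts and Run-key registry entries) can be enumerated across every profile on a host. The PowerShell below is an added example written for this page, not Mandiant's or the client's code; it resolves each Startup-folder LNK to its real target and lists machine and per-user Run/RunOnce values so unexpected entries stand out during an investigation.

```powershell
function Get-StartupFolderLnk {
    # Resolves every .lnk in the machine-wide and per-profile Startup folders to its real target.
    $shell   = New-Object -ComObject WScript.Shell
    $folders = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp")
    $folders += Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }
    foreach ($folder in $folders) {
        foreach ($lnk in Get-ChildItem -Path $folder -Filter *.lnk -ErrorAction SilentlyContinue) {
            $sc = $shell.CreateShortcut($lnk.FullName)
            [PSCustomObject]@{
                Source    = 'StartupFolder'
                Location  = $lnk.FullName
                Target    = $sc.TargetPath
                Arguments = $sc.Arguments
                Modified  = $lnk.LastWriteTime
            }
        }
    }
}

function Get-RunKeyEntry {
    # Lists Run/RunOnce values for the machine and for every loaded user hive under HKEY_USERS.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    $keys += Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue |
        ForEach-Object { "HKU:\$($_.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" }
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata (PSPath etc.), not a Run value
            [PSCustomObject]@{ Source = 'RunKey'; Location = "$key\$($p.Name)"; Target = [string]$p.Value; Arguments = ''; Modified = $null }
        }
    }
}

# Combined view; compare Target values against a known-good baseline for the host.
@(Get-StartupFolderLnk) + @(Get-RunKeyEntry) | Format-Table -AutoSize
```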
This stage of the attack lifecycle includes additional steps meant for maintaining presence or exfiltrating data.
Completing the Mission
Mandiant red teamers used Domain Admin privileges to perform a DCSync attack to obtain the executive team's password hashes. This led to cracking three executive team
Red teamers used one of the cracked executives' passwords to access that executive's workstation, which in turn gave them access to the executive's email account.
Jumphost: a system that acts as a bridge/gatekeeper between a corporate network and a sensitive network.
Red teamers found corporate jumphosts which acted as the bridge/gatekeeper for Mandiant to access the client's sensitive production network.
Red teamers used Domain Admin privileges to query which users recently accessed the jumphosts.
A DCSync attack was performed for one of the target employees who recently accessed the jumphosts.
This employee's password was cracked, giving red teamers the ability to copy a payload to a corporate file share that was reachable from the jumphost.
Mandiant connected to the jumphost via the Remote Desktop Protocol (RDP). Because the jumphost had MFA enabled, the logon generated a Duo Push request, which the targeted user accepted.
Mandiant executed the payload that resided on the corporate file share, providing a Cobalt Strike beacon on the jumphost used to pivot into the sensitive production network.
Mandiant accessed the client’s sensitive production network by pivoting through a jumphost.
Strategic Recommendations for Client
- Strengthen their password policy through minimum password length and complexity requirements.
- Introduce segmentation of systems through firewall access control lists.
- Create social engineering awareness through regular phishing and vishing education training, including "resume caution" scenarios for HR personnel.
- Engage with Mandiant again in 12 months to validate their new security implementations.
Mandiant Red Teaming: Uncovering modern attack paths
Mandiant knows more about cyber threats than anyone
15,000 network sensors
Tens of millions of malware detonations per hour
65M Emails Processed/Day
180+ analysts and researchers
30K intel reports per year
4 Security Operations Centers
99M+ events ingested
21M+ alerts validated by Intel
15+ years of investigative expertise
20+ countries with consultants
400+ Red Team Exercises Per Year