Cyber security is all in the preparation. The number of cyber attacks is constantly increasing, so improving your defences after a breach is too late. You have to be proactive in this industry. But there are only so many compliance assessments, vulnerability scans and security training sessions you can go to before you start to wonder: “What would actually happen if someone targeted my business?”
Red teaming answers that question.
A full red team engagement is usually the closest you can get to a real cyber attack without the devasting losses and penalties the real thing incurs. These engagements pit your systems, processes and employees against our team of world-class experts in the field, who use real-world techniques to expose and exploit flaws in your defences. This case study is the story of a real engagement against a high-profile target in the financial sector. Hopefully, it will give you an insight into how the team operates, and some tips on areas to look at within your security.
Objectives:
This red team engagement was designed to achieve specific objectives:
- Gain physical access to the corporate office.
- Bypass multi-factor authentication (MFA) mechanisms.
- Access specific datasets supplied by the client to demonstrate the extent of compromise.
- Prove the capability to compromise core applications, highlighting potential vulnerabilities.
Reconnaissance
To kick off an engagement, the red team has to gather as much information as possible on the target organisation. This sets the stage for the rest of the engagement, giving the team insights into how the organisation operates, what levels of cyber awareness there are within the organisation, and what methods of attack would best suit the target’s specific profile.
We started this engagement by using online resources such as LinkedIn, to explore the online presence around the target, giving us a list of names and numbers to base our research on. One paid resource yielded over 1100 contacts for the target.
Armed with all those names, our team compiled a list of potential email addresses to validate against Office 365. Using a common spraying technique, we checked each email address, confirming their validity and activity within the target organisation’s infrastructure. In total we identified nearly 1800 active email accounts, giving us plenty to work with during the engagement.
Our reconnaissance efforts were not limited to email addresses. To give themselves maximum flexibility in approach, the team also used the paid resource to identify mobile numbers associated with key personnel within the organisation. Despite many personnel having outdated or unavailable contact information, usually because they were no longer working for the target, we ended up with a list of 150 UK mobile numbers, which were the starting blocks for our assault on that target’s network.
Smishing Campaign
This is when the engagement shifts from research to action. The team drew up a smishing campaign to target their list of employee phone numbers to try to collect login credentials. The campaign involved a malicious domain dressed up to look like an Office 365 usage policy. As the first users started to interact with the campaign, we collected a lot of credentials, but that wasn’t enough. With multi-factor authentication active on all accounts, those credentials were useless without the accompanying session tokens.
However, our team are nothing if not resourceful. We used a full ADFS in Azure lab to reverse engineer the login process, and once we had a better understanding of the MFA system, started the smishing messages up again, and the session tokens started flowing free. We had access.
Using the harvested credentials, our consultants used a fresh Azure Windows machine to re-inject the browser and log in. The machine was synced to the smishing victim’s account, so we had free range over their entire Microsoft Edge profile, including passwords, history, and the ability to add our own phone number as a second MFA authentication mechanism.
To access the target organisation’s internal network and start pillaging the data and resources within, our team exploited the Citrix VDI environment using the victim’s credentials they had stolen. However, after logging in, it became clear that the victim was logged in and using Citrix at the same time, and by logging in from another machine, we had kicked them out. That’s generally something you’d notice and report.
With the clock ticking before the Security Operations Centre was alerted to their activities, the team continued enumerating the environment into the night. Real hackers don’t operate on normal working hours, so neither do we.
The next morning, our consultant attempted to run a payload (Cobalt Strike) and beacon to get internal persistence. We got the beacon call back as a local administrator within the Citrix environment, which was a huge breakthrough.
The celebrations were cut disappointingly short though, as immediately after getting the beacon, the hijacked account was disabled, and the team lost access to the environment. The victim had reported the smishing message.
After this, the team continued with the smishing for a while to collect more account credentials for use later in the engagement. By the end, we had credentials and MFA tokens for seven different accounts.
Infiltration Tactics
With the digital groundwork laid, we decided to let the smishing text chains cool down and focused on gaining access to the target’s office.
Two consultants arrived on the ground and started recon around the building, taking note of, entry points, how employees got into the building, as well as potential Wi-Fi access. This provided crucial intelligence for later access attempts, including confirming other minor details such as lanyard colours, which meant our operatives would be able to blend into the background as much as possible.
The next issue was what to attach to the lanyards. But that wasn’t hard to solve. In publicly accessible photos and videos on LinkedIn, Google, and TikTok, employees were displaying their ID badges for all to see, either around their necks or on their desks. Our consultants created replicas based on these to add to their disguises. These would fool anyone glancing their way, but wouldn’t be able to get through any scanners, which was a potential snag.
But again, it wasn’t a snag that lasted very long. On the first proper attempt of accessing the building, a member of the team simply blended into the flow of employee traffic to get in, in a move called ‘tailgating’. Sometimes confidence really does get you everywhere. With not so much as an eyebrow raised in their direction, they melted into the background of the office, settling down in the café to decide on the next move.
Surrounding our consultant was a group of hot desks, mostly occupied by employees with headphones on, buried deep in Teams calls. In an effort not to be disturbed as they went about trying to quietly smash apart the target’s cyber defences, our consultant dialled the rest of the team into a call and started to work on the main objective of the physical side of engagement; plugging in a rogue device for direct access to the internal network.
They attempted to plug in the device behind the desk equipment, but even after multiple attempts and configuration changes, it was clear that it could not be accessed, and this avenue was abandoned. With a fresh set of stolen credentials, the consultant accessed the VDI and tried to download another Cobalt Strike beacon for persistence. This time, the payload was captured by the target’s EDR.
As this all took place during working hours, our consultant knew the Security Operations Centre would be actively hunting them, so they packed up and bravely retreated out of the office before it got too hot. In total, they spent four hours under the target’s nose without being questioned once.
Undeterred by the initial setback, a second consultant ventured into the fray later the same day, simply tailgating their way into the building. They used yet another set of credentials and tried to use a slightly modified payload to bypass AV. It appeared to run with no AV flagging, but no access was granted, and they were also forced to abandon their efforts, but not before snapping a few souvenir pictures of the office. After an hour, they also left the building without any suspicion.
Evasion and Escalation
By this point, it was clear that accessing accounts was no problem, but evading detection while trying to escalate privileges within the target environment was proving more difficult. The formidable opponent for us on this cyber battlefield was enterprise-grade Microsoft Defender for Endpoint (MDE), which had repeatedly shut down our payloads and reported us to the SOC. It was being its usual effective self, but in red teaming, there’s always another way.
Knowing that more text messages would start to get suspicious, especially after at least one user had reported the smishing, email was the way to go for this new attack. While browsing through employee inboxes, we noticed a few emails from the CISO about security policy. This formed the basis of a new phishing campaign. They sent an email masquerading as the IT Service Desk on behalf of the CISO, asking users to accept a new BYOD policy as a result of recent suspicious activity (I wonder who might have been responsible for that). This fresh campaign successfully captured multiple credentials, re-establishing access to the Citrix environments.
Even in the digital world, sneaking around is often best done under the cover of night, outside working hours. This is because there are fewer ‘eyes on glass’. Capitalising on this window of reduced surveillance, our operatives put together a full Azure Lab running Microsoft Defender to craft a payload capable of fooling enterprise grade defences.
We accessed the Citrix environment around 9pm, using domains whitelisted through the Zscaler proxy. Immediately the beacon called home, without a whisper from MDE.
The MDE lab was vital to this stage of the engagement, as it allowed us to test every move before we made it for real, to make sure nothing triggered a response.
After running tooling tests in the lab to confirm memory scans weren’t being picked up, the team managed to kerberoast all service accounts within the domain. These hashes were put through a password cracking machine and an account was successfully retrieved.
However, after further tooling tests in the MDE lab, there was some bad news. Some tooling was being picked up by the system, but in the middle of the night, the team weren’t too worried about an immediate response from the SOC. Nevertheless, to protect their access they used the Cobalt Strike Beacon to create a reverse proxy outside the environment to one of their secure testing machines using an exfiltration proxy. An agent was dropped onto the machine, and with this proxy running it was possible to run tooling and not be detected.
This is where it gets technical. Or at least, more technical than it has been so far.
The team ran Certipy to enumerate the Active Directory Certificate Service within the targeted domain. One certificate was vulnerable to a trivial escalation technique, which enabled the team to successfully impersonate a domain admin user to gain a TGT ticket. This ticket could be used to perform elevated commands, effectively pulling the password hashes of all users within the domain, including the KRBTGT account.
Using the KRBTGT account it was possible to create a “golden ticket” – a forged TGT signed by the domain’s KRBTGT account. This golden ticket could be used to impersonate any user on any service on any machine in the domain. As a result, it’s probably the single most powerful secret you can obtain.
This gave us a very high level of privilege within the target. We could extract credential material from the domain and use it to regain Domain Admin access at any time.
This breakthrough came in the early hours of the morning, but the DA-level access was still available at 9am the next day. However, communications through the night had alerted the SOC, and access was lost around an hour later. That didn’t shut us out completely though. We could theoretically return to the office and use the highly privileged accounts to access sensitive information through the VDI. This remained theoretical though, because having completed all of our objectives, we concluded the engagement.
Despite the best efforts of the SOC and Microsoft Defender to thwart our operations, our team did what they do best and succeeded in their quest for access and control. With the potential for re-entry into the premises and further exploitation of highly privileged accounts, our team had proven the extent of their capabilities, and the vulnerabilities of the target’s infrastructure.
Impact and Recommendations
The red team engagement exposed critical vulnerabilities in the target’s cyber security system, highlighting the need for proactive remediation measures and enhanced security protocols.
Actionable Recommendations:
- Implement turnstiles and stringent physical access controls to stop people from being able to just wander in and use the hot desks.
- Adopt passwordless MFA solutions (e.g., FIDO2) to enhance authentication security and prevent the kind of smishing attack that got our team initial access to the VDI.
- Conduct regular cyber awareness training to educate employees on social engineering methods, smishing and tailgating.
- Review and secure Active Directory certificate services to mitigate credential-based attacks.
This red team engagement proves the critical importance of robust cyber security defences in today’s threat landscape. Even with a vigilant SOC and enterprise grade MDE, our experts still found a way to access sensitive information. OmniCyber Security’s meticulous approach, coupled with advanced emulation techniques, revealed vulnerabilities and provided actionable insights for enhancing cyber security resilience. Through proactive measures and continuous vigilance, organisations can navigate the complexities of cyber security and safeguard their digital assets against evolving threats.
About OmniCyber Security
OmniCyber Security is the partner of choice for businesses around the world, offering tailored solutions to address the most complex security challenges. With a team of world-class professionals and a commitment to excellence, OmniCyber Security empowers organisations to fortify their defences and navigate the ever-changing cyber security landscape with confidence.
Contact us today for more information about OmniCyber Security‘s comprehensive cyber security solutions, including red team engagements just like this one.
- Preparing for the Digital Operational Resilience Act (DORA)The Digital Operational Resilience Act (DORA) is a regulatory framework introduced by the European Union to strengthen the digital resilience of financial institutions and mitigate Information and Communications Technology… Read more: Preparing for the Digital Operational Resilience Act (DORA)
- ‘Tis The Season To Protect your Retail Business From AI Cyber ThreatsAs the 2024 holiday shopping season approaches, retailers everywhere are gearing up for a rush of online customers. This period, critical for annual sales, is also prime time for… Read more: ‘Tis The Season To Protect your Retail Business From AI Cyber Threats
- The Doggo Stole My Homework: How Phishing Kits Make Cyber Crime EasyCyber criminals all over the world have been using a new kit to easily create over 2000 phishing websites in Australia, Japan, Spain, the U.K., and the U.S. … Read more: The Doggo Stole My Homework: How Phishing Kits Make Cyber Crime Easy
- Cyber Security Isn’t Growing Fast Enough – And Our Needs Are Greater Than EverCyber security is in a worrying state. The global workforce of cyber security professionals stands at 5.5 million people, but with ever-increasing demand for their services, the number of… Read more: Cyber Security Isn’t Growing Fast Enough – And Our Needs Are Greater Than Ever
- PCI DSS 4.0: New Requirements for Merchants Using JavaScriptAs the deadline for PCI DSS 4.0 compliance approaches in March 2025, businesses must prepare for new security requirements related to websites using JavaScript and iFrames for payment pages.… Read more: PCI DSS 4.0: New Requirements for Merchants Using JavaScript