SecureTrust Cybersecurity

Penetration Testing Case Study: How We Prevented A Ransomware Attack

Vision healthcare provider case study

What Happened

SecureTrust was contracted to conduct a penetration assessment of internal network environments to evaluate network security posture.

All activities were conducted in a manner that simulated a malicious actor engaged in a targeted attack with the goals of:

  • Determining whether an attacker could bypass internal controls and compromise the internal domain.
  • Determining the impact of a security breach on:
    • Confidentiality/Integrity/Availability of Personally Identifiable Information/Personal Health Information (PII/PHI)

High Level Findings

SecureTrust was able to chain the following three common vulnerabilities together to obtain full domain compromise:

  • Over-privileged service/user accounts.
  • LLMNR/NetBIOS-NS spoofing.
  • SMB signing disabled.
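
The three findings above correspond to host settings a defender can audit. The read-only PowerShell check below is an added example, not part of SecureTrust's assessment or tooling; it assumes an elevated session on a Windows host where the built-in SmbShare and LocalAccounts modules are available, and the function names are hypothetical.

```powershell
# Added example: read-only audit of the settings behind the three findings.
# Function names are illustrative; nothing here changes configuration.

function Test-LlmnrDisabled {
    # The "Turn off multicast name resolution" policy sets EnableMulticast = 0.
    # A missing value means the policy is not configured and LLMNR is active.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $val = Get-ItemProperty -Path $key -Name EnableMulticast -ErrorAction SilentlyContinue
    return ($null -ne $val -and $val.EnableMulticast -eq 0)
}

function Get-NetbiosEnabledAdapter {
    # TcpipNetbiosOptions: 0 = follow DHCP, 1 = enabled, 2 = disabled.
    # Anything other than 2 can still answer NetBIOS name queries.
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.TcpipNetbiosOptions -ne 2 } |
        Select-Object Description, TcpipNetbiosOptions
}

function Get-SmbSigningState {
    # Signing has to be required, not just enabled, for unsigned
    # sessions to be rejected.
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration
    [pscustomobject]@{
        ServerRequiresSigning = [bool]$server.RequireSecuritySignature
        ClientRequiresSigning = [bool]$client.RequireSecuritySignature
    }
}

function Get-LocalAdminMember {
    # Service or user accounts listed here hold full control of the host.
    # Review each entry against what the account actually needs.
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Select-Object Name, ObjectClass, PrincipalSource
}

$smb = Get-SmbSigningState
[pscustomobject]@{
    Host                   = $env:COMPUTERNAME
    LlmnrDisabled          = Test-LlmnrDisabled
    NetbiosEnabledAdapters = @(Get-NetbiosEnabledAdapter).Count
    ServerRequiresSigning  = $smb.ServerRequiresSigning
    ClientRequiresSigning  = $smb.ClientRequiresSigning
    LocalAdministrators    = (@(Get-LocalAdminMember).Name -join '; ')
}
```

A host passes when `LlmnrDisabled` is true, `NetbiosEnabledAdapters` is 0, and both signing values are true; the administrator list still needs a manual review.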

Why SecureTrust?

SecureTrust is a leading provider of cybersecurity automation solutions. SecureTrust’s platform helps organizations mitigate intrusions and data exfiltration.

Work Performed By

Joshua Selvidge

Case Study Overview

SecureTrust utilized an “assume breach” methodology when conducting this assessment. “Assume breach” assumes that an attacker has successfully breached an organization’s perimeter controls and obtained a persistent foothold on the internal network.

This approach is commonly used as it allows assessors to focus on testing an organization’s internal network security posture rather than spending limited engagement time on bypassing external controls.

To mimic an adversary that had successfully breached the client’s external defenses, SecureTrust sent a pre-configured form-factor PC onsite that was plugged into the server subnet.

Utilizing a secure VPN, SecureTrust assessors then connected to the device and conducted offensive operations against internal networks.

The Solution


Initial reconnaissance of the client’s local domain resulted in the discovery of numerous Windows systems, which were used to build a target list for follow-on attacks.

Domain Accounts Identified

The majority of dumped credentials were local accounts; however, some domain accounts were found. Utilizing CrackMapExec, assessors were able to use the “pass-the-hash” technique with the NTLM hash for the local Administrator user to enumerate shares.

Requesting Kerberos Ticket

Assessors utilized “Rubeus” to request a valid Kerberos ticket. With a valid Kerberos ticket, users can effectively impersonate the user the ticket was issued for and interact with domain services.

Poison An LLMNR/NetBIOS Response

Assessors were immediately able to poison an LLMNR/NetBIOS response and capture an NTLMv2 hash for the “Services” user.

Enumerating Domain Admin

During this phase, local accounts were also dumped from database servers. SecureTrust did not attempt further exploitation against production databases to avoid possible interruption of services, but it would have been feasible.

Cracking The Hash

Using the same imported Kerberos token, assessors then successfully used PsExec, a Sysinternals tool for remote system management, to access the domain controller.

Extracting All Domain Password Hashes

Once on the attacker host, the NTDS.DIT file was decrypted and dumped using the impacket-secretsdump tool, providing access to all user and machine password hashes in the domain. At this point, the domain is effectively compromised.

The Outcome

The client took the results of the internal pen test and immediately reached out to their IT provider to action recommendations. SecureTrust provided a retest 6 weeks after the initial test was conducted and confirmed the remediation of vulnerabilities found. As a result, the client was able to greatly improve their security posture and meet annual HIPAA compliance requirements.
