Executive Summary

This comprehensive report documents a simulated penetration test aimed at assessing the security posture of a corporate network with the ultimate goal of compromising the forest domain controller. The test was designed to emulate a sophisticated adversarial attack that strategically uses multiple cycles of lateral movement and privilege escalation. The test utilized a variety of attack techniques that align with the MITRE ATT&CK framework, each carefully chosen to exploit specific vulnerabilities within the network.

Key findings include several high-risk vulnerabilities that allowed for successive breaches and escalations within the network infrastructure, culminating in complete control over the domain controller. The report concludes with targeted recommendations for strengthening the network’s defenses, improving detection capabilities, and reducing the overall attack surface.

High-Level Summary

  • Key Vulnerabilities: Identified critical vulnerabilities included insecure service configurations, credential misuse, and several unpatched systems.
  • Attack Path: Demonstrated a multi-layered attack strategy involving four stages of lateral movement and multiple privilege escalations.
  • Impact: Full domain compromise was achieved, highlighting significant risks in current security practices and the potential for severe data breaches and system manipulation.

Write here any story what is there and how we obtained the machines

Key Findings

Stage  Target System          Technique           CVSS Score  Impact
1      Web Server             Phishing            7.5         High
2      Workstation            Local Exploit       8.0         High
3      Departmental Server    Pass the Ticket     7.4         High
4      Departmental Server    Software Exploit    8.5         High
5      Domain Controller      Remote Desktop      7.8         High
6      Domain Controller      Token Forging       8.2         High
7      Admin Server

Attack Flow and Narrative

Stage 1: Initial Access

  • Target System: External Corporate Web Server
  • Technique: Phishing (T1566)
  • Details: Initiated the attack chain with a phishing attack that delivered and executed malware on a user’s workstation.
  • CVSS Score: 7.5 (High)

Stage 2: Privilege Escalation

  • Target System: User’s Workstation
  • Technique: Exploitation for Privilege Escalation (T1068)
  • Details: Used a local exploit to gain administrative rights on the user’s workstation.
  • CVSS Score: 8.0 (High)

Stage 3: First Lateral Movement

  • Target System: Departmental Server
  • Technique: Pass the Ticket (T1550.003)
  • Details: Leveraged stolen Kerberos tickets from the compromised workstation to access the departmental server.
  • CVSS Score: 7.4 (High)

Stage 4: Second Privilege Escalation

  • Target System: Departmental Server
  • Technique: Exploitation for Privilege Escalation (T1068)
  • Details: Exploited a vulnerability in third-party software to obtain domain-level credentials.
  • CVSS Score: 8.5 (High)

Stage 5: Second Lateral Movement

  • Target System: Secondary Domain Controller
  • Technique: Remote Services (T1021)
  • Details: Used domain credentials to access the secondary domain controller via Remote Desktop.
  • CVSS Score: 7.8 (High)

Stage 6: Third Privilege Escalation

  • Target System: Secondary Domain Controller
  • Technique: Forge Web Credentials (T1606)
  • Details: Forged authentication tokens to increase access privileges within the domain.
  • CVSS Score: 8.2 (High)

Stage 7: Third Lateral Movement

  • Target System: Main IT Administration Server
  • Technique: Lateral Tool Transfer (T1570)
  • Details: Transferred a custom remote access tool to the main IT admin server and executed it there.
  • CVSS Score: 7.5 (High)

Stage 8: Final Privilege Escalation

  • Target System: Forest Domain Controller
  • Technique: DCSync (T1003.006)
  • Details: Performed a DCSync attack from the IT admin server, impersonating a domain controller to replicate directory data (including credential material) from the forest domain controller.
  • CVSS Score: 9.0 (Critical)
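
The two stages above that leave the clearest traces in Windows Security logs are the RDP logon to the secondary domain controller (Stage 5) and the DCSync replication request (Stage 8). The script below is an added detection example, not part of this report or of the engagement tooling: it runs two rules over constructed sample events in a simplified, hypothetical JSON export format. The replication extended-right GUIDs are the real Active Directory values; the hostnames (DC01, DC02, PAW01, DEPT-SRV01), account names, IP addresses and the non-replication GUID in the last sample event are constructed placeholders.

```python
"""Two detections for the attack narrative above, run over constructed
Windows Security events: Stage 5 (RDP logon to a domain controller from
an unexpected host) and Stage 8 (DCSync-style replication by an account
that is not a domain controller).

Field names follow a simplified, hypothetical JSON export of Security
log events. The replication right GUIDs are the real Active Directory
extended-right values; hostnames, accounts and IPs are constructed.
"""
import json

# Extended rights that permit directory replication (real AD GUIDs).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Assumed environment knowledge (placeholders, not values from the report).
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
DC_MACHINE_ACCOUNTS = {"DC01$", "DC02$"}
ALLOWED_REPLICATION_ACCOUNTS = {"svc_adsync"}  # e.g. a directory sync service
ADMIN_JUMP_HOSTS = {"PAW01"}                   # the only hosts expected to RDP to a DC

# Constructed sample events, one JSON object per line. The GUID in the last
# event is a placeholder for an unrelated, non-replication property.
SAMPLE_LOG = """
{"EventID": 4624, "Computer": "DC02", "LogonType": 10, "TargetUserName": "svc_deploy", "WorkstationName": "DEPT-SRV01", "IpAddress": "10.20.0.15"}
{"EventID": 4624, "Computer": "DC02", "LogonType": 10, "TargetUserName": "adm.jsmith", "WorkstationName": "PAW01", "IpAddress": "10.10.0.5"}
{"EventID": 4624, "Computer": "DC02", "LogonType": 3, "TargetUserName": "DEPT-SRV01$", "WorkstationName": "DEPT-SRV01", "IpAddress": "10.20.0.15"}
{"EventID": 4662, "Computer": "DC01", "SubjectUserName": "DC02$", "ObjectType": "domainDNS", "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]}
{"EventID": 4662, "Computer": "DC01", "SubjectUserName": "svc_deploy", "ObjectType": "domainDNS", "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]}
{"EventID": 4662, "Computer": "DC01", "SubjectUserName": "jdoe", "ObjectType": "user", "Properties": ["11111111-2222-3333-4444-555555555555"]}
"""


def load_events(log_text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]


def detect_rdp_to_dc(events):
    """Stage 5 signal: RemoteInteractive logon (4624, logon type 10) on a domain
    controller from any host that is not a designated admin jump host."""
    alerts = []
    for e in events:
        if e.get("EventID") != 4624 or e.get("LogonType") != 10:
            continue
        if e.get("Computer") not in DOMAIN_CONTROLLERS:
            continue
        source = e.get("WorkstationName")
        if source in ADMIN_JUMP_HOSTS:
            continue
        alerts.append({
            "rule": "rdp_to_dc_from_unexpected_host",
            "dc": e["Computer"],
            "account": e.get("TargetUserName"),
            "source_host": source,
            "source_ip": e.get("IpAddress"),
        })
    return alerts


def detect_dcsync(events):
    """Stage 8 signal: directory object access (4662) exercising a replication
    right by an account that is neither a DC machine account nor an allowlisted
    replication service. DC-to-DC replication is the expected baseline."""
    alerts = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        rights = REPLICATION_RIGHTS.intersection(e.get("Properties", []))
        if not rights:
            continue
        account = e.get("SubjectUserName", "")
        if account in DC_MACHINE_ACCOUNTS or account in ALLOWED_REPLICATION_ACCOUNTS:
            continue
        alerts.append({
            "rule": "replication_by_non_dc_account",
            "dc": e.get("Computer"),
            "account": account,
            "rights": sorted(rights),
        })
    return alerts


if __name__ == "__main__":
    events = load_events(SAMPLE_LOG)
    for alert in detect_rdp_to_dc(events) + detect_dcsync(events):
        print(json.dumps(alert))
```

Run against the sample log, the RDP rule fires once (the logon from DEPT-SRV01, matching the departmental server to secondary DC hop) and the replication rule fires once (svc_deploy requesting replication rights), while the jump-host logon and the DC02$ replication are treated as baseline. In production the allowlists should come from inventory rather than constants, and 4662 auditing must be enabled on the directory partition for the replication rule to see anything.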

Server IP Address  Hostname  Compromised  Low-Privilege User  High-Privilege User
192.168.X.X        HOSTNAME  No           N/A                 N/A
192.168.X.X        HOSTNAME  Yes          user                root
192.168.X.X        HOSTNAME  Yes          N/A                 root