Red Teaming Case Study

To ensure the effectiveness of our client’s security implementations LIFARS frequently conducts red team engagements and penetration tests evaluating whether their systems can hold up to real world scenarios and stay resilient. Our cyber resiliency experts deliver calculated attacks against systems the same way black hat hackers do.
Red Teaming Case Study - Cyber Threat Hunting - Detect Advanced Threats Hiding In Your Network

In February, our client requested LIFARS Pen Testing Team to perform a red teaming as part of a due diligence exercise. The client, an international financial organization with over 5000 employees and 300 IPv4 addresses, understands the risks they face on a daily basis and the importance of meeting compliance with cybersecurity standards.

The intent of this assessment was to identify weaknesses in the company’s Internet facing infrastructure and to detail how these vulnerabilities could impact the organization.
Note: Information in this case study has been redacted to maintain confidentiality of our client

Attack summary

Starting the red team exercise, the LIFARS team prepared a spear phishing campaign focused on using 2 public vulnerabilities in Google Chrome. This campaign gained us the initial foothold as a targeted employee visited our website, exploit successfully executed and the client machine called home, i.e. connected to our C&C server. We got our first compromised host 10.10.14.3 in the network subnet 10.10.14.1/24.

After that, we moved laterally to another host, 10.10.14.5, by exploiting Nostromo (HTTP server) to gain access as a low privileged user (www-data). We escalated our privileges to root account by abusing suid, in this case the “find” program. Moving to our next host in this network 10.10.14.6, running on Windows 7, we successfully exploited a RDP vulnerability, “BlueKeep”. As this exploitation gained us the highest privileges NT AUTHORITY\SYSTEM, we moved into the post exploitation phase and found that this machine could see hosts in another network subnet – 10.10.15.1/24.

In this network we started with attacking host 10.10.15.15. A portscan revealed that the host was running a vulnerable version of a Rejetto HttpFileServer. After successful exploitation, we then had domain user account with low privileges and which we needed to escalate for a more thorough post-exploitation. We used Windows SMBv3 LPE “CoronaBlue / SMBGhost” (CVE-2020-0796) for privilege escalation. After we gained the information about the user accounts, passwords, configuration files, etc we moved to our main target – the domain controller running on 10.10.15.22.

Download “Red Teaming Case Study” to learn more