Introduction
In the high-stakes world of enterprise cybersecurity, even the most fortified defenses can be breached. This whitepaper takes you inside the mind of a Lares adversarial engineer as we outline the advanced tactics used to successfully penetrate Fortune 100 companies. Get familiar with the evolving threat landscape and discover why a proactive, offensive approach to security is no longer optional but essential for protecting your organization’s most valuable assets and operations.
Reconnaissance: The Foundation of a Successful Attack
Open-Source Intelligence (OSINT) is the primary starting point: tools such as Shodan.io and Google Dorks are used to identify exposed, vulnerable public-facing assets. Automated reconnaissance frameworks like reNgine and BBot then enumerate open ports, misconfigured services, and other potential entry points.
Moreover, user and employee data, including usernames and email addresses, are often collected using tools like LinkedIn2Username and Hunter.io. This information is vital for subsequent social engineering and password-guessing attacks.
Initial Access: Exploiting Weak Entry Points
Once sufficient reconnaissance is completed, the focus shifts to gaining initial access.
Common methods include:
- Credential Theft and Reuse: Credentials obtained from previous breaches or public databases are tested against various company services. Password spraying tools like CredMaster are employed to automate the process, rotating IPs to avoid detection.
- Exploiting Web Vulnerabilities: Web servers running outdated software or vulnerable plugins, such as those in WordPress, are prime targets. Vulnerabilities such as SQL injection and remote code execution (RCE) flaws are exploited to gain a foothold on the server.
- Social Engineering: Tactics such as phishing emails and vishing (voice phishing) are used to deceive employees into revealing sensitive information or executing malicious payloads.
- Bypassing Multi-Factor Authentication (MFA): Despite its effectiveness, MFA can be bypassed using advanced techniques. One method involves MFA fatigue attacks, where an attacker triggers repeated MFA push notifications to the target user, hoping they will approve a login attempt out of frustration or by mistake. Another approach is session hijacking, where the attacker captures a legitimate session token after the user has successfully authenticated. By using this token, the attacker can gain access to the system without needing to pass the MFA challenge again.
Additionally, SIM swapping is a targeted technique where the attacker takes control of the victim’s phone number, allowing them to intercept SMS-based MFA codes.
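From the defender's side, the credential-reuse and MFA-fatigue techniques above leave distinctive traces in authentication logs. The following Python script is an added example written for this page (it is not Lares' tooling or any product's detection logic) that applies two checks to a constructed, simplified SSO-style log; the log format, field names and thresholds are assumptions for the example. Because IP rotation of the CredMaster kind defeats per-source thresholds, the spray rule keys on how many distinct accounts fail in a window rather than on failures per IP.

```python
"""Detect password-spraying and MFA-fatigue patterns in authentication logs.

Added example for this section; not Lares' code or any product's detection
logic. The log format is constructed for the example:
"<ISO-8601 UTC time> <event> user=<name> ip=<address> result=<code>".
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)

# Constructed sample: a low-and-slow spray over rotating IPs at 09:00, a user's
# own typo at 09:30, and a burst of push prompts against frank at 10:00.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z login user=alice ip=203.0.113.10 result=FAIL
2024-05-01T09:00:03Z login user=bob ip=203.0.113.11 result=FAIL
2024-05-01T09:00:05Z login user=carol ip=203.0.113.12 result=FAIL
2024-05-01T09:00:07Z login user=dave ip=198.51.100.5 result=FAIL
2024-05-01T09:00:09Z login user=erin ip=198.51.100.6 result=FAIL
2024-05-01T09:00:11Z login user=frank ip=198.51.100.7 result=SUCCESS
2024-05-01T09:30:00Z login user=alice ip=10.0.0.5 result=FAIL
2024-05-01T09:30:20Z login user=alice ip=10.0.0.5 result=SUCCESS
2024-05-01T10:00:00Z mfa_push user=frank ip=198.51.100.7 result=DENIED
2024-05-01T10:00:30Z mfa_push user=frank ip=198.51.100.7 result=TIMEOUT
2024-05-01T10:01:00Z mfa_push user=frank ip=198.51.100.7 result=DENIED
2024-05-01T10:01:30Z mfa_push user=frank ip=198.51.100.7 result=DENIED
2024-05-01T10:02:00Z mfa_push user=frank ip=198.51.100.7 result=APPROVED
"""


def parse(log_text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, kind, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        fields["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        fields["kind"] = kind
        events.append(fields)
    return events


def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Flag windows in which many accounts each fail only a few times.

    Keying on the number of distinct accounts (not on failures per source IP)
    is what survives IP rotation: each IP may only ever be seen once.
    """
    buckets = defaultdict(list)
    for e in events:
        if e["kind"] == "login" and e["result"] == "FAIL":
            buckets[(e["ts"] - EPOCH) // window].append(e)
    alerts = []
    for slot, fails in sorted(buckets.items()):
        per_user = Counter(e["user"] for e in fails)
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            alerts.append({
                "window_start": EPOCH + slot * window,
                "users": len(per_user),
                "source_ips": len({e["ip"] for e in fails}),
            })
    return alerts


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_prompts=3):
    """Flag a user who receives several unapproved push prompts in a short window."""
    by_user = defaultdict(list)
    for e in events:
        if e["kind"] == "mfa_push":
            by_user[e["user"]].append(e)
    alerts = []
    for user, pushes in by_user.items():
        pushes.sort(key=lambda e: e["ts"])
        for i, first in enumerate(pushes):
            run = [p for p in pushes[i:] if p["ts"] - first["ts"] <= window]
            unapproved = [p for p in run if p["result"] != "APPROVED"]
            if len(unapproved) >= min_prompts:
                alerts.append({
                    "user": user,
                    "prompts": len(unapproved),
                    # An approval after a string of denials is the worst case:
                    # the user may have accepted a prompt they did not start.
                    "approved_after": any(p["result"] == "APPROVED" for p in run),
                })
                break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for a in detect_spray(evs):
        print("possible password spray:", a)
    for a in detect_mfa_fatigue(evs):
        print("possible MFA fatigue:", a)
```

The thresholds are deliberately simple; in production they are tuned per identity provider, and the `approved_after` flag is what should drive an immediate session revocation and a call to the user.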
Internal Reconnaissance: Mapping the Internal Network
Once initial access is gained, the next critical step is internal reconnaissance. This phase involves exploring the internal network to identify key systems, applications, and data repositories that could be potential targets.
- Enumerating Active Directory (AD): Attackers often start by querying the Active Directory to identify domain controllers, user accounts, and group memberships. Tools like BloodHound and PowerView are frequently used to map out the AD structure and identify high-value targets such as domain admins and service accounts. BloodHound is particularly effective in visualizing relationships within the AD environment, helping attackers spot paths to privilege escalation.
- Identifying Key Servers and Databases: Attackers will scan the network to locate servers hosting critical services like databases, file shares, and application servers. Tools like SharpHound or Responder can be used to gather information about these systems. By analyzing network traffic, attackers can identify unencrypted protocols or misconfigured services that can be exploited to move laterally.
- Gathering Credentials: Attackers often use tools like Mimikatz to extract credentials from memory or obtain password hashes that can be cracked offline. Additionally, they may search for configuration files, scripts, or scheduled tasks that store credentials in plaintext.
- Service Enumeration and Exploitation: Attackers look for running services, especially those with known vulnerabilities or weak configurations. They may exploit these services to gain higher privileges or access additional network segments.
- Lateral Movement: Using the information gathered during internal reconnaissance, attackers begin moving laterally across the network. Techniques such as Pass-the-Hash, Pass-the-Ticket, and exploiting trust relationships between systems are commonly employed at this stage.
This phase is critical because it allows attackers to deepen their foothold within the network and set the stage for further exploitation, privilege escalation, and eventual domain takeover.
Privilege Escalation: From User to Administrator
Once inside the network, the next step is to escalate privileges to gain administrative control. This involves:
- Kerberoasting: Attackers target service accounts in Active Directory that have Kerberos Service Principal Names (SPNs) associated with them. By requesting a ticket for the service, attackers can retrieve a ticket-granting service (TGS) ticket, which is encrypted with the service account’s password hash. Tools like Rubeus are then used to extract the hash, which is cracked offline using tools like Hashcat to obtain the cleartext password.
- Exploiting ADCS Misconfigurations: Attackers can leverage Active Directory Certificate Services (ADCS) misconfigurations to request certificates that grant them elevated privileges. Using tools like Certify or Certipy, attackers identify vulnerable certificate templates and request a certificate that allows them to impersonate a domain admin.
- Local Privilege Escalation (LPE): On individual systems, attackers may exploit local misconfigurations such as unquoted service paths or DLL hijacking vulnerabilities. By placing a malicious executable or DLL in a location that the system erroneously loads with elevated privileges, attackers can escalate to SYSTEM or administrative levels.
- Dumping Password Hashes: Using tools like Mimikatz or Secretsdump, attackers dump NTLM hashes from the Local Security Authority Subsystem Service (LSASS) or from domain controllers. These hashes are then used to authenticate to other systems via pass-the-hash attacks or to further crack passwords offline.
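Kerberoasting in particular is visible to a defender who audits Security event 4769 (Kerberos service ticket requested): the roasting tools ask for RC4-encrypted tickets, usually for many service accounts in quick succession. The Python below is an added example written for this page, not Lares' code; the event records are constructed dicts in the shape a SIEM would normalise from the event (field names, window and thresholds are this example's assumptions), and the encryption-type codes 0x17 (RC4-HMAC) and 0x12 (AES256) are the real values logged in 4769.

```python
"""Spot Kerberoasting from Security event 4769 (Kerberos service ticket requested).

Added example; not Lares' code. Events are constructed dicts carrying the 4769
fields a SIEM would normalise: requesting account, service name, ticket
encryption type and client address. 0x17 is RC4-HMAC, 0x12 is AES256.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"


def ev(t, account, service, etype, ip):
    return {"ts": datetime.fromisoformat(t), "account": account,
            "service": service, "etype": etype, "ip": ip}


# Constructed: jsmith requests RC4 tickets for four service accounts within
# seconds (roasting pattern); mlee's AES tickets are ordinary use.
EVENTS_4769 = [
    ev("2024-05-01T13:00:00", "jsmith", "sql_svc", RC4_HMAC, "10.0.5.23"),
    ev("2024-05-01T13:00:01", "jsmith", "web_svc", RC4_HMAC, "10.0.5.23"),
    ev("2024-05-01T13:00:02", "jsmith", "backup_svc", RC4_HMAC, "10.0.5.23"),
    ev("2024-05-01T13:00:03", "jsmith", "sharepoint_svc", RC4_HMAC, "10.0.5.23"),
    ev("2024-05-01T13:00:04", "jsmith", "FILESRV01$", "0x12", "10.0.5.23"),
    ev("2024-05-01T13:05:00", "mlee", "sql_svc", "0x12", "10.0.5.40"),
    ev("2024-05-01T13:06:00", "mlee", "krbtgt", "0x12", "10.0.5.40"),
]


def is_user_service_account(name):
    """Machine accounts (trailing $) and krbtgt have random keys and are not
    the crackable targets a roaster is after."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def detect_kerberoast(events, window=timedelta(minutes=5), min_services=3):
    """Flag accounts requesting RC4 tickets for many distinct service accounts
    within a window. A single RC4 ticket can be legitimate (legacy client);
    a burst across services from one host is the roasting signature."""
    by_account = defaultdict(list)
    for e in events:
        if e["etype"] == RC4_HMAC and is_user_service_account(e["service"]):
            by_account[e["account"]].append(e)
    alerts = []
    for account, reqs in by_account.items():
        reqs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(reqs):
            run = [r for r in reqs[i:] if r["ts"] - first["ts"] <= window]
            services = sorted({r["service"] for r in run})
            if len(services) >= min_services:
                alerts.append({"account": account, "ip": first["ip"],
                               "start": first["ts"], "services": services})
                break  # one alert per account
    return alerts


def rc4_ticket_services(events):
    """Service accounts that were issued RC4 tickets at all: the hardening list.
    Restricting them to AES (msDS-SupportedEncryptionTypes) and giving them long
    random or gMSA-managed passwords removes the cheap offline-cracking target."""
    return sorted({e["service"] for e in events
                   if e["etype"] == RC4_HMAC and is_user_service_account(e["service"])})


if __name__ == "__main__":
    for a in detect_kerberoast(EVENTS_4769):
        print("possible Kerberoasting:", a)
    print("service accounts still issued RC4 tickets:", rc4_ticket_services(EVENTS_4769))
```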
Lateral Movement: Expanding Control
With administrative privileges, the attacker moves laterally through the network, compromising additional systems and services. Techniques include:
- Pass-the-Hash: Attackers use stolen NTLM hashes to authenticate to other systems without needing the cleartext password. This technique allows them to move laterally between systems within the same domain.
- Remote Desktop Protocol (RDP): With valid credentials or hashes, attackers can initiate RDP sessions to connect to other machines within the network. Tools like xfreerdp support pass-the-hash for RDP, allowing attackers to maintain stealth during lateral movement.
- SMB and PsExec: By leveraging the Server Message Block (SMB) protocol, attackers can remotely execute commands on other systems using tools like PsExec or Smbexec. These tools allow attackers to run commands as the local administrator on the target system, facilitating lateral movement.
- WMI Execution: The Windows Management Instrumentation (WMI) service allows attackers to execute commands on remote systems. By using wmiexec.py from the Impacket suite or the built-in wmic.exe command, attackers can move laterally without touching the disk, minimizing detection.
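Each of the lateral-movement techniques above leaves a footprint in standard Windows event logs, which is what a detection engineer builds on. The Python below is an added example written for this page (not Lares' code); the records are constructed dicts in the shape a SIEM would normalise from System event 7045 (service installed) and Security events 4624 (logon) and 4688 (process creation), and the field names, window and thresholds are assumptions for the example. The rule contents are documented behaviour: PsExec installs a service named PSEXESVC by default, credential injection into a new logon session shows as a type-9 logon from the "seclogo" logon process, and remote WMI execution appears as a shell spawned by WmiPrvSE.exe.

```python
"""Flag lateral-movement indicators in Windows Security and System events.

Added example; not Lares' code. Records are constructed dicts in the shape a
SIEM would normalise from event XML; field names are this example's own.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def rec(t, host, eid, **fields):
    return {"ts": datetime.fromisoformat(t), "host": host, "id": eid, **fields}


# Constructed: a hash-injection logon on WS-42, then svc_backup's NTLM logons
# fan out to three servers, with PsExec on one and WMI on another.
EVENTS = [
    rec("2024-05-01T14:00:00", "WS-42", 4624, logon_type=9, logon_process="seclogo",
        auth_package="Negotiate", account="jsmith", source_ip="-"),
    rec("2024-05-01T14:01:00", "FS-01", 4624, logon_type=3, logon_process="NtLmSsp",
        auth_package="NTLM", account="svc_backup", source_ip="10.0.5.23"),
    rec("2024-05-01T14:01:05", "FS-01", 7045, service_name="PSEXESVC",
        image_path="%SystemRoot%\\PSEXESVC.exe"),
    rec("2024-05-01T14:02:00", "APP-03", 4624, logon_type=3, logon_process="NtLmSsp",
        auth_package="NTLM", account="svc_backup", source_ip="10.0.5.23"),
    rec("2024-05-01T14:02:30", "APP-03", 4688,
        parent="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
        image="C:\\Windows\\System32\\cmd.exe"),
    rec("2024-05-01T14:03:00", "DB-07", 4624, logon_type=3, logon_process="NtLmSsp",
        auth_package="NTLM", account="svc_backup", source_ip="10.0.5.23"),
    rec("2024-05-01T14:10:00", "FS-01", 4624, logon_type=3, logon_process="Kerberos",
        auth_package="Kerberos", account="alice", source_ip="10.0.6.9"),
    rec("2024-05-01T14:11:00", "FS-01", 7045, service_name="Sysmon64",
        image_path="C:\\Windows\\Sysmon64.exe"),
]

SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")


def rule_psexec(e):
    """7045: PsExec's default service name is PSEXESVC; its -r switch renames it,
    so a service whose binary lives in a temp path is also worth a look."""
    if e["id"] != 7045:
        return None
    if e["service_name"].upper() == "PSEXESVC" or "\\TEMP\\" in e["image_path"].upper():
        return f"{e['host']}: service '{e['service_name']}' installed from {e['image_path']}"
    return None


def rule_credential_injection(e):
    """4624 logon type 9 via 'seclogo' with Negotiate is the footprint left on
    the source host when alternate credentials or hashes are injected into a
    new logon session (the local half of a pass-the-hash move)."""
    if e["id"] == 4624 and e["logon_type"] == 9 and e["logon_process"].lower() == "seclogo":
        return f"{e['host']}: type-9 seclogo logon as {e['account']}"
    return None


def rule_wmi_exec(e):
    """4688: a shell spawned by the WMI provider host is how remote WMI command
    execution appears on the target."""
    if e["id"] == 4688 and e["parent"].lower().endswith("\\wmiprvse.exe") \
            and e["image"].lower().endswith(SHELLS):
        return f"{e['host']}: {e['image']} spawned by WmiPrvSE.exe"
    return None


def rule_ntlm_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """One account logging on over NTLM (type 3) to several hosts in a short
    window: the trace a hash reused across the estate leaves on the targets."""
    per_account = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] == 3 and e["auth_package"] == "NTLM":
            per_account[e["account"]].append(e)
    findings = []
    for account, logons in per_account.items():
        logons.sort(key=lambda e: e["ts"])
        for i, first in enumerate(logons):
            run = [l for l in logons[i:] if l["ts"] - first["ts"] <= window]
            hosts = sorted({l["host"] for l in run})
            if len(hosts) >= min_hosts:
                findings.append(f"{account}: NTLM logons to {len(hosts)} hosts from "
                                f"{first['source_ip']} ({', '.join(hosts)})")
                break
    return findings


def analyze(events):
    """Run every rule; returns (rule name, message) pairs for analyst triage."""
    findings = []
    for e in events:
        for rule in (rule_psexec, rule_credential_injection, rule_wmi_exec):
            msg = rule(e)
            if msg:
                findings.append((rule.__name__, msg))
    findings += [("rule_ntlm_fanout", m) for m in rule_ntlm_fanout(events)]
    return findings


if __name__ == "__main__":
    for name, msg in analyze(EVENTS):
        print(f"[{name}] {msg}")
```

Note that 4688 only carries the parent process name when command-line and parent auditing are enabled, and the NTLM fan-out rule needs 4624 collected from member servers, not just domain controllers; both are collection decisions a SOC has to make before the rules are useful.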
Domain Takeover: The Endgame
The ultimate goal of many attacks is to take full control of the domain, giving the attacker unrestricted access to all network resources. This is typically achieved by:
- Dumping NTLM Hashes from Domain Controllers: Attackers with elevated privileges can use tools like Secretsdump or Mimikatz to dump the NTLM hashes of all users and computers in the domain from the domain controller. These hashes can then be used to authenticate to any system in the domain, effectively giving the attacker control over the entire network.
- Creating Rogue Domain Admins: Attackers can use stolen credentials to create new domain admin accounts, ensuring they maintain access even if the original compromised accounts are detected and disabled.
- Modifying Group Policy Objects (GPOs): With domain admin access, attackers can modify GPOs to deploy malicious software or scripts across all systems in the domain, establishing persistence or creating backdoors.
- Pivoting to Cloud Services: Many organizations use hybrid environments with on-premises and cloud infrastructure. Domain admins often have elevated permissions in cloud services like Azure or Office 365. Attackers can use their on-premises domain admin access to compromise cloud accounts, further expanding their control.
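Three of the takeover actions above are audited by the domain controllers themselves: Secretsdump and Mimikatz's DCSync module obtain hashes by exercising directory replication rights, which is logged as Security event 4662 with the DS-Replication-Get-Changes control-access rights; adding a member to a privileged group is logged as 4728/4732/4756; and a GPO edit is logged as 5136 on a groupPolicyContainer object. The Python below is an added example written for this page (not Lares' code) that turns those facts into rules over constructed records; the field names and the allowlists are this example's assumptions, while the two replication GUIDs and the Default Domain Policy GUID are the real Active Directory values.

```python
"""Flag domain-takeover indicators in Domain Controller Security events.

Added example; not Lares' code. Records are constructed dicts mimicking
normalised 4662 (operation on a directory object), 4728/4732/4756 (member
added to a security-enabled group) and 5136 (directory object modified)
events; field names are this example's own. The two GUIDs are the real
DS-Replication-Get-Changes control-access rights that a replication-based
credential dump must exercise against a domain controller.
"""
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}
DEFAULT_DOMAIN_POLICY = "{31B2F340-016D-11D2-945F-00C04FB984F9}"  # well-known GPO GUID

# Constructed sample: DC02$ replicating is normal; jsmith doing so, adding an
# account to Domain Admins and editing the Default Domain Policy is not.
EVENTS = [
    {"id": 4662, "subject": "DC02$", "properties": list(REPLICATION_RIGHTS)},
    {"id": 4662, "subject": "jsmith", "properties": list(REPLICATION_RIGHTS)},
    # constructed placeholder GUID standing in for any non-replication right
    {"id": 4662, "subject": "jsmith", "properties": ["00000000-0000-0000-0000-000000000000"]},
    {"id": 4728, "subject": "jsmith", "group": "Domain Admins",
     "member": "CN=backup2,CN=Users,DC=corp,DC=example"},
    {"id": 4728, "subject": "hr_admin", "group": "Sales",
     "member": "CN=newhire,CN=Users,DC=corp,DC=example"},
    {"id": 5136, "subject": "jsmith", "object_class": "groupPolicyContainer",
     "object_dn": f"CN={DEFAULT_DOMAIN_POLICY},CN=Policies,CN=System,DC=corp,DC=example",
     "attribute": "versionNumber"},
    {"id": 5136, "subject": "jsmith", "object_class": "user",
     "object_dn": "CN=jsmith,CN=Users,DC=corp,DC=example", "attribute": "telephoneNumber"},
]


def detect_dcsync(events, dc_accounts, allowlist=frozenset()):
    """4662 exercising replication rights by anything other than a DC computer
    account (or an explicitly allowlisted directory-sync service account) is the
    server-side trace of a replication-based hash dump."""
    alerts = []
    for e in events:
        if e["id"] != 4662:
            continue
        rights = [REPLICATION_RIGHTS[p] for p in e["properties"] if p in REPLICATION_RIGHTS]
        if rights and e["subject"] not in dc_accounts and e["subject"] not in allowlist:
            alerts.append(("dcsync", f"{e['subject']} exercised {', '.join(rights)}"))
    return alerts


def detect_privileged_group_adds(events):
    """Membership added to a Tier-0 group: rogue admin or backdoor account."""
    return [("privileged_group_add", f"{e['subject']} added {e['member']} to {e['group']}")
            for e in events
            if e["id"] in GROUP_ADD_EVENTS and e["group"] in PRIVILEGED_GROUPS]


def detect_gpo_changes(events, gpo_admins=frozenset()):
    """5136 on a groupPolicyContainer by someone outside the GPO change process:
    a modified GPO reaches every machine it is linked to."""
    return [("gpo_modified", f"{e['subject']} changed {e['attribute']} on {e['object_dn']}")
            for e in events
            if e["id"] == 5136 and e["object_class"] == "groupPolicyContainer"
            and e["subject"] not in gpo_admins]


def domain_takeover_indicators(events, dc_accounts, allowlist=frozenset(), gpo_admins=frozenset()):
    """All three checks in one pass; dc_accounts is the set of DC computer accounts."""
    return (detect_dcsync(events, dc_accounts, allowlist)
            + detect_privileged_group_adds(events)
            + detect_gpo_changes(events, gpo_admins))


if __name__ == "__main__":
    for kind, msg in domain_takeover_indicators(EVENTS, dc_accounts={"DC01$", "DC02$"}):
        print(f"[{kind}] {msg}")
```

The DC computer accounts and any directory-synchronisation service account (for example the account used by Entra ID Connect, which legitimately holds replication rights) go in the allowlists; excluding every account that ends in `$` instead would let an attacker hide behind a created machine account.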
Persistence and Data Exfiltration
To ensure long-term access, attackers establish persistence mechanisms that allow them to maintain control over compromised systems even after initial detection or system reboots. Key techniques include:
- Scheduled Tasks and Services: Attackers configure malicious tasks or services to run under the guise of legitimate processes. By scheduling tasks to execute at regular intervals or upon specific triggers, attackers can maintain access and ensure that their malware or backdoor remains active. Tools like schtasks.exe are often used to create or manipulate these scheduled tasks.
- Registry Changes: Attackers modify registry keys to establish persistence on critical systems. This can include adding entries in the Run or RunOnce keys to execute malicious scripts or binaries every time a user logs in. Additionally, attackers might create or alter Image File Execution Options (IFEO) to hijack legitimate processes or set up DLL hijacking by manipulating the search order for DLL files.
- Fileless Malware: Fileless techniques involve executing malicious code directly in memory without writing anything to disk. This reduces the likelihood of detection by traditional antivirus and endpoint detection and response (EDR) tools. Attackers often use tools like PowerShell or Windows Management Instrumentation (WMI) to execute commands and scripts that leave minimal traces.
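The registry-based persistence described above can be audited offline from a `reg export` of the relevant keys, which is a common step in a compromise assessment. The Python below is an added example written for this page (not Lares' code): it parses text in the .reg file format, flags Run/RunOnce entries that launch from user-writable paths or through script hosts, and flags any Image File Execution Options "Debugger" value. The sample export, the path list and the classification rules are assumptions for the example; scheduled tasks are not covered, as they live in Task Scheduler XML rather than these keys.

```python
"""Audit a registry export for common autostart persistence entries.

Added example; not Lares' code. Input is text in the format written by
`reg export` (.reg); the sample below is constructed. Rules: Run/RunOnce
values that launch from user-writable paths or via script hosts, and any
Image File Execution Options "Debugger" value.
"""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="C:\\Users\\Public\\svchost.exe -k netsvcs"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OneDriveSetup"="C:\\Windows\\SysWOW64\\OneDriveSetup.exe /thfirstsetup"
"Sync"="wscript.exe //B C:\\Scripts\\sync.vbs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Users\\Public\\helper.exe"
"""

# Locations a standard user can write to; a legitimate autorun binary rarely lives here.
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
# Interpreters that turn an autorun value into arbitrary script execution.
SCRIPT_HOSTS = ("powershell", "pwsh", "wscript", "cscript", "mshta", "rundll32", "regsvr32", "cmd")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg(text):
    """Yield (key, name, value) for every string value in a .reg export,
    undoing the format's backslash and quote escaping."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key and m:
            value = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            yield key, m.group(1), value


def classify(key, name, value):
    """Return a reason string if the entry matches a persistence pattern."""
    k, v = key.lower(), value.lower()
    if k.endswith("\\run") or k.endswith("\\runonce"):
        tokens = v.split()
        launcher = tokens[0].rsplit("\\", 1)[-1].split(".")[0] if tokens else ""
        if any(p in v for p in USER_WRITABLE):
            return "autorun from user-writable path"
        if launcher in SCRIPT_HOSTS:
            return "autorun via script host"
    if "\\image file execution options\\" in k and name.lower() == "debugger":
        # Any Debugger value redirects the named program; legitimate uses are
        # rare enough that every hit deserves a look against an allowlist.
        return "IFEO Debugger set (process hijack)"
    return None


def audit(text):
    """Run classify() over every value; returns a list of finding dicts."""
    findings = []
    for key, name, value in parse_reg(text):
        reason = classify(key, name, value)
        if reason:
            findings.append({"key": key, "name": name, "value": value, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_REG):
        print(f"{f['reason']}: [{f['key']}] {f['name']} = {f['value']}")
```

Exports of the Run, RunOnce and IFEO keys under both HKLM and HKCU (and their Wow6432Node copies on 64-bit systems) are enough input; in practice the script's findings are compared against a known-good baseline taken from a clean build rather than judged in isolation.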
Data exfiltration is a critical phase in the attack lifecycle, as it involves extracting valuable information from the target environment. Common exfiltration techniques include:
- Encrypted Channels: Attackers often use encrypted communication channels to exfiltrate data, making it harder for network security tools to detect and analyze the traffic. Tools like OpenSSH and stunnel are used to create secure tunnels for transferring data out of the network.
- Steganography: In some cases, attackers use steganography to hide data within legitimate files, such as images or videos. The data is embedded within the media file in a way that is not easily detectable by standard security tools.
- DNS Tunneling: Attackers can exfiltrate data by encoding it within DNS queries and responses. This method, known as DNS tunneling, takes advantage of the fact that DNS traffic is often allowed through firewalls without thorough inspection. Tools like dnscat2 facilitate this type of exfiltration.
- Cloud Storage Services: Attackers may upload stolen data to cloud storage services such as Dropbox, Google Drive, or AWS S3. These services are commonly used in enterprise environments, so traffic to and from them might not raise immediate suspicions.
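DNS tunnelling is detectable precisely because of how it works: every chunk of outbound data has to ride in a new, encoded name under the attacker's zone, so that zone accumulates far more distinct, long, high-entropy subdomains than any normal domain. The Python below is an added example written for this page (not Lares' code or dnscat2's) that profiles a constructed resolver log and scores each zone on those three properties; the log format, the "last two labels" zone heuristic (which ignores public suffixes such as co.uk) and the thresholds are assumptions for the example.

```python
"""Profile DNS query logs for tunnelling-style traffic.

Added example; not Lares' code. Lines are constructed:
"<time> <client> <qname> <qtype>". Per zone (here: the last two labels, a
simplification that ignores public suffixes) it measures how many distinct
names were asked for and how long and how random they are, because a tunnel
must push each chunk of data through a new, encoded name.
"""
import math
from collections import defaultdict

# Constructed sample: ordinary corporate lookups, then ten TXT queries for
# random-looking 24-character labels under tun.example.
SAMPLE_DNS = """\
2024-05-01T15:00:00Z 10.0.5.23 www.corp.example A
2024-05-01T15:00:01Z 10.0.5.23 mail.corp.example A
2024-05-01T15:00:02Z 10.0.6.9 sso.corp.example A
2024-05-01T15:00:03Z 10.0.6.9 files.corp.example A
2024-05-01T15:00:04Z 10.0.5.23 www.corp.example A
2024-05-01T15:01:00Z 10.0.5.23 a9f3k2mq7zx8bv4n1hw6tc5y.tun.example TXT
2024-05-01T15:01:01Z 10.0.5.23 b7n2xq9wk4mz1fv8tc3hy6pa.tun.example TXT
2024-05-01T15:01:02Z 10.0.5.23 c4w8mk1zq6nx2bv9ft7hp3ya.tun.example TXT
2024-05-01T15:01:03Z 10.0.5.23 d2q9vx7mk3nb8wz1tf6hc5yp.tun.example TXT
2024-05-01T15:01:04Z 10.0.5.23 e8z3wq7kx2mn9bv4ft1hc6yp.tun.example TXT
2024-05-01T15:01:05Z 10.0.5.23 f6k1mx9qz3wn7bv2ht8cg4yp.tun.example TXT
2024-05-01T15:01:06Z 10.0.5.23 g3x7wq2kz9mn4bv6ht1cf8yp.tun.example TXT
2024-05-01T15:01:07Z 10.0.5.23 h9m2kq6xz4wn1bv7ft3cg5yp.tun.example TXT
2024-05-01T15:01:08Z 10.0.5.23 i5q8wk3xz7mn2bv9ht6cf1yp.tun.example TXT
2024-05-01T15:01:09Z 10.0.5.23 j1w4kq9xz2mn7bv3ht8cf6yp.tun.example TXT
"""


def shannon_entropy(s):
    """Bits per character; encoded data scores high, words and hostnames low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def split_name(qname):
    """Return (zone, subdomain) using the last-two-labels simplification."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile(log_text):
    """Aggregate per-zone statistics from the constructed log format."""
    zones = defaultdict(lambda: {"queries": 0, "txt": 0, "subdomains": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, _client, qname, qtype = line.split()
        zone, sub = split_name(qname)
        z = zones[zone]
        z["queries"] += 1
        if qtype == "TXT":  # TXT/NULL answers carry the most downstream data
            z["txt"] += 1
        z["subdomains"].add(sub)
    out = {}
    for zone, z in zones.items():
        subs = z["subdomains"]
        out[zone] = {
            "queries": z["queries"],
            "unique_subdomains": len(subs),
            "txt_ratio": z["txt"] / z["queries"],
            "mean_len": sum(map(len, subs)) / len(subs),
            "mean_entropy": sum(map(shannon_entropy, subs)) / len(subs),
        }
    return out


def flag_tunnels(log_text, min_unique=8, min_len=20, min_entropy=3.0):
    """Zones whose names are numerous, long and random all at once."""
    return sorted(zone for zone, p in profile(log_text).items()
                  if p["unique_subdomains"] >= min_unique
                  and p["mean_len"] >= min_len
                  and p["mean_entropy"] >= min_entropy)


if __name__ == "__main__":
    for zone, p in profile(SAMPLE_DNS).items():
        print(zone, {k: round(v, 2) for k, v in p.items()})
    print("tunnel candidates:", flag_tunnels(SAMPLE_DNS))
```

Content-delivery and anti-malware vendors also generate many unique, high-entropy names, so in production the scoring is combined with a reputation or age check on the zone and with the per-client query volume; the three properties measured here are the starting point, not the whole rule.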
Conclusion: Strengthening Defenses Against Advanced Threats
The techniques outlined in this whitepaper highlight the critical need for a proactive and layered approach to security. By understanding and simulating the tactics used by adversaries, organizations can better prepare their defenses and reduce the risk of a successful breach.
Lares’ approach to security testing goes beyond traditional assessments, delivering a comprehensive suite of solutions to ensure that your organization is equipped to handle the most sophisticated threats.
For more information on how Lares can help secure your organization, visit www.lares.com.
To schedule a meeting with Lares you can access our scheduling tool here: go.lares.com/MeetWithLares