How a company gets compromised
I was speaking to a friend the other week who is learning cyber security and he wanted to know how a company gets compromised, as in, what the attacker actually does step by step. I decided to write this to run through what an adversary does. By no means is this exhaustive, but it covers all of the main stuff that I can think of.
Step 1: Getting a foothold
This can be achieved a few ways, such as an adversary plugging a computer into the company network, getting valid credentials and logging in over an exposed RDP server (valid creds might be phished or bought on the dark web), or sending a malicious email and tricking the user into downloading and executing a Cobalt Strike (or similar C2) beacon. Last time I read about this, purchasing valid credentials and logging in with them was the most common way that adversaries gain a foothold.
Step 2: Getting the lay of the land
Once the adversary has a foothold, they will start to learn more about where they’ve landed. They may run built-in tools in Windows/Linux to find out network or domain information, or use a tool like Nmap to scan the network. If they’ve landed on a victim’s computer, they will go through the victim’s files and folders, check installed programs, scripts, anything that may be of use for escalating privileges or moving laterally within the environment.
Step 3: The spread
Once the adversary is comfortable with their position, they will start to look for ways to either move laterally or escalate privileges. The idea is that they want to compromise the company computer systems fully, so even in the case of wanting to move laterally, it’s almost always in pursuit of escalating privileges.
Now at this stage there are many options, the adversary could:
- Conduct network protocol attacks
- Abuse excessive Active Directory permissions
- Scan SMB fileshares for plaintext credentials
- Abuse Active Directory Certificate Services (ADCS) configurations
I’ll go through each bullet point to give an idea of what the adversary may do, including tools they would use and commands.
Network protocol attacks (Man-in-the-middle)
There are a lot of network protocol attacks, and the conversation can get very technical very quickly, and I am trying to keep this high level, so I will go through the basics of a man-in-the-middle attack, a very common method to escalate privileges.
If the adversary is on the network, they can attempt to intercept traffic going to and from other computers on the network. Normal users, when they want to access something, often have to send their credentials because it requires authentication (this may happen unbeknownst to the user themselves, like when accessing a network share). This credential material being sent over the network could be intercepted by an adversary and relayed to another computer. So let’s say the adversary captures authentication material for Bob. The adversary can then relay Bob’s material and authenticate as Bob to whatever the adversary targets, sort of like impersonating Bob. The adversary ideally wants to relay privileged credentials, and this is a common method of privilege escalation. Additionally, the credential material is basically a hashed password, and that can be taken offline and cracked in a tool like Hashcat.
The tools used in this attack are: Responder, mitm6 and ntlmrelayx. If relaying, it’s always Responder/mitm6 and ntlmrelayx. If not relaying, it’s just Responder.
Poisoning a computer, intercepting credential material and relaying it would look something like this:
mitm6 -d company.com
<snip>
IPv6 address fe80::3283:3 is now assiged to mac=b8:d3:2a:84:04 host=BOBS-LAPTOP.company.com. ipv4=
<snip>
impacket-ntlmrelayx -t ldaps://dc01.company.com -6 -smb2support
<snip>
[*] Servers started, waiting for connections
[*] HTTPD(80): Connection from 10.10.20.30 controlled, attacking target ldaps://dc01.company.com
[*] HTTPD(80): Client requested path: /wpad.dat
[*] HTTPD(80): Serving PAC file to client 10.10.20.30
[*] HTTPD(80): Authenticating against ldaps://10.10.20.30 as COMPANY/DA_BOB SUCCEED
<snip>
Note both commands here are run simultaneously in two separate windows.
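A defender-side check for the relay described above, added here as an example and not code from the post or from the tools it names: on a domain controller, a relayed NTLM logon shows up in Security event 4624 as a network logon whose NTLM-supplied workstation name belongs to a different IP than the connection actually came from. The event records, the hostname-to-IP inventory and the relay host address 10.10.20.99 are constructed for the example.

```python
# Constructed hostname -> IP inventory (in practice pulled from DHCP leases, DNS or a CMDB).
INVENTORY = {
    "BOBS-LAPTOP": "10.10.20.30",
    "ALICE-PC": "10.10.20.31",
    "DC01": "10.10.10.5",
}

# Constructed Security event 4624 records, flattened to key=value fields as a SIEM would export them.
# Line 2 is the relay case: NTLM logon for DA_BOB naming BOBS-LAPTOP, but arriving from 10.10.20.99.
SAMPLE_EVENTS = """
EventID=4624|LogonType=3|AuthPackage=NTLM|User=COMPANY\\DA_BOB|Workstation=BOBS-LAPTOP|SourceIP=10.10.20.30
EventID=4624|LogonType=3|AuthPackage=NTLM|User=COMPANY\\DA_BOB|Workstation=BOBS-LAPTOP|SourceIP=10.10.20.99
EventID=4624|LogonType=3|AuthPackage=Kerberos|User=COMPANY\\alice|Workstation=ALICE-PC|SourceIP=10.10.20.31
EventID=4624|LogonType=3|AuthPackage=NTLM|User=COMPANY\\alice|Workstation=-|SourceIP=10.10.20.31
EventID=4624|LogonType=2|AuthPackage=NTLM|User=COMPANY\\bob|Workstation=BOBS-LAPTOP|SourceIP=127.0.0.1
"""


def parse_events(text):
    """Turn each key=value|key=value line into a dict."""
    return [dict(part.split("=", 1) for part in line.split("|"))
            for line in text.strip().splitlines()]


def find_relay_candidates(events, inventory):
    """Return (user, workstation, expected_ip, actual_ip) for NTLM network logons whose
    workstation name maps to a different IP than the TCP source. Kerberos logons are
    skipped (not relayable this way), as are logons with a blank or unknown workstation
    name, which need a separate rule rather than a guess."""
    hits = []
    for ev in events:
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
            continue
        if ev.get("AuthPackage") != "NTLM":
            continue
        workstation = ev.get("Workstation", "-").upper()
        expected_ip = inventory.get(workstation)
        actual_ip = ev.get("SourceIP", "")
        if expected_ip is None or expected_ip == actual_ip:
            continue
        hits.append((ev.get("User"), workstation, expected_ip, actual_ip))
    return hits


if __name__ == "__main__":
    for user, ws, expected, actual in find_relay_candidates(parse_events(SAMPLE_EVENTS), INVENTORY):
        print(f"possible NTLM relay: {user} claimed {ws} ({expected}) but connected from {actual}")
```

The mismatch is only a lead; the fix for the relay itself is requiring LDAP signing and channel binding on the DC so that a relayed session is rejected in the first place.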
Active Directory
Active Directory is complex, and it is very easy to have misconfigurations which can lead to privilege escalation.
An adversary would find as much information about Active Directory as possible, getting information on all users, computers, groups and permissions. To do this, they would use a tool called Bloodhound. Any user in a domain can enumerate all of Active Directory. Nothing is hidden. Bloodhound is the best tool for this, and it allows you to upload the data and have it graphed out so it’s really easy to read and understand all of the different connections and relationships between all of the things in Active Directory.
The adversary will analyse the AD configuration in Bloodhound and look for ways to escalate privileges. For example, perhaps all domain users are in a group that allows Remote Desktop Protocol (RDP) connections to a development server. If so, that means the adversary can connect to the development server (lateral movement) and perhaps find a way to obtain credentials of a privileged user such as a developer or administrator (privilege escalation). Developers are notorious for being bad at security, and they are often privileged due to their work, so no doubt there will be scripts with plaintext credentials somewhere on the computer.
Active Directory is a big beast, but this gives you an idea of what the adversary is looking for.
As stated above, the tool used here is Bloodhound, and to gather the data, the command is:
SharpHound.exe -c all -d company.com
When it’s uploaded into Bloodhound, the data is graphed and looks like this: (https://user-images.githubusercontent.com/17031267/48985201-6f587a00-f105-11e8-8355-98e38e08cc5e.png)
SMB Fileshares
This one is the easiest and feels like low hanging fruit. Basically the adversary will run a tool called Snaffler which will scan all network shares that the user has access to for sensitive data such as passwords. Very often, almost always, network share controls are excessive and normal users will have access to things they shouldn’t. It just takes a tool like Snaffler to find it.
Snaffler looks like this:
Snaffler.exe -d company.com
It will return an output of sensitive things found and colour code them according to the severity of the finding.
Active Directory Certificate Services
There are a few different ways authentication can be done in Active Directory, namely:
- NTLM
- Kerberos
- Certificates
Certificates are lesser known but extremely important if they are being used, because it is very easy for them to be misconfigured and allow for privilege escalation abuse.
The adversary will use a tool called Certify to scan the domain for an Active Directory Certificate Services server, basically the server that handles certificates. The tool will then enumerate the configuration and tell the adversary if there are any vulnerabilities. If there are, it’s almost always a path to privilege escalation, often total domain compromise.
It looks something like this:
Certify.exe find /vulnerable
<snip>
Action: Find certificate templates
Using the search base 'CN=Configuration,DC=company,DC=com'
Listing info about the Enterprise CA 'domain-CA'
Enterprise CA Name: company-CA
DNS HostName: company-ca.company.com
FullName: company-ca.company.com\company-CA
<snip>
Vulnerable Certificate Templates:
CA Name: company-CA
Template Name: UserAuthentication (or similar)
Version: version number
Validity Period: 2 years
Template-Name-Flag: ENROLLEE_SUPPLIES_SUBJECT
<snip>
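An audit of the ENROLLEE_SUPPLIES_SUBJECT finding shown above, added as an example and not code from the post or from Certify: it applies the usual conditions for this class of template misconfiguration (requester supplies the subject, no manager approval, no authorised signatures, an EKU that permits domain logon, and enrolment rights for broad groups) to template records and says what to change. The template records are constructed; the flag bits and EKU OIDs are the standard AD CS values.

```python
# Bit values from the template attributes AD CS stores in the Configuration partition.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag: requester picks subject/SAN
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag: CA manager approval required

# EKU OIDs that make a certificate usable for domain logon; an empty EKU list means "any purpose".
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
# Groups whose enrolment right means every domain account can request the certificate.
BROAD_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

# Constructed template records shaped like the attributes an audit tool reads from the CA.
TEMPLATES = [
    {"name": "UserAuthentication", "name_flag": 0x1, "enrollment_flag": 0x0, "ra_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
    {"name": "WebServer", "name_flag": 0x1, "enrollment_flag": 0x0, "ra_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.1"], "enroll": ["Domain Users"]},        # Server Authentication only
    {"name": "AdminApproved", "name_flag": 0x1, "enrollment_flag": 0x2, "ra_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},        # manager approval blocks it
    {"name": "User", "name_flag": 0x0, "enrollment_flag": 0x0, "ra_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},        # subject built from AD, not the request
    {"name": "PKIAdminOnly", "name_flag": 0x1, "enrollment_flag": 0x0, "ra_signatures": 0,
     "ekus": [], "enroll": ["PKI Admins"]},                             # narrow enrolment rights
]


def permits_domain_auth(ekus):
    """True when the EKU set (or its absence) allows the certificate to be used for logon."""
    return not ekus or bool(set(ekus) & AUTH_EKUS)


def esc1_findings(templates):
    """Return {template_name: remediation} for templates meeting every condition at once."""
    findings = {}
    for t in templates:
        if not t["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
            continue
        if t["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS or t["ra_signatures"] > 0:
            continue  # a human approver or a signing RA stands between request and issuance
        if not permits_domain_auth(t["ekus"]):
            continue
        broad = BROAD_PRINCIPALS & set(t["enroll"])
        if not broad:
            continue
        findings[t["name"]] = (f"{', '.join(sorted(broad))} can enrol and choose the subject of a "
                               f"logon-capable certificate; clear ENROLLEE_SUPPLIES_SUBJECT or require approval")
    return findings
```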
Step 4: Leapfrogging
Now an attacker, through any of the previous methods explained in Step 3, could already have achieved total domain compromise. However, it’s also possible that they escalated privileges, but not to the highest level like a domain admin.
In this situation, they may look to start dumping credentials from computers they have already compromised. Let’s say, for example, that they found developer credentials, and that developer is a member of an AD group that grants access to all development servers. And due to the nature of the work, that developer is local admin on all of those development servers. Effectively, the adversary has compromised all of those development servers by virtue of having the developer credentials. If you have full control over a computer, you can dump any credentials stored in memory on that computer. Due to how Active Directory and Windows work, if a domain administrator logs onto a development server, does whatever, and then logs off, his credentials remain in memory for a time. An adversary could use a tool like Mimikatz to basically steal those credentials out of memory.
Once the adversary has stolen the domain administrator credentials, it’s game over. But, it’s also possible they won’t get so lucky, and instead it will be credentials for another user. In that situation, the adversary will use that user’s credentials to log into whatever computers they control, and dump credentials for them as well. Then they will use those newly acquired credentials to log onto more computers and dump those, and so on and so forth. This is leapfrogging. I can’t remember if it’s a term people use or if I made it up, but that’s the idea. The adversary keeps hopping around and dumping creds all over the place until he finds his domain admin credentials.
Dumping credentials looks something like this:
mimikatz.exe
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # sekurlsa::logonpasswords
Authentication Id : 0 ; 324740 (00000000:0004f674)
Session : Interactive from 2
User Name : billy
Domain : COMPANY
SID : S-1-5-21-1982657326-1120658403-1608285990-1000
msv :
[00000003] Primary
* Username : test
* Domain : COMPANY
* NTLM : ce9e91f64345937af545eaf1f22d3bfb
* SHA1 : a299912af3ae2de9a4abf6c30a93b0ac3e9a8c10
tspkg :
* Username : company\billy
* Password : billypsw223!
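A detection for the credential dumping shown above, added here as an example rather than code from the post: it scans Sysmon Event ID 10 (ProcessAccess) records for any process opening lsass.exe with a right that allows reading its memory, from a binary that is not on an allowlist. The log lines and the allowlist are constructed; the access-mask bit values are the Windows constants.

```python
# Windows process access rights that matter for reading LSASS memory.
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# Constructed allowlist of binaries expected to open LSASS; tune to the OS build and EDR/AV in use.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed Sysmon Event 10 records flattened to key=value fields.
SAMPLE_EVENTS = r"""
EventID=10|SourceImage=C:\Windows\System32\csrss.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1FFFFF
EventID=10|SourceImage=C:\Users\dev\Downloads\mimikatz.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1010
EventID=10|SourceImage=C:\Windows\System32\Taskmgr.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1400
EventID=10|SourceImage=C:\Windows\System32\svchost.exe|TargetImage=C:\Windows\System32\svchost.exe|GrantedAccess=0x1010
EventID=1|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe
"""


def parse_events(text):
    """Turn each key=value|key=value line into a dict."""
    return [dict(part.split("=", 1) for part in line.split("|"))
            for line in text.strip().splitlines()]


def suspicious_lsass_access(events, allowlist=ALLOWED_SOURCES):
    """Return (source_image, granted_access) for every unlisted process that opened
    lsass.exe with VM_READ or VM_WRITE set. 0x1010 (QUERY_LIMITED_INFORMATION | VM_READ)
    is the classic sekurlsa::logonpasswords handle; a bare query handle such as Task
    Manager's 0x1400 cannot read memory and is not reported."""
    hits = []
    for ev in events:
        if ev.get("EventID") != "10":
            continue
        if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
            continue
        access = int(ev.get("GrantedAccess", "0x0"), 16)
        if not access & (PROCESS_VM_READ | PROCESS_VM_WRITE):
            continue
        source = ev.get("SourceImage", "").lower()
        if source in allowlist:
            continue
        hits.append((source, f"0x{access:X}"))
    return hits


if __name__ == "__main__":
    for source, access in suspicious_lsass_access(parse_events(SAMPLE_EVENTS)):
        print(f"LSASS memory access from unlisted process {source} (GrantedAccess {access})")
```

Alerting on the handle is the last line; the credentials would not have been in memory to steal if the domain administrator had not logged onto the development server with a domain admin account in the first place.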
Step 5: Victory
Once the adversary is domain admin (or enterprise admin, which is actually higher than domain admin), they can do whatever they want. Ransomware, steal secrets, turn off all the computers, put a meme as a wallpaper on everyone’s screen. There are a lot of ways for the adversary to win, and some of them are very easy. It’s important that companies have strong defences from top to bottom. Fortunately for hackers, most don’t.