Red Team Advanced Breaching Simulations
2021-04-28T13:14:58+00:00

Redbot Security’s Red Team

highly targeted breach and attack simulations

Your company’s ability to detect and respond to highly sophisticated threat actors will be the difference between a corporate strategy/planning exercise and making headline news. No matter how secure you think your company is now, security breaches can happen.

Real World – Redbot Security Red Team Attack

Redbot Security Red Team

real world breach and attack simulations that focus on goals

This is an actual attack that Redbot Security performed.

Stage 1

To start the engagement, our remote team attacked the external network while other Redbot Security Red Team engineers attacked the headquarters onsite.

Onsite red team members created fake badges using a remote RFID reader placed in a bag that captured RFID badge data from personnel exiting the headquarters building. Additionally, two outside RFID readers were bugged with devices to capture RFID badge data which could be retrieved wirelessly. With the planted devices, Redbot Security could also remotely open doors and use the created badges for inside access doors.

After entering the headquarters building, Redbot Security gained information such as hostnames, MAC addresses, and IP addresses from printers by printing their configuration pages. Using this information, Redbot Security changed its attacking virtual machine’s details to match different printers in the facility. This technique was used throughout the assessment to help avoid being caught by the SOC and to bypass NAC.

Mouse-jacking attacks were also performed against workstations to inject commands through vulnerable Bluetooth mouse and keyboard devices. Two devices successfully executed the commands and downloaded Redbot Security’s zip file containing a payload. Employees reported suspicious black command prompts to the help desk, who then alerted the SOC. The Darktrace security tool also alerted the SOC to suspicious zip file downloads.

While the mouse-jacking attack was underway, Redbot Security performed recon on the network using DNS scripts and tools to find systems that were present and to find which systems had port 445 open. During this recon phase, the defensive team was not aware of the scanning taking place.

Redbot Security also found that the conference room next to Redbot Security’s conference room had a system present that used an account, “bdroom”, which performed an auto-login to the system. By performing a memory dump on the system and analyzing it offline, Redbot Security obtained the credentials for the “bdroom” user. Redbot Security then used these credentials to access various file shares and to perform an attack called “Kerberoasting”, which allowed Redbot Security to obtain password hashes from Service Principal Names on the network.

During the engagement, Redbot Security also noticed that the Forescout user account would attempt to authenticate to Redbot Security over SMB any time Redbot Security changed its MAC address while on the network. Redbot Security exploited this behavior to relay the SMB hash (NetNTLMv2 hash) to systems that did not require SMB signing. As the Forescout user had local admin privileges over workstations on the network, Redbot Security could relay the Forescout hash to gain admin access to a system and extract local password hashes. However, commands could not be executed using this method against the majority of Windows 10 workstations, which had Microsoft’s Attack Surface Reduction (ASR) rules configured to prevent services and commands from being executed remotely via WMI and PsExec.

In addition to dumping local hashes, Redbot Security found several systems on the network that were missing the MS17-010 critical security update. This allowed Redbot Security to exploit the systems and gain IT administrator credentials from memory. Using the IT admin credentials, Redbot Security accessed the SolarWinds server and gained the “svcsolarwinds” domain admin credentials from the system.

Redbot Security used “svcsolarwinds” to extract the NTDS.dit from the US domain controller. This file contained all user passwords in NTLM format. Of 9800 NTLM hashes extracted, 1879 were cracked within 31 minutes, including passwords for privileged accounts such as a member of the RHEL_Admins group. Additionally, Redbot Security discovered that some credentials for critical service user accounts were stored with reversible encryption, allowing Redbot Security to obtain the passwords in cleartext without having to crack them.

Using the RHEL administrator credentials, Redbot Security accessed Splunk, Confluence, BitBucket, and Jenkins servers to gain additional information and access to other systems on the network. Documentation obtained from Confluence revealed the e-commerce environment architecture, including jump box host names, vCenter instances, and how to manage the environment. Due to excessive services enabled on the e-commerce Windows jump box, Redbot Security was able to bypass the Duo two-factor requirement on RDP to obtain a reverse shell on the host, which was then used to disable Duo and RDP into the system. Afterwards, Redbot Security accessed the VMware vCenter/vSphere instance using a Domain Admin account added to the VMware Admin domain group, permitting access to e-commerce hosts. Using the compromised RHEL admin credentials, Redbot Security gained access to the Power system, Payments system, and production Jenkins systems, and simulated exfiltration of credit card data from the payments system through the Jenkins system out of the environment over DNS.
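For readers who want to check their own environment against the findings above, here is an added example (it is not Redbot Security’s tooling or code from this page): a PowerShell audit that checks a domain-joined Windows host for four of the weaknesses the engagement exploited: AD accounts storing passwords with reversible encryption, SMB signing not being required (which is what makes NetNTLMv2 relay possible), the Attack Surface Reduction rule that blocks process creation from PsExec and WMI not being in block mode, and enabled user accounts carrying Service Principal Names (the Kerberoasting targets). It assumes the RSAT ActiveDirectory module and Microsoft Defender Antivirus are installed and that it runs as a domain user with read access; the rule GUID is Microsoft’s published identifier for that ASR rule, and the one-year password-age threshold is an assumption you can tune.

```powershell
# Added defender-side audit example; not Redbot Security's code.
# Assumes: RSAT ActiveDirectory module, Microsoft Defender Antivirus,
# and a domain user with read access to AD. Run on a domain-joined host.

Import-Module ActiveDirectory

# 1. Reversible encryption. userAccountControl bit 0x80 (decimal 128) is
#    ENCRYPTED_TEXT_PWD_ALLOWED; the LDAP matching rule OID below is a bitwise AND.
$reversible = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' `
    -Properties userAccountControl, servicePrincipalName |
    Select-Object SamAccountName, Enabled, @{ n = 'HasSPN'; e = { [bool]$_.servicePrincipalName } }
if ($reversible) {
    Write-Warning "Accounts storing passwords with reversible encryption:"
    $reversible | Format-Table -AutoSize | Out-String | Write-Output
}
# The setting can also be forced domain-wide by the Default Domain Password Policy.
$ddp = Get-ADDefaultDomainPasswordPolicy
if ($ddp.ReversibleEncryptionEnabled) {
    Write-Warning "Default Domain Password Policy enables reversible encryption for all users"
}

# 2. SMB signing on this host. Relay of a captured NetNTLMv2 response only works
#    against hosts where signing is not required, so both flags should be $true.
$smbServer = Get-SmbServerConfiguration
$smbClient = Get-SmbClientConfiguration
if (-not $smbServer.RequireSecuritySignature) {
    Write-Warning "SMB server signing is NOT required on $env:COMPUTERNAME"
}
if (-not $smbClient.RequireSecuritySignature) {
    Write-Warning "SMB client signing is NOT required on $env:COMPUTERNAME"
}

# 3. ASR rule "Block process creations originating from PSExec and WMI commands".
#    Action values: 0 = disabled/not set, 1 = block, 2 = audit, 6 = warn.
$asrPsexecWmi = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
$mp      = Get-MpPreference
$ids     = @($mp.AttackSurfaceReductionRules_Ids)
$actions = @($mp.AttackSurfaceReductionRules_Actions)
$action  = 0
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $asrPsexecWmi) { $action = [int]$actions[$i] }
}
if ($action -ne 1) {
    Write-Warning "ASR rule $asrPsexecWmi is not in Block mode (current action = $action)"
}

# 4. Kerberoasting exposure: enabled user accounts with an SPN. A long-lived
#    password on such an account is what makes an offline crack of the TGS
#    ticket worthwhile, so flag anything older than the assumed threshold.
$maxAgeDays = 365   # assumption; align with your service-account policy
$spnUsers = Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' `
    -Properties servicePrincipalName, PasswordLastSet, MemberOf |
    Select-Object SamAccountName, PasswordLastSet,
        @{ n = 'PasswordAgeDays'; e = { if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { -1 } } },
        @{ n = 'PrivilegedGroups'; e = { ($_.MemberOf | Where-Object { $_ -match 'Admin' }) -join ';' } }
$stale = $spnUsers | Where-Object { $_.PasswordAgeDays -gt $maxAgeDays -or $_.PasswordAgeDays -lt 0 }
if ($stale) {
    Write-Warning "Enabled accounts with SPNs and passwords older than $maxAgeDays days (Kerberoast targets):"
    $stale | Format-Table -AutoSize | Out-String | Write-Output
}
```

Run it from an elevated PowerShell session on a workstation or server; the SMB and ASR checks describe only the host you run it on, so they belong in a scheduled compliance check across the fleet, while the two AD queries are domain-wide and need to run only once. Accounts that appear in both the reversible-encryption and SPN lists are the first to fix, since that is exactly the combination that handed over cleartext service passwords in the engagement described above.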

Lastly, Redbot Security performed “use-case” scenarios in coordination with the blue-team to simulate threats on the environment such as the following:

  • Concurrent Login Attempts
  • Brute Force using 300 logins
  • Default account activity detected
  • Detect Excessive Account Lockouts from Endpoint
  • Added a new Domain Admin
  • Critical priority host with malware
  • Add user to PeopleSoft Linux group

Are you prepared for a real-world attack?

Redbot Security Red Team - Targeted attack simulations

Is your company secure? Are you confident? Test your incident response and ability to recover from a breach.

Typically, a penetration test will look for all vulnerabilities in a network or environment and attempt to exploit them, to determine not only the risk of the exploitable vulnerability, but also the overall risk and likelihood that this exploit will happen to the organization. Manual Controlled Penetration Testing is one of the most important parts of testing a company’s security controls and posture, helping organizations become aware of exploits and find best-practice remediation for the discovered vulnerabilities; however, your company may still need a Red Team. Think of a Red Team as a highly focused ninja looking to wreak havoc undetected and reach its flag in the smartest and quickest way possible.

Is your organization looking to test your SOC and threat detection skills? A Red Team will expose the true risk your company is facing with a sophisticated, targeted, highly focused attack. Are your detection and response capabilities lagging? Are your security engineers and analysts prepared to protect your most critical data and critical infrastructure? The best way to know is to hire Redbot Security’s Red Team to simulate the path a true, real-world bad actor would take if they were to target your organization.

Redbot Security Red Team Attack Simulation

For companies with mature security programs and solutions in place, ready to detect an attack, a Redbot Security Red Team Attack Simulation is the most comprehensive way to determine the real and true effectiveness of your security program and controls.

WHAT IS A RED TEAM ATTACK SIMULATION?

A Redbot Security Red Team Breach and Attack Simulation is a highly focused exercise that tests an organization’s defense, detection, and incident response capabilities. Redbot Security will design a customized scope with specific goals that properly emulate the threats you are currently facing. Our Red Team operators carry out real-world adversarial behavior and commonly used tactics, techniques, and procedures (TTPs) against which you can measure your program’s effectiveness and your team’s responsiveness in the context of an attempted breach. This enables you to pinpoint potential risks, including technical and organizational gaps in your cybersecurity defenses. By using custom tools, scripts, social engineering, malware, and cutting-edge real-world hacking techniques, Redbot Security can identify the gaps in your security monitoring, detection, and incident response, so your company stands strong, fully ready to defeat the multitudes of attackers.

If you have questions or want to determine whether your company is ready to defend against the best of the best, reach out to us to discuss your next red team engagement.

Our red team engineers have more than just penetration testing skills and also come equipped with deep knowledge in networks and physical security.

Redbot Security Red Team Experts

Redbot Security’s red team experts are equipped with additional skill sets, including network and physical security knowledge.

Personnel within our combined project team are Certified Incident Responders and Industrial Control System Certified (Incident Command System, FEMA, U.S. Department of Homeland Security Cyber Emergency Response Team, OPSEC, Influence of Common IT Components on ICS, Mapping IT Defense to ICS, Current Trends (Threats and Vulnerabilities) in ICS, IT and ICS Attack Methodologies, ICS Domains, Determining the Impacts of a Cybersecurity Incident). Certifications held include Certified Information Systems Security Professional (CISSP), Certified Cloud Security Professional (CCSP), GIAC Penetration Tester (GPEN), GIAC Web Application Penetration Tester (GWAPT), EC-Council Certified Ethical Hacker (C|EH), Certified Digital Forensic Examiner (CDFE) from the Defense Cyber Crime Institute (DCITA), DoD, Certified Digital Media Collector (CDMC) from the Defense Cyber Crime Institute (DCITA), DoD, Certified Information Assurance Security Officer (IASO), DoD, Penetration Certification, Security+, CCNP, CCNA, CCDP, CCDA, MCSE, A+, CWNA, CWDP, and a variety of firewall and network solution certifications.

Contact us to discuss your project!
