Operation Domain Dominance

A Tale of Complete Domain Takeover

  • Service Provided:
    Network/Host Penetration Testing
  • Client Industry:
    Contractor/Federal Government Agency
  • Company Size:
    30k+ Employees

Engagement Overview:

The client for this engagement supports a federal government agency with a significant online presence. The agency's digital assets, including its internal systems, servers, and domain controllers, are a critical component of its service delivery, serving thousands of employees and processing a large volume of sensitive data daily. The scope was a comprehensive network/host penetration test: identify vulnerabilities in the agency's Active Directory environment and assess whether the existing controls would stop an attacker who already had a foothold.

Our Approach:

The client provided us with a low-privileged domain user account in one of the agency's domains, which was the starting point of our testing. Using BloodHound, we collected group membership, session, and ACL data across the domain and identified a direct attack path from that user to the Domain Admins group.
With the path mapped, we moved laterally along it to a host on which a domain admin had an active logon session. To run our tooling on that host without being blocked, we obfuscated the payloads with in-house techniques that evaded the client's antivirus (AV) and endpoint detection and response (EDR) products.
Once on that host, we elevated from local administrator to SYSTEM using a repackaged Mimikatz binary (reading LSASS memory requires SYSTEM or SeDebugPrivilege) and extracted the NTLM hash of the logged-in domain admin from LSASS. This was the decisive step of the engagement: the credential material of a Domain Admin was now in our hands.
Armed with the domain admin's NTLM hash, we used pass-the-hash to authenticate as that account without knowing the cleartext password. With Domain Admin rights we dumped the password hashes of all roughly 30,000 domain accounts from the domain controller, demonstrating a complete domain takeover. Note that nothing in this chain required an unpatched vulnerability: it relied on a privileged account logging on to an ordinary host and on single-factor NTLM authentication being accepted domain-wide, which is why the remediation below focuses on layered controls rather than a single fix.

Engagement Outcome:

After demonstrating the domain takeover, we worked closely with the client to remediate the findings. This involved a review of the agency's administrative practices and authentication controls and the introduction of layered controls intended to break the chain described above at more than one point.
One significant finding was that a Domain Admin account was being used for normal user activities on an ordinary host. This violates the principle of least privilege and is what exposed the DA credential to anyone who gained local administrator rights on that machine. We advised the client to restrict Domain Admin accounts to domain controllers and dedicated administrative workstations, to use separate non-privileged accounts for daily work, and to enforce this technically (for example, with deny-logon Group Policy settings and membership in the Protected Users group, which also blocks NTLM authentication for those accounts and therefore pass-the-hash) rather than by policy alone.
Our analysis also revealed a weak password policy. After cracking a large share of the dumped hashes offline, we found that the existing policy did not adequately protect against common attack vectors such as wordlist and rule-based cracking. Because every domain hash had been exposed, all account passwords had to be reset, including a double reset of the krbtgt account, since its hash allows forged Kerberos tickets to be minted after the user resets. We assisted the client in implementing a stronger policy, incorporating minimum-length and complexity requirements, screening of new passwords against known-breached lists, credential rotation whenever compromise is suspected (as it was here), and multi-factor authentication, prioritizing privileged accounts.
This engagement underscored the value of penetration testing in finding the administrative habits and authentication weaknesses that let a low-privileged account become a domain takeover. By working closely with the client, we remediated the immediate risks and improved the overall security posture of the agency's digital assets; that collaboration is, in our experience, what makes an engagement successful.