Operation Domain Dominance

A Tale of Complete Domain Takeover

Service Provided: Red Team Assessment
Client Industry: Technology
Company Size: 5k+ Employees

Engagement Overview

This red team engagement was commissioned by a Fortune 500 technology company seeking to validate their security investments and test their incident detection and response capabilities. The objective was clear: gain access to the organization's most sensitive systems, including their Active Directory infrastructure, while evading detection by their security operations team.


Our Approach

Our red team began with extensive reconnaissance, gathering intelligence from public sources including social media, job postings, and corporate websites. This research helped us identify key personnel, technology stacks, and potential attack vectors.

The initial access vector was a carefully crafted spear-phishing campaign targeting employees in the IT department. We developed custom malware that would evade the client's endpoint detection and response (EDR) solution, delivered via a malicious document disguised as a vendor security report.

Within hours of launching the campaign, we had our first callback from a compromised workstation. From this initial foothold, we began mapping the internal network and identifying potential privilege escalation paths. We discovered several misconfigurations in Group Policy and outdated systems running vulnerable software.

Lateral movement was achieved through a combination of credential harvesting and exploitation of trust relationships between systems. We carefully timed our activities to avoid triggering alerts and used living-off-the-land techniques to blend in with normal administrative activity.

The culmination of our efforts came when we successfully compromised a Domain Controller, achieving full administrative access to the entire Active Directory forest. We demonstrated this access by creating a new domain administrator account and extracting the NTDS.dit database, which holds the password hashes for every account in the domain.


Engagement Outcome

Throughout the engagement, the client's security operations center (SOC) failed to detect our activities, highlighting significant gaps in their monitoring and alerting capabilities. Our debrief with the client included a detailed timeline of our attack path, the specific vulnerabilities and misconfigurations we exploited, and comprehensive recommendations for improvement.

Key findings included insufficient network segmentation, over-privileged service accounts, inadequate logging and monitoring, and gaps in email security controls. We worked with the client to prioritize remediation efforts and develop a roadmap for improving their overall security posture.

This engagement demonstrated the value of objective-based red team assessments in identifying real-world attack paths that traditional vulnerability assessments might miss. By thinking like an adversary and employing the same tactics used by advanced threat actors, we helped the client understand their true risk exposure and make informed decisions about their security investments.