// Slime Mold

Network Infrastructure

Network penetration testing examines IT assets for current security flaws and so improves their security posture. While the testing leans on the expertise of security engineers, it also incorporates standards such as MITRE ATT&CK® and the guidance in the joint NSA and CISA advisory "NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations". The process covers internal and external network mapping, protocol enumeration, port enumeration, software version enumeration, testing with the latest exploits, and reporting the findings.

Procedure

2 Environments

E01

VPN

Establish a secure and dedicated VPN connection tailored for the assessment. Once set up, share the necessary credentials and access parameters with the cybersecurity firm, ensuring that permissions are limited to the scope of the assessment.

E02

Virtual Machine

Create a Virtual Machine (VM) environment that mirrors the current network setup. This simulated environment, often referred to as a "sandbox," enables security experts to conduct tests and evaluations without posing risks to the live infrastructure.

Misconfigurations

10 Secure-by-Design Principles

Misconfigurations reveal systemic vulnerabilities and highlight the need to adopt these principles to aid network defenders.

  • Default credentials:
    • Commercial off-the-shelf (COTS) network devices often come with predefined default credentials for built-in administrative accounts.
    • Malicious actors exploit these credentials to gain unauthorized access to devices, including printers, scanners, security cameras, and IoT devices.
    • Default credentials can lead to lateral movement within a network, especially if devices like printers have privileged domain accounts loaded.
  • Default service permissions and configuration settings:
    • Some services may have vulnerable configurations by default. Commonly found misconfigurations include:
      • Insecure Active Directory Certificate Services (ADCS): ADCS manages Public Key Infrastructure (PKI) certificates within Active Directory (AD) environments. Misconfigurations can allow malicious actors to issue fraudulent certificates or escalate privileges. Examples of ADCS misconfigurations:
        • ADCS servers with web enrollment enabled, which can be exploited to obtain certificates for unauthorized access.
        • ADCS templates that allow low-privileged users to enroll and specify subject alternative names, leading to potential domain escalation.
      • Insecure legacy protocols/services: Vulnerable network services like Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) can be exploited for spoofing, poisoning, and relay techniques to gain unauthorized access.
      • Insecure Server Message Block (SMB) service: SMB is used primarily for file sharing. If SMB signing is not enforced, malicious actors can exploit it combined with name resolution poisoning to access remote systems without capturing and cracking hashes.
  • Administrators often assign multiple roles to a single account, allowing these accounts to access a wide range of devices and services.
  • A single compromised account can allow malicious actors to quickly move through a network without triggering detection measures.
  • Common account separation misconfigurations:
    • Excessive account privileges:
      • Overly permissive account privileges can increase risk exposure and attack surface.
      • Privilege creep, resulting from organizational changes, can lead to excessive access and privileges, making it easier for malicious actors to gain unauthorized access and escalate privileges.
    • Elevated service account permissions:
      • Service accounts, used by applications to access resources, often require elevated privileges.
      • Malicious actors target these accounts due to their elevated permissions and the ability to request access by any valid domain user.
      • Kerberoasting is a technique used by malicious actors to crack service account credentials and gain control over these accounts.
    • Non-essential use of elevated accounts:
      • IT personnel often use administrator accounts for day-to-day tasks, increasing the risk of compromise.
      • Malicious actors prioritize obtaining valid domain credentials to gain visibility into the target domain and discover elevated accounts.
      • Targeting elevated accounts performing daily activities provides a direct path for domain escalation, increasing the attack surface for adversaries.
  • Organizations may not optimally configure their host and network sensors for effective traffic collection and end-host logging.
  • Such insufficient configurations can result in undetected adversarial compromises and limit the capability to develop enhanced baselines and detect anomalous activity.
  • Examples of the impact of insufficient monitoring:
    • Lack of Comprehensive Monitoring: An assessment team observed an organization that had host-based monitoring but lacked network monitoring. While the organization could identify infected hosts, they couldn’t determine the source of the infection, making it challenging to prevent future lateral movements and infections.
    • Undetected Deep Access: An assessment team managed to gain persistent deep access to a large organization with a mature cybersecurity posture. Despite the team’s attempts at noisy activities to trigger a security response, the organization failed to detect the team’s lateral movement, persistence, and command and control (C2) activity.
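The monitoring gaps above are what let the Kerberoasting described under elevated service account permissions go unnoticed. The following is an added example (not code from the original page or the advisory) of the detection a defender would run over Windows Security event 4769 records: it flags a requester that obtains RC4/DES-encrypted service tickets for several service accounts in a short window. The event records, the time window and the threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of Windows Security event 4769 (Kerberos service ticket request)
# records, reduced to the fields the detection needs. Field names mirror the event:
# TargetUserName (requester), ServiceName (SPN account), TicketEncryptionType.
SAMPLE_EVENTS = [
    {"time": 1000, "user": "alice", "service": "svc_sql",      "etype": "0x17"},
    {"time": 1003, "user": "alice", "service": "svc_web",      "etype": "0x17"},
    {"time": 1005, "user": "alice", "service": "svc_backup",   "etype": "0x17"},
    {"time": 1009, "user": "alice", "service": "svc_exchange", "etype": "0x17"},
    {"time": 1010, "user": "bob",   "service": "WS01$",        "etype": "0x12"},  # computer account, AES
    {"time": 1012, "user": "carol", "service": "svc_sql",      "etype": "0x12"},  # ordinary AES request
    {"time": 1020, "user": "alice", "service": "krbtgt",       "etype": "0x17"},  # TGT account, ignored
]

WEAK_ETYPES = {"0x1", "0x3", "0x17"}  # DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC


def is_suspect(ev):
    """A weak-etype service ticket for a user (non-computer) service account is the
    Kerberoasting signature: such tickets can be cracked offline far faster than AES
    ones, so a requester that asks for them stands out."""
    svc = ev["service"]
    return (ev["etype"].lower() in WEAK_ETYPES
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def find_kerberoasting(events, window=300, min_distinct=3):
    """Return {requester: sorted service accounts} for requesters that obtained
    weak-etype tickets for at least `min_distinct` different service accounts within
    any `window`-second span. Both thresholds are assumptions to tune per domain."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if is_suspect(ev):
            by_user[ev["user"]].append(ev)
    alerts = {}
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            hit = {e["service"] for e in evs[i:] if e["time"] - first["time"] <= window}
            if len(hit) >= min_distinct:
                alerts[user] = sorted(hit)
                break
    return alerts


if __name__ == "__main__":
    for user, services in find_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {user}: {', '.join(services)}")
```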
  • Network segmentation involves creating security boundaries by separating different portions of the network.
  • Absence of network segmentation results in no security boundaries between user, production, and critical system networks.
  • This lack of segmentation:
    • Allows malicious actors to move laterally across various systems without any hindrance once they’ve compromised a resource on the network.
    • Increases vulnerability to ransomware attacks and post-exploitation techniques.
  • OT Environments at Risk: Insufficient segmentation between IT and operational technology (OT) environments endangers OT networks. Despite beliefs that OT networks are air-gapped and isolated from IT networks, assessment teams have often found connections, whether they are special purpose, forgotten, or accidental, that bridge the two, posing significant risks.
  • Vendors release patches and updates to address security vulnerabilities, and poor patch management practices can leave systems vulnerable to attacks.
  • Key issues related to poor patch management include:
    • Lack of regular patching:
      • Not applying the latest patches can expose systems to compromise from publicly available exploits.
      • Systems with known vulnerabilities are immediate targets for adversaries due to the ease of discovery through vulnerability scanning and open-source research.
      • Organizations should prioritize patching known exploited vulnerabilities.
      • Examples of exploited vulnerabilities in public-facing applications include:
        • CVE-2019-18935 in Telerik® UI for ASP.NET on a Microsoft IIS server.
        • CVE-2021-44228 (Log4Shell) in an unpatched VMware® Horizon server.
        • Multiple CVEs in an unpatched Zimbra® Collaboration Suite.
    • Use of unsupported operating systems (OSs) and outdated firmware:
      • Using software or hardware no longer supported by vendors poses significant security risks, as vulnerabilities are no longer patched.
      • Malicious actors can exploit these vulnerabilities to gain unauthorized access, compromise data, and disrupt operations.
      • Assessment teams often find organizations using unsupported Windows operating systems without critical updates like MS17-010 and MS08-067, which address remote code execution vulnerabilities.
  • Malicious actors can bypass system access controls by exploiting alternate authentication methods within an environment.
  • If an actor can collect hashes in a network, they can use these hashes for authentication through non-standard methods, such as:
    • Pass-the-hash (PtH) [T1550.002]: This technique allows attackers to mimic accounts without needing the clear-text password, enabling them to expand and solidify their access without being detected.
    • Kerberoasting: This is an efficient method for malicious actors to elevate privileges and move laterally across an organization’s network.
  • Misconfigured smart cards or tokens:
    • In certain networks, especially government or DoD networks, accounts may be required to use smart cards or tokens for authentication.
    • Multifactor requirements can be misconfigured, resulting in password hashes for accounts that never change.
    • Even if the actual password isn’t used due to the smart card or token requirement, the static password hash remains an alternative credential for authentication.
    • If a malicious actor obtains an account’s password hash, they can use it indefinitely via the Pass-the-Hash (PtH) technique as long as that account exists.
  • Lack of phishing-resistant MFA:
    • Some MFA forms are susceptible to phishing, “push bombing”, exploitation of the Signaling System 7 (SS7) protocol vulnerabilities, and “SIM swap” techniques.
    • Successful exploitation of these vulnerabilities can allow threat actors to access or bypass MFA-protected systems.
    • For instance, assessment teams have used voice phishing to trick users into providing missing MFA information. In one scenario, an assessment team, posing as IT staff, convinced a user to share their MFA code over the phone, granting the team access to the user’s email and other organizational resources.
  • Data shares and repositories are primary targets for malicious actors due to the valuable information they contain.
  • Improperly configured Access Control Lists (ACLs) can allow unauthorized users to access sensitive or administrative data on shared drives.
  • Methods used by malicious actors:
    • Actors employ commands, open-source tools, or custom malware to search for shared folders and drives.
      • For instance, in one compromise, actors used the net share and ntfsinfo commands to search network shares. They also deployed a custom tool, CovalentStealer, to identify file shares, categorize files, and upload them to a remote server.
      • Ransomware actors have utilized tools like SoftPerfect® Network Scanner and SharpShares to enumerate accessible network shares in a domain.
    • Once they gain access, malicious actors can collect and exfiltrate data from these shared drives and folders. This data can be used for extortion, intelligence gathering, or planning further network compromises.
    • Assessment teams often discover sensitive information on network shares, such as cleartext credentials for various accounts, including domain administrators.
    • Even if direct access isn't obtained from credentials in file shares, these shares can still provide valuable information about the target network, like its topology, service tickets, or vulnerability scan data.
    • Additionally, sensitive data and Personally Identifiable Information (PII) like scanned documents, social security numbers, and tax returns are often found on shared drives. This data can be exploited for extortion or social engineering purposes.
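The improperly configured ACLs this section describes are easy to audit once share permissions have been exported. The following is an added example (not code from the original page or the advisory) that grades each share's access control entries: any broad principal with write access is a high finding, and broad read access to a share whose name or path looks sensitive is a medium finding. The share records, the list of broad principals and the sensitivity keywords are constructed assumptions.

```python
# Audit file-share ACL entries for broad principals with access they should not have.
# Share records are constructed in the shape an export of share permissions gives:
# share name, local path, and a list of (principal, rights) access control entries.
BROAD_PRINCIPALS = {"everyone", "authenticated users", "domain users", "users"}
WRITE_RIGHTS = {"FullControl", "Modify", "Write"}
# Assumed keywords marking shares whose contents are sensitive even to read.
SENSITIVE_HINTS = ("admin", "hr", "finance", "backup", "it\\")

SAMPLE_SHARES = [
    {"share": "Public", "path": "D:\\Shares\\Public",
     "aces": [("Everyone", "Read"), ("Domain Users", "Modify")]},
    {"share": "HR", "path": "D:\\Shares\\HR",
     "aces": [("Authenticated Users", "Read"), ("HR-Staff", "Modify")]},
    {"share": "IT$", "path": "D:\\Shares\\IT\\Scripts",
     "aces": [("Domain Admins", "FullControl"), ("Domain Users", "FullControl")]},
    {"share": "Projects", "path": "D:\\Shares\\Projects",
     "aces": [("Project-Team", "Modify")]},
]


def audit_share(share):
    """Return [(severity, principal, rights)] for one share.
    high:   a broad principal can write (ransomware staging, script tampering)
    medium: a broad principal can read a share that looks sensitive"""
    name, path = share["share"].lower(), share["path"].lower()
    sensitive = any(h in name or h in path for h in SENSITIVE_HINTS)
    findings = []
    for principal, rights in share["aces"]:
        if principal.lower() not in BROAD_PRINCIPALS:
            continue
        if rights in WRITE_RIGHTS:
            findings.append(("high", principal, rights))
        elif sensitive:
            findings.append(("medium", principal, rights))
    return findings


def audit_shares(shares):
    """Map share name -> findings, keeping only shares with at least one finding."""
    return {s["share"]: f for s in shares if (f := audit_share(s))}


if __name__ == "__main__":
    for share, findings in audit_shares(SAMPLE_SHARES).items():
        for severity, principal, rights in findings:
            print(f"{severity:6} {share:10} {principal} has {rights}")
```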

Poor credential hygiene can enable threat actors to gain initial access, maintain persistence, move laterally, and conduct other malicious activities, especially when phishing-resistant MFA isn’t in place. This category includes:

  • Easily crackable passwords:
    • These are passwords that can be quickly guessed using minimal computing resources.
    • Common reasons for easily crackable passwords include short length (less than 15 characters) and lack of randomness (predictable or common passwords).
    • Such vulnerabilities arise from weak organizational password policies and inadequate user training.
    • Organizations should promote the use of password managers to help users generate and manage secure, random passwords.
    • Often, captured credentials are in the form of password hashes. To use these credentials, malicious actors might need to crack the hash to get the plaintext password. Tools like Hashcat, combined with password lists from public breaches, are commonly used for this purpose.
    • Assessment teams have cracked a significant portion of user passwords in networks, highlighting the vulnerability.
  • Cleartext password disclosure:
    • Storing passwords in cleartext poses a significant security risk. If malicious actors access these passwords, they can impersonate legitimate users, erasing any accountability.
    • Threat actors often search for files (text files, spreadsheets, documents, configuration files) that might contain cleartext passwords. Finding these can allow them to escalate their access levels rapidly.
    • Tools like Snaffler are commonly used to locate cleartext passwords in systems.
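Defenders should find cleartext passwords in their own files before an assessment team or an intruder does. The following is an added example (not code from the original page or any tool named above) of a small scanner over file contents: it matches the common key=value, stored "net use" and PowerShell -Password forms, discards template placeholders, and reports each hit with the value masked so the report itself does not become another cleartext disclosure. The file contents, patterns and placeholder list are constructed assumptions.

```python
import re

# Scan text that lives on file shares for cleartext credentials so that owners can
# rotate them and remove the files. Inputs below are constructed in memory.
CRED_PATTERNS = {
    "key=value":  re.compile(r'(?i)\b(?:password|passwd|pwd)\s*[=:]\s*["\']?(?P<secret>[^\s"\']{6,})'),
    "net use":    re.compile(r'(?i)\bnet\s+use\s+\S+\s+\S+\s+(?P<secret>\S+)\s+/user:'),
    "PowerShell": re.compile(r'(?i)-Password\s+["\']?(?P<secret>[^\s"\']{6,})'),
}
# Values that are templates rather than real secrets (assumed list).
PLACEHOLDERS = {"changeme", "<password>", "${password}", "xxxxxxxx", "********"}

SAMPLE_FILES = {
    "\\\\fs01\\IT\\deploy.bat": "net use Z: \\\\fs01\\backup S3cretB4ckup! /user:CORP\\svc_backup\r\n",
    "\\\\fs01\\IT\\app.properties": "db.user=appsvc\ndb.password=Winter2023!\n",
    "\\\\fs01\\IT\\template.ini": "[db]\npassword = changeme\n",
    "\\\\fs01\\Public\\notes.txt": "Remember the new wifi pwd: CorpGuest2024\n",
    "\\\\fs01\\Public\\README.md": "Set the password via the environment variable.\n",
}


def mask(secret):
    """Keep two characters so the owner can recognise the value; never log the rest."""
    return secret[:2] + "*" * (len(secret) - 2)


def scan_text(text):
    """Return [(line_no, pattern_name, masked_secret)] for one file's contents."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        for name, pat in CRED_PATTERNS.items():
            m = pat.search(line)
            if m and m.group("secret").lower() not in PLACEHOLDERS:
                hits.append((no, name, mask(m.group("secret"))))
    return hits


def scan_files(files):
    """Map path -> hits, keeping only files with at least one finding."""
    return {path: h for path, text in files.items() if (h := scan_text(text))}


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for no, name, masked in hits:
            print(f"{path}:{no} [{name}] {masked}")
```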

Unrestricted code execution allows unverified programs to run on hosts, providing a gateway for malicious actors to execute arbitrary and harmful payloads within a network. This category encompasses:

  • Initial Access via Phishing:
    • After deceiving a user through phishing, malicious actors often persuade the victim to execute code on their workstation. This typically involves running an unverified program that shouldn't be operating within the network.
  • Common Exploitation Techniques:
    • Both assessment teams and malicious actors frequently exploit unrestricted code execution using various methods:
      • Executables
      • Dynamic link libraries (DLLs)
      • HTML applications
      • Macros in office documents [T1059.005]
    • Scripting languages [T1059] are often used by actors to hide their activities [T1027.010] and bypass allowlisting measures. Allowlisting restricts applications and code by default, permitting only trusted entities.
  • Exploiting Vulnerable Drivers:
    • Malicious actors can load vulnerable drivers onto a system. By exploiting known vulnerabilities in these drivers, they can execute code in the kernel. This grants them the highest level of system privileges, allowing them to fully compromise the device [T1068].

Mitigations

The NSA and CISA have released a joint advisory highlighting common cybersecurity vulnerabilities and their countermeasures. They emphasize the importance of adhering to the Cross-Sector Cybersecurity Performance Goals, as well as frameworks like MITRE ATT&CK® and MITRE D3FEND. Key suggestions include updating default software settings, using unique credentials, and adopting robust multi-factor authentication. Manufacturers are encouraged to prioritize security during product development. Regular updates, strategic network segmentation, and strong passwords are also underscored. The aim is to deliver systems that are inherently secure, minimizing the security maintenance required by users.