Positive Technologies experts have published the results of their internal penetration testing work (for the report, 23 internal pentest projects from 2019 were selected from among the companies that allowed their anonymized data to be used). The analysis showed that almost half of an attacker's actions may be indistinguishable from the everyday activity of users and administrators.
The report states that in 2019 the testers managed to gain full control over the infrastructure of every tested company while acting as an internal attacker. As a rule, this took about three days, and in one network it took only 10 minutes. In 61% of companies, at least one simple way to gain control over the infrastructure was found, one that even a low-skilled attacker could use.
According to the experts, legitimate actions that allow an attack vector to be developed accounted for 47% of all pentester actions. These include, for example, creating new privileged users on network hosts, creating a memory dump of the lsass.exe process, dumping registry hives, or sending requests to a domain controller. All of these actions allow an attacker to obtain the credentials of corporate network users or the information needed to develop the attack further. The danger is that such actions are hard to distinguish from the normal activity of users or administrators, which means the attack goes unnoticed.
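The actions listed above leave traces in standard Windows logs even when they look routine. As an added example (not from the report or from Positive Technologies), the following Python detector correlates two of them over constructed sample events: a user account creation (Security event 4720) followed shortly by that account being added to a privileged group (4728/4732), and a non-allowlisted process opening lsass.exe with memory-read access (Sysmon event 10). The allowlist and the 15-minute window are assumptions to tune per environment.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample events, loosely modelled on Security and Sysmon log fields.
EVENTS = [
    {"time": "2019-06-03T10:02:11", "log": "Security", "id": 4720, "host": "WS07",
     "subject": "CORP\\jdoe", "target": "svc_backup"},
    {"time": "2019-06-03T10:02:15", "log": "Security", "id": 4732, "host": "WS07",
     "subject": "CORP\\jdoe", "group": "Administrators", "target": "svc_backup"},
    {"time": "2019-06-03T10:30:00", "log": "Sysmon", "id": 10, "host": "WS07",
     "source_image": "C:\\Tools\\procdump64.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1FFFFF"},
    {"time": "2019-06-03T10:31:00", "log": "Sysmon", "id": 10, "host": "WS07",
     "source_image": "C:\\Windows\\System32\\csrss.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1FFFFF"},
    {"time": "2019-06-03T11:00:00", "log": "Security", "id": 4720, "host": "WS09",
     "subject": "CORP\\hr_admin", "target": "intern"},
]

VM_READ = 0x10  # PROCESS_VM_READ bit in the GrantedAccess mask
# Assumed site-specific allowlist of processes that legitimately open lsass.exe.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins"}
WINDOW = timedelta(minutes=15)  # assumed correlation window for 4720 -> 4732

def _ts(event):
    return datetime.fromisoformat(event["time"])

def detect(events):
    """Return (rule, host, detail) tuples for the two patterns, in time order."""
    alerts = []
    created = {}  # (host, account) -> time of the 4720 that created it
    for e in sorted(events, key=_ts):
        if e["log"] == "Security" and e["id"] == 4720:
            created[(e["host"], e["target"].lower())] = _ts(e)
        elif e["log"] == "Security" and e["id"] in (4728, 4732) \
                and e["group"].lower() in PRIVILEGED_GROUPS:
            key = (e["host"], e["target"].lower())
            if key in created and _ts(e) - created[key] <= WINDOW:
                alerts.append(("new_privileged_user", e["host"],
                               f"{e['subject']} created {e['target']} and added it to {e['group']}"))
        elif e["log"] == "Sysmon" and e["id"] == 10:
            target = PureWindowsPath(e["target_image"]).name.lower()
            source = PureWindowsPath(e["source_image"]).name.lower()
            mask = int(e["granted_access"], 16)
            if target == "lsass.exe" and mask & VM_READ and source not in LSASS_ALLOWLIST:
                alerts.append(("lsass_memory_access", e["host"],
                               f"{source} opened lsass.exe with access {e['granted_access']}"))
    return alerts
```

Running detect(EVENTS) yields two alerts: the svc_backup account creation plus Administrators membership on WS07, and procdump64.exe reading lsass.exe; the csrss.exe access and the WS09 account creation without a group change produce nothing.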
“During attacks on internal networks, the architecture of the OS and the authentication mechanisms of Kerberos and NTLM are usually used to collect credentials and move between computers. For example, an attacker can extract credentials from OS memory using special utilities, such as mimikatz, secretsdump, procdump, or OS built-in tools, for example taskmgr, to dump the lsass.exe process memory. We recommend using current versions of Windows (above 8.1 on workstations or Windows Server 2012 R2 on servers). Privileged domain users should be included in the Protected Users group. In modern versions of Windows 10 and Windows Server 2016, Credential Guard technology is implemented that allows you to isolate and protect the lsass.exe system process from unauthorized access. For additional protection of privileged accounts, in particular domain administrators, it is worth using two-factor authentication,” says Dmitry Serebryannikov, director of security analysis at Positive Technologies.
Testing also showed that an attacker could exploit known vulnerabilities in outdated software versions to remotely execute arbitrary code on a workstation, escalate privileges, or obtain sensitive information. Most often, the experts encountered missing OS updates. According to the Positive Technologies pentest team, Windows vulnerabilities described in the 2017 security bulletin MS17-010 can still be found in 30% of companies, and in some even MS08-067 (October 2008).