Corey Ham leads the ANTISOC team at BHIS, delivering continuous pentesting services. When he’s not working, you’ll find him out in the woods or on a mountain somewhere.

This article was originally published in the ANTISOC Issue (Continuous Penetration Testing) of our free infosec zine, PROMPT#. Find it free online HERE or order your $3 physical copy on the Spearphish General Store.
ANTISOC uses a mix of techniques from traditional penetration tests: red teaming, cloud, web application, external, internal, and, of course, social engineering. We combine this mix of techniques with a wide-open scope, with the goal of going beyond what a typical pentest can discover.
Let’s dive into an example:
Carl was a helpdesk technician.
As one of only two technicians working for ACME Inc, he was responsible for anything and everything that users needed help with. Carl was always confused by how many users needed their passwords reset. How could people be so forgetful of something they use every day? This issue was compounded by the fact that the security team had recently added the requirement that all users must pick longer, more complex passwords. It was difficult to even describe to a user what the criteria were: 15 or more characters, including a variety of uppercase, lowercase, numerical, and special characters.

At first, he generated random passwords using the tool provided by the security team, but these were difficult to read to users over the phone. “M as in MARY, Janice, and by the way I think you need a new phone; I can barely hear you.” These random passwords were slowing things down too much. To save time, Carl came up with a secure password that was easy to dictate over the phone and met the password complexity requirements. He started assigning this password to all users who requested a reset, and it became second nature for him to recite it. He also set that password on any contractor accounts that expired because keeping track of all those different passwords was too complicated.
Carl figured the risks of doing this were minimal, as users would eventually change their passwords. What Carl didn’t realize is that when security changed the password policy to 15 characters, they also removed the requirement for users to change their passwords at a regular interval. This meant that over time, more and more users ended up using the identical password that had been set for them by Carl.
Eventually, an ANTISOC operator placed a social engineering phone call to Carl’s helpdesk and asked him to reset the password for a target user. Later, when the security team contacted him during an investigation, Carl found out that this particular password reset had led to an account compromise. The security team assured Carl that they had detected and contained the compromise, so he didn’t worry too much about it.

ANTISOC operators noted that the password set by Carl wasn’t random. They had obtained a listing of all users from Entra ID during post-exploitation and decided to spray Carl’s password across these accounts. This led to the compromise of more than 100 accounts that Carl had reset passwords for over the years.
Most of these accounts had multi-factor authentication (MFA) set up properly, but some had not been used in years and did not have MFA configured. ANTISOC operators slowly picked through each account, taking note of any accounts that had not completed MFA enrollment. They configured MFA for them and quietly enumerated what access they had. Some of this activity was detected by ACME Inc’s security team, but it was difficult for them to determine which accounts might be compromised, as they were not receiving full logs from Microsoft during the original password spray with Carl’s password.
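The spray of one helpdesk password across Entra ID accounts, followed by quiet MFA enrollment on stale accounts, is a shape a defender can hunt for in sign-in logs. The following is an added example, not code from the original article or from BHIS; the event fields and the sample events are constructed for illustration and are not the real Entra ID sign-in schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in log: (timestamp, user, source IP, result, event type).
# Field names and values are assumptions for this example, not the Entra ID schema.
EVENTS = [
    ("2024-03-01T09:00:00", "alice@acme.example", "203.0.113.7", "success", "signin"),
    ("2024-03-01T09:00:20", "bob@acme.example",   "203.0.113.7", "success", "signin"),
    ("2024-03-01T09:00:40", "carol@acme.example", "203.0.113.7", "success", "signin"),
    ("2024-03-01T09:01:00", "dave@acme.example",  "203.0.113.7", "failure", "signin"),
    ("2024-03-01T09:01:20", "erin@acme.example",  "203.0.113.7", "success", "signin"),
    ("2024-03-01T09:01:40", "frank@acme.example", "203.0.113.7", "success", "signin"),
    ("2024-03-01T09:30:00", "erin@acme.example",  "203.0.113.7", "success", "mfa_registered"),
    ("2024-03-01T10:15:00", "alice@acme.example", "198.51.100.4", "success", "signin"),
]

def parse(ev):  # ISO timestamp -> datetime; the other fields are passed through
    return (datetime.fromisoformat(ev[0]),) + tuple(ev[1:])

def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Map spraying IP -> distinct accounts it tried within one sliding window.
    Failures count too: with one guessed password most attempts miss."""
    by_ip = defaultdict(list)
    for ts, user, ip, _result, kind in map(parse, events):
        if kind == "signin":
            by_ip[ip].append((ts, user))
    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[ip] = users
                break
    return hits

def accounts_to_reset(events, spray_hits):
    """Accounts that authenticated successfully from a spraying IP: the password worked."""
    return {u for _t, u, ip, result, kind in map(parse, events)
            if kind == "signin" and result == "success" and ip in spray_hits}

def suspicious_enrollments(events, spray_hits, max_gap=timedelta(hours=2)):
    """Accounts that registered an MFA method from a spraying IP shortly after a
    successful sign-in from it: the attacker finishing enrollment on a stale account."""
    parsed = list(map(parse, events))
    logins = {(u, ip): t for t, u, ip, r, k in parsed if k == "signin" and r == "success"}
    flagged = set()
    for t, u, ip, _r, k in parsed:
        if k == "mfa_registered" and ip in spray_hits:
            first = logins.get((u, ip))
            if first is not None and timedelta(0) <= t - first <= max_gap:
                flagged.add(u)
    return flagged
```

Without complete sign-in logs from Microsoft, as in the story, the spray window cannot be reconstructed and the accounts needing a reset cannot be enumerated; the remediation step of confirming logging is functional is what makes this hunt possible.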
With a handful of accounts enumerated that had remote access via virtual desktops, ANTISOC operators deployed a command-and-control presence within ACME Inc’s internal network environment. Instead of using a commercial C2, like Cobalt Strike, ANTISOC used SSH to tunnel network traffic from their devices into the ACME Inc network. This, combined with persistence tactics that replaced the zoom.exe binary in the user’s profile, led to a long-term compromise of ACME Inc by ANTISOC operators.
ANTISOC operators did their best to circumvent detection on the internal network by avoiding common attacks targeting Active Directory. Instead, they searched SharePoint and discovered a file containing shared credentials for SaaS applications. Most of these passwords were inconsequential, but some were for business-critical applications, like the automated backup solution used by ACME Inc. Within the web portal for this backup solution, operators could view and modify the backup contents from every computer that had been automatically backed up.
This same access, in the hands of a ransomware group, would have been devastating to ACME Inc.
After all of this had been reported, ACME Inc knew it would take months or years to fix all these issues. First, they created alerts for as much as possible so that they would receive early warning signs. Next, they changed the affected passwords and disabled open enrollment of MFA factors. They deployed endpoint detection and response (EDR) on all VDIs (virtual desktop infrastructure) and made sure that logging from Microsoft Azure was functional. They also disabled local logins to the backup solution, requiring authentication via SSO to access this tool.

Explore PROMPT# and more… for FREE!
Get instant access to all issues of our self-published infosec zine, PROMPT#, as well as content like the Infosec Survival Guide and exclusive Darknet Diaries comics—all available at no cost.
You can check out all current and upcoming issues here: https://www.blackhillsinfosec.com/prompt-zine/