Incident Response to Domain Admin

How (not) to contain an incident

02 Sep 2024 - Proactive Labs

Here at Proactive Labs, we perform a range of different offensive security services, including Penetration Testing and Red Teaming. Red Teaming is a common type of engagement, offering our clients an insight into a realistic intrusion against their environment. Red Teaming is ultimately a test of an organisation's people, processes and technology used to defend their environment.

One of our recent Red Team engagements produced a story worth telling, which the client has given us permission to share. We won't name them, but we thank them for allowing us to tell it.

Shortly after we landed on a user endpoint, an EDR alert was generated, which informed the defensive team of a potential compromise. We had escalated to local administrator; however:

  • We wanted to laterally move to more important systems.
  • Our user wasn't privileged within the wider environment or on other hosts.
  • The machine account did not have any significant privileges within the domain.
  • LAPS was deployed, so credentials for local administrator accounts were not shared.

This is the point where we'd typically start trawling through file shares, looking for more methods of lateral movement in an attempt to escalate privileges more widely.

Our initial implant was running as regsvr32 within the compromised user's local folder. During escalation, we'd managed to inject our implant into a SYSTEM service.

Back to the EDR alert: the Incident Response (IR) team began their investigation. Instead of isolating the endpoint and the affected user, the IR team opted to connect to the compromised host over RDP and force us to log off.

Connecting to a compromised host is bad practice in general, even if handled correctly (such as connecting with the LAPS password or in Restricted Admin mode). It likely alerts the attacker that they've been flagged, opens up opportunities for lateral movement, and can potentially remove forensic artefacts from memory.

Even worse in this case, the IR team used their privileged domain account (a member of Domain Admins!) to connect to our machine.

Because we'd escalated to SYSTEM and had a second implant on the machine, extracting the user's NTLM hash was a breeze, and we quickly gained Domain Admin.
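One detection a defender can derive from this story: flag logons by tier-0 accounts (such as Domain Admins) that leave reusable credentials on a host outside the tier-0 boundary, while letting network logons through. This is an added example, not code from the original post; the account name, host names and the 4624-style events are constructed assumptions.

```python
import json
from dataclasses import dataclass

# Logon types that leave reusable credentials (NTLM hash, Kerberos TGT) in LSASS on the
# target: Interactive (2), RemoteInteractive/RDP (10), CachedInteractive (11). A Network (3)
# logon does not, which is why a DA running a remote command over WinRM is lower risk than RDP.
CREDENTIAL_EXPOSING_LOGON_TYPES = {2, 10, 11}

# Constructed assumptions: the tier-0 accounts to protect and the only hosts
# (domain controllers, privileged access workstations) they may log onto interactively.
TIER0_ACCOUNTS = {"corp\\ir-admin-da"}
TIER0_HOSTS = {"dc01", "paw01"}

@dataclass(frozen=True)
class Finding:
    account: str
    host: str
    logon_type: int
    source_ip: str

def check_event(event: dict) -> "Finding | None":
    """Return a Finding for a 4624 event where a tier-0 account performs a
    credential-exposing logon to a host outside the tier-0 boundary."""
    if event.get("EventID") != 4624:
        return None
    account = f"{event['TargetDomainName']}\\{event['TargetUserName']}".lower()
    host = event["Computer"].split(".")[0].lower()  # strip DNS suffix
    logon_type = int(event["LogonType"])
    if account not in TIER0_ACCOUNTS or host in TIER0_HOSTS:
        return None
    if logon_type not in CREDENTIAL_EXPOSING_LOGON_TYPES:
        return None
    return Finding(account, host, logon_type, event.get("IpAddress", "-"))

def scan(json_lines: str) -> list:
    """Run check_event over newline-delimited JSON events, skipping blank lines."""
    findings = []
    for line in json_lines.splitlines():
        if line.strip():
            finding = check_event(json.loads(line))
            if finding:
                findings.append(finding)
    return findings

# Constructed sample events modelled on Security 4624 fields (not real telemetry).
SAMPLE_EVENTS = """
{"EventID": 4624, "Computer": "WKS-FIN-07.corp.local", "TargetDomainName": "CORP", "TargetUserName": "ir-admin-da", "LogonType": 10, "IpAddress": "10.0.5.23"}
{"EventID": 4624, "Computer": "WKS-FIN-07.corp.local", "TargetDomainName": "CORP", "TargetUserName": "ir-admin-da", "LogonType": 3, "IpAddress": "10.0.5.23"}
{"EventID": 4624, "Computer": "DC01.corp.local", "TargetDomainName": "CORP", "TargetUserName": "ir-admin-da", "LogonType": 10, "IpAddress": "10.0.5.23"}
{"EventID": 4624, "Computer": "WKS-FIN-07.corp.local", "TargetDomainName": "CORP", "TargetUserName": "jsmith", "LogonType": 10, "IpAddress": "10.0.5.40"}
"""
```

Only the first sample line, the DA RDP session onto the workstation, is flagged; the network logon by the same account and the RDP session to the domain controller pass.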

When responding to an incident, ensure your team doesn’t make it worse by giving an attacker an easy opportunity to obtain domain dominance!