Full Report
Fortunately, they were professional red teamers. Unfortunately, they pwned the network
Analysis Summary
# Incident Report: Physical Breach and Network Escalation via Social Engineering
## Executive Summary
During a 2023 engagement, professional red teamers gained physical access to a corporate facility by posing as new IT employees and performing manual labor (shoveling snow) for the maintenance crew to build trust. This physical breach allowed for the installation of a rogue device (Raspberry Pi), which facilitated remote network compromise. By exploiting weak password policies and Active Directory Certificate Services (ADCS) vulnerabilities, the team achieved full Domain Admin privileges.
## Incident Details
- **Discovery Date:** The day following physical entry (Partially detected); Raspberry Pi discovered 2 weeks later.
- **Incident Date:** Winter 2023
- **Affected Organization:** Not disclosed (Client of Echelon Risk + Cyber)
- **Sector:** Not disclosed
- **Geography:** USA
## Timeline of Events
### Initial Access
- **Date/Time:** Winter 2023
- **Vector:** Social Engineering / Physical Security Breach
- **Details:** Red teamers exploited an open maintenance door. They built rapport with the maintenance crew by offering to shovel snow. Posing as new IT staff without badges, they convinced staff to swipe them into secure areas.
### Lateral Movement
- **Raspberry Pi Deployment:** A device with LTE and Ethernet was hidden behind trash cans in a conference room.
- **Network Mapping:** Remote access via the Pi allowed the team to map the network and locate Domain Controllers.
- **Credential Spraying:** Used seasonal passwords (e.g., "winter2023!") to compromise 50-60 employee accounts.
- **ADCS Exploitation:** Enumerated Active Directory Certificate Services to identify misconfigurations.
### Data Exfiltration/Impact
- **Privilege Escalation:** Successfully escalated to Domain Administrator access.
- **Network Control:** Full control over the identity infrastructure and access to network shares.
### Detection & Response
- **Discovery:** The maintenance team attempted to thank the IT department for the "new hires'" help with shoveling. IT confirmed no such employees existed.
- **Initial Response:** Security reviewed CCTV and attempted to track the rental car license plate.
- **Failed Remediation:** Despite knowing of an intrusion, security failed to locate the rogue Raspberry Pi, which remained active for two weeks until found by a janitor.
## Attack Methodology
- **Initial Access:** Social Engineering (Tailgating/Persuasion).
- **Persistence:** Rogue hardware (Raspberry Pi) hidden in a conference room.
- **Privilege Escalation:** Exploiting ADCS vulnerabilities (ESC1, ESC4, and ESC8).
- **Defense Evasion:** Physical concealment (hidden behind trash cans); blending in via "Ski Mask Bias" (acting like they belonged).
- **Credential Access:** Password spraying (seasonal/weak passwords).
- **Discovery:** Network scanning and AD enumeration.
- **Lateral Movement:** SMB/Network shares via compromised user credentials.
- **Impact:** Total Domain Compromise.
## Impact Assessment
- **Financial:** High potential risk (remediation costs and potential for data ransom).
- **Data Breach:** Full access to all data governed by Active Directory.
- **Operational:** Maintenance and IT silos allowed the intruders to remain active even after a suspicious event was reported.
- **Reputational:** Demonstrated significant gaps in physical security and employee awareness.
## Indicators of Compromise
- **Network:** Unexpected LTE traffic from within the building; unauthorized MAC addresses on conference room Ethernet ports.
- **File:** N/A (Focus on identity/certificate-based attacks).
- **Behavioral:** Maintenance staff "vouching" for unbadged individuals; seasonal password patterns used in rapid succession.
## Response Actions
- **Containment:** (Post-test) Removal of the Raspberry Pi by janitorial staff.
- **Eradication:** Revocation of rogue certificates and patching of ADCS templates.
- **Recovery:** Implementation of stricter physical access controls.
## Lessons Learned
- **The "Ski Mask Bias":** Employees often only recognize "crime" if it looks like a Hollywood heist; helpful/friendly behavior is rarely questioned.
- **Siloed Security:** The physical security/maintenance team and the IT team did not have a unified protocol for verifying new hires.
- **Incomplete Sweeps:** After an intrusion is confirmed, a comprehensive physical sweep for rogue devices is mandatory.
## Recommendations
1. **Physical Security Training:** Implement "No Badge, No Access" policies for all staff, including maintenance and contractors.
2. **Network Access Control (NAC):** Ensure NAC (e.g., 802.1X) is enforced on *all* ports, including those in public areas like conference rooms and AV closets.
3. **Password Policy:** Enforce complex passwords and prohibit seasonal/predictable patterns.
4. **Multi-Factor Authentication (MFA):** Deploy MFA across the entire environment to nullify the impact of successful password spraying.
5. **ADCS Hardening:** Audit and secure ADCS templates to prevent ESC1, ESC4, and ESC8 exploitation.