Response to CISA Advisory (AA24-326A): Enhancing Cyber Resilience: Insights from CISA Red Team Assessment of a US Critical Infrastructure Sector Organization
2024-11-23 03:25:39 Author: securityboulevard.com

On November 21, 2024, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) released a Cybersecurity Advisory (CSA) providing details on a Red Team Assessment (RTA) they conducted at the request of a U.S. critical infrastructure organization to evaluate its cybersecurity defenses. The team gained initial access to the target by exploiting an internet-facing Linux web server, moved through the organization’s DMZ, and ultimately compromised its domain and sensitive business systems (SBS). This assessment highlighted lessons for improving detection, prevention, and resilience against adversarial tactics.

Note that based on the sensitivity of the critical infrastructure organization, and the red team engagement that was carried out, some of the technical implementation-specific information was not contained in the advisory. The recommendations that follow include a selection of scenarios that can be used to emulate some of the techniques mentioned in the advisory.

Persistence

The Red Team establishes persistence on Linux servers with the cron utility. For this technique AttackIQ recommends the following scenario:

  • Scenario: Cron Job Persistence and Execution

The Red Team created a local administrator account on the targeted system. For this technique AttackIQ recommends the following scenario:

  • Scenario: Create Account
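Both persistence techniques above leave traces in standard Linux syslog: `crontab` logs every crontab rewrite, and `useradd`/`usermod` log account creation and group changes. The following detector is an added example, not code from the advisory or from AttackIQ; it runs over constructed syslog lines embedded inline and flags the three events a defender would want surfaced (a crontab replaced, a new local user, and that user joining an administrative group). The header regex follows the traditional `Mon DD HH:MM:SS host prog[pid]: msg` layout and the list of administrative groups is an assumption to adapt to your distribution.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines (not taken from the advisory): a crontab
# rewrite by a web-server service account, a new local user, and that user
# being added to the sudo group. The final CRON line is routine and must
# not be flagged.
SAMPLE_SYSLOG = """\
Nov 21 02:14:07 web01 crontab[4821]: (www-data) REPLACE (www-data)
Nov 21 02:14:07 web01 crontab[4821]: (www-data) LIST (www-data)
Nov 21 02:15:33 web01 useradd[4870]: new user: name=svc_backup, UID=1003, GID=1003, home=/home/svc_backup, shell=/bin/bash
Nov 21 02:15:40 web01 usermod[4877]: add 'svc_backup' to group 'sudo'
Nov 21 03:00:01 web01 CRON[5102]: (root) CMD (/usr/lib/sysstat/sa1 1 1)
"""

# Groups whose membership grants local administrative rights (assumed list;
# adjust for your distribution).
ADMIN_GROUPS = {"sudo", "wheel", "admin", "root"}

# Traditional syslog layout: "Mon DD HH:MM:SS host prog[pid]: message".
HEADER = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w.-]+)\[\d+\]: (?P<msg>.*)$"
)
CRON_REPLACE = re.compile(r"^\((?P<user>[^)]+)\) REPLACE \(")          # crontab rewritten
NEW_USER = re.compile(r"^new user: name=(?P<user>[^,]+)")               # useradd
GROUP_ADD = re.compile(r"^add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")  # usermod


@dataclass
class Finding:
    host: str
    technique: str
    user: str
    detail: str


def detect_linux_persistence(syslog_text: str) -> list[Finding]:
    """Return one Finding per crontab rewrite, local account creation, or
    addition of an account to an administrative group."""
    findings = []
    for line in syslog_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        host, prog, msg = m["host"], m["prog"], m["msg"]
        if prog == "crontab" and (c := CRON_REPLACE.match(msg)):
            findings.append(Finding(host, "cron_persistence", c["user"], msg))
        elif prog == "useradd" and (u := NEW_USER.match(msg)):
            findings.append(Finding(host, "local_account_created", u["user"], msg))
        elif prog == "usermod" and (g := GROUP_ADD.match(msg)) and g["group"] in ADMIN_GROUPS:
            findings.append(Finding(host, "added_to_admin_group", g["user"], msg))
    return findings


if __name__ == "__main__":
    for f in detect_linux_persistence(SAMPLE_SYSLOG):
        print(f"{f.host} {f.technique:<24} {f.user:<12} {f.detail}")
```

A crontab rewrite by a web-server service account such as `www-data` is rarely legitimate and is a good candidate for a high-severity rule on its own; the `LIST` line shows why the regex keys on `REPLACE` rather than on any `crontab` activity.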

Credential Access

The Red Team leveraged a modified version of Rubeus to acquire a ticket-granting ticket (TGT) and a New Technology Local Area Network Manager (NTLM) hash, then used this ticket to gain administrative access to a host. For this technique AttackIQ recommends the following scenario:

  • Scenario: Kerberoasting using Obfuscated Rubeus

The Red Team used DCSync to acquire the hash of several privileged accounts, including domain, enterprise, and server administrators. For this technique AttackIQ recommends the following scenario:

  • Scenario: DCSync Attack
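DCSync is detectable because a replication request against a domain controller, when directory service access auditing is enabled, produces Windows Security event 4662 whose Properties field carries the replication control-access right GUIDs. The detector below is an added example, not from the advisory or AttackIQ; it runs over constructed 4662 records embedded inline (field names follow the event's EventData) and reports any subject that is not on an allowlist of accounts expected to replicate. The allowlist contents are an assumption for your environment.

```python
import re

# Control-access right GUIDs that appear in the Properties field of a
# Windows Security event 4662 when a directory replication request is audited.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # access-mask bit set for control-access rights
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

# Accounts expected to replicate: DC machine accounts plus any directory
# synchronisation service accounts your environment uses (assumed values).
REPLICATION_ALLOWLIST = {"DC01$", "DC02$"}

# Constructed events (not from the advisory). DC02$ is a domain controller
# replicating normally; jsmith is a user account asking for the same rights,
# which is the DCSync pattern. The third record holds an unrelated,
# constructed GUID and the fourth is a different event ID; both are ignored.
SAMPLE_EVENTS = [
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectUserName": "DC02$",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectUserName": "jsmith",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectUserName": "jsmith",
     "AccessMask": "0x100",
     "Properties": "{00000000-0000-0000-0000-000000000000}"},
    {"EventID": 4624, "Computer": "DC01.corp.example", "SubjectUserName": "jsmith"},
]


def detect_dcsync(events, allowlist=REPLICATION_ALLOWLIST):
    """Return (subject, computer, [right names]) for each 4662 event in which a
    non-allowlisted account exercised a replication control-access right."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        if int(ev.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS == 0:
            continue
        subject = ev["SubjectUserName"]
        if subject in allowlist:
            continue
        rights = [REPLICATION_RIGHTS[g]
                  for g in GUID_RE.findall(ev.get("Properties", "").lower())
                  if g in REPLICATION_RIGHTS]
        if rights:
            findings.append((subject, ev["Computer"], rights))
    return findings


if __name__ == "__main__":
    for subject, computer, rights in detect_dcsync(SAMPLE_EVENTS):
        print(f"possible DCSync: {subject} on {computer} requested {', '.join(rights)}")
```

Directory synchronisation products (for example the Microsoft Entra Connect service account) legitimately hold these rights, so the allowlist should be derived from an inventory rather than from whatever is currently replicating; a DCSync from an account that is not a DC or a known sync service is a strong signal on its own.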

Discovery

The Red Team conducted a scan from inside the network to enumerate ports on target workstations, servers and domain controllers. They also scanned SMB port 445/TCP. For this technique AttackIQ recommends the following scenarios:

  • Scenario: Open Ports Checker
  • Scenario: Scan for Remote Systems with SMB, RDP, or LDAP Ports Open

The Red Team queried the Lightweight Directory Access Protocol over SSL (LDAPS) to collect information about users, groups, group policy objects (GPOs), and access control lists (ACLs). For this technique AttackIQ recommends the following scenarios:

  • Scenario: Permission Groups Discovery Script
  • Scenario: Domain Administrator Accounts Discovery Via Net Command Script
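Internal port scanning of the kind described under Discovery shows up in flow or firewall logs as one source touching many destination ports on a host, or one port (here 445/TCP) across many hosts, inside a short window. The detector below is an added example, not from the advisory or AttackIQ; it buckets constructed connection records by source and a fixed time window and reports both patterns. The thresholds and window size are assumptions to tune against your own baseline.

```python
from collections import defaultdict

# Constructed connection records (not from the advisory): epoch timestamp,
# source host, destination host, destination TCP port. ws17 probes ten
# ports on srv02 and then port 445 on twelve hosts; ws03 is routine traffic.
_BASE = 1_732_154_400  # a multiple of 300, so ws17's records share one bucket
_PROBED_PORTS = (22, 80, 135, 139, 389, 443, 636, 1433, 3389, 5985)
SAMPLE_FLOWS = (
    [{"ts": _BASE + i, "src": "ws17", "dst": "srv02", "dport": p} for i, p in enumerate(_PROBED_PORTS)]
    + [{"ts": _BASE + 10 + h, "src": "ws17", "dst": f"10.0.0.{h}", "dport": 445} for h in range(1, 13)]
    + [{"ts": _BASE + 30, "src": "ws03", "dst": "fs01", "dport": 445},
       {"ts": _BASE + 31, "src": "ws03", "dst": "dc01", "dport": 389}]
)


def detect_scans(flows, window_s=300, port_threshold=8, smb_host_threshold=10):
    """Return (src, kind, dst, count) tuples: 'vertical_scan' when one source hits
    >= port_threshold distinct ports on one host within a window, 'smb_sweep' when
    it reaches port 445 on >= smb_host_threshold distinct hosts within a window."""
    buckets = defaultdict(list)  # (src, window start) -> records
    for f in flows:
        buckets[(f["src"], f["ts"] // window_s * window_s)].append(f)

    findings = []
    for (src, _start), recs in buckets.items():
        ports_by_dst = defaultdict(set)
        smb_hosts = set()
        for r in recs:
            ports_by_dst[r["dst"]].add(r["dport"])
            if r["dport"] == 445:
                smb_hosts.add(r["dst"])
        for dst, ports in ports_by_dst.items():
            if len(ports) >= port_threshold:
                findings.append((src, "vertical_scan", dst, len(ports)))
        if len(smb_hosts) >= smb_host_threshold:
            findings.append((src, "smb_sweep", None, len(smb_hosts)))
    return findings


if __name__ == "__main__":
    for src, kind, dst, count in detect_scans(SAMPLE_FLOWS):
        print(f"{src}: {kind} target={dst or 'many'} count={count}")
```

Fixed buckets are cheap and good enough for a first rule; a scan that straddles a bucket boundary can slip under the thresholds, so production logic usually moves to a sliding window or lowers the thresholds for workstation sources, which have little reason to probe servers at all.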

Lateral Movement

Upon obtaining valid SSH private keys of user and service accounts, the Red Team was able to move laterally to other Linux hosts. For this technique AttackIQ recommends the following scenario:

  • Scenario: Lateral Movement Through SSH
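Lateral movement with stolen SSH private keys is visible in `sshd` logs: every successful key login records `Accepted publickey for <user> from <ip> ... <keytype> SHA256:<fingerprint>`, so the same key can be followed across hosts. The detector below is an added example, not from the advisory or AttackIQ; it parses constructed `sshd` lines embedded inline and flags a known key used from a source outside its baseline, and any key/source pair that fans out to several hosts. The baseline mapping and fan-out threshold are assumptions.

```python
import re
from collections import defaultdict

# OpenSSH key-based login line (traditional syslog header assumed).
SSHD_ACCEPTED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2: "
    r"(?P<keytype>\S+) (?P<fp>SHA256:\S+)$"
)

# Constructed auth log lines (not from the advisory). The deploy key is
# normally used from the CI runner 10.0.5.10; later the same key is used
# from 10.0.20.44 against three different hosts. The fingerprint is made up.
SAMPLE_AUTH = """\
Nov 21 04:01:12 app01 sshd[2201]: Accepted publickey for deploy from 10.0.5.10 port 51022 ssh2: ED25519 SHA256:constructedFingerprintDeployKey
Nov 21 04:02:40 app02 sshd[1188]: Accepted publickey for deploy from 10.0.5.10 port 51030 ssh2: ED25519 SHA256:constructedFingerprintDeployKey
Nov 21 04:31:07 app02 sshd[1302]: Accepted publickey for deploy from 10.0.20.44 port 40112 ssh2: ED25519 SHA256:constructedFingerprintDeployKey
Nov 21 04:31:55 db01 sshd[905]: Accepted publickey for deploy from 10.0.20.44 port 40120 ssh2: ED25519 SHA256:constructedFingerprintDeployKey
Nov 21 04:32:30 db02 sshd[911]: Accepted publickey for deploy from 10.0.20.44 port 40131 ssh2: ED25519 SHA256:constructedFingerprintDeployKey
"""

# Assumed baseline from an asset inventory: the source addresses each known
# key is expected to be used from.
KEY_BASELINE = {"SHA256:constructedFingerprintDeployKey": {"10.0.5.10"}}


def parse_sshd(auth_text):
    """Return one dict per 'Accepted publickey' line; other lines are skipped."""
    return [m.groupdict() for m in map(SSHD_ACCEPTED.match, auth_text.splitlines()) if m]


def detect_ssh_key_misuse(auth_text, baseline=KEY_BASELINE, fanout_threshold=3):
    """Return ('key_from_unexpected_source', fp, src, host) for each login of a
    baselined key from a source not in its baseline, and ('key_fanout', fp, src, n)
    for each key/source pair that reached >= fanout_threshold distinct hosts."""
    findings = []
    hosts_by_key_src = defaultdict(set)
    for e in parse_sshd(auth_text):
        expected = baseline.get(e["fp"])
        if expected is not None and e["src"] not in expected:
            findings.append(("key_from_unexpected_source", e["fp"], e["src"], e["host"]))
        hosts_by_key_src[(e["fp"], e["src"])].add(e["host"])
    for (fp, src), hosts in hosts_by_key_src.items():
        if len(hosts) >= fanout_threshold:
            findings.append(("key_fanout", fp, src, len(hosts)))
    return findings


if __name__ == "__main__":
    for kind, fp, src, detail in detect_ssh_key_misuse(SAMPLE_AUTH):
        print(f"{kind}: key {fp} from {src} -> {detail}")
```

Centralising `sshd` logs is what makes this work; a key pivoting from server to server is invisible when each host only keeps its own `auth.log`. Keys that legitimately roam (an administrator's laptop) need a wider baseline, which is a reason to prefer short-lived certificates or a bastion for interactive access.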

Command and Control

The Red Team utilized domain fronting to conceal outbound traffic, creating diversified communication channels between the domains and the persistent beacons. For this technique AttackIQ recommends the following scenario:

  • Scenario: Web Request Communication – Domain Fronting

Exfiltration

The Red Team sent 1GB of mock sensitive information to an external host. For this technique AttackIQ recommends the following scenario:

  • Scenario: Exfiltrate Files over HTTP
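The Command and Control and Exfiltration techniques above both leave a footprint at the web proxy. Domain fronting relies on the TLS Server Name Indication (SNI) naming one site while the HTTP Host header inside the tunnel names another, which a proxy that performs TLS inspection can compare; a 1GB transfer to an external host shows up as unusually large client-to-server byte counts to a single destination. The detector below is an added example, not from the advisory or AttackIQ, covering both passages; it runs over constructed proxy records embedded inline. The record fields, the internal address ranges and the 500 MB threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 ranges treated as internal (assumed; extend with your own prefixes).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

MiB = 1024 * 1024

# Constructed proxy records (not from the advisory): epoch timestamp, client,
# server IP, TLS SNI, HTTP Host header seen after inspection, bytes the client
# sent. The first three show fronting (SNI cdn.example.net, Host another site);
# the next four are 256 MiB uploads to one external host; the last is a large
# internal transfer that the exfiltration check must ignore.
SAMPLE_PROXY = [
    {"ts": 1732154400, "src": "10.0.1.20", "dst_ip": "203.0.113.10", "sni": "cdn.example.net",
     "host": "cdn.example.net", "bytes_out": 4096},
    {"ts": 1732154460, "src": "10.0.1.20", "dst_ip": "203.0.113.10", "sni": "cdn.example.net",
     "host": "beacon.example.org", "bytes_out": 2048},
    {"ts": 1732154500, "src": "10.0.1.20", "dst_ip": "203.0.113.10", "sni": "cdn.example.net",
     "host": "beacon.example.org", "bytes_out": 1024},
    *[{"ts": 1732155000 + 120 * i, "src": "10.0.1.20", "dst_ip": "198.51.100.7",
       "sni": "files.example.com", "host": "files.example.com", "bytes_out": 256 * MiB}
      for i in range(4)],
    {"ts": 1732155100, "src": "10.0.1.20", "dst_ip": "10.0.9.5", "sni": "wiki.corp.internal",
     "host": "wiki.corp.internal", "bytes_out": 900 * MiB},
]


def is_external(ip):
    """True when the address is outside every internal prefix."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_fronting(records):
    """Return distinct (src, sni, host) triples where the inspected Host header
    names a different site than the SNI presented in the TLS handshake."""
    seen, out = set(), []
    for r in records:
        if r["sni"] and r["host"] and r["sni"].lower() != r["host"].lower():
            key = (r["src"], r["sni"].lower(), r["host"].lower())
            if key not in seen:
                seen.add(key)
                out.append(key)
    return out


def detect_bulk_upload(records, threshold_bytes=500 * MiB, window_s=3600):
    """Return (src, dst_ip, total_bytes) for each client/external-server pair whose
    client-sent bytes within one fixed window reach threshold_bytes."""
    totals = defaultdict(int)
    for r in records:
        if not is_external(r["dst_ip"]):
            continue
        totals[(r["src"], r["dst_ip"], r["ts"] // window_s)] += r["bytes_out"]
    return [(src, dst, total) for (src, dst, _w), total in totals.items() if total >= threshold_bytes]


if __name__ == "__main__":
    for src, sni, host in detect_fronting(SAMPLE_PROXY):
        print(f"possible domain fronting: {src} SNI={sni} Host={host}")
    for src, dst, total in detect_bulk_upload(SAMPLE_PROXY):
        print(f"bulk upload: {src} -> {dst} {total / MiB:.0f} MiB")
```

The SNI/Host comparison only works where the proxy decrypts traffic; without inspection, the fallback is volume and timing analysis on the encrypted sessions, which the second function illustrates. A chunked upload spread across windows will dilute the per-window total, so pair the volume rule with a longer daily aggregate per destination.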

Detection and Mitigation Opportunities

Given the number of different techniques being utilized by these threats, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends reviewing CISA’s recommendations and focusing on the techniques emulated in our previously released assessment template.

1. Review CISA’s Patching and Detection Recommendations:

CISA has provided a considerable number of recommendations for the best ways to defend yourself from these and similar attacks. AttackIQ strongly recommends first reviewing the detection and mitigation recommendations and adapting them to your environment, to determine whether you are already affected, before reviewing the assessment results.

Wrap-up

In summary, the recommendations as described in this post are a good starting point for evaluating the effectiveness of your security personnel, processes and controls against these and similar threats. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against commonly used vulnerabilities.

AttackIQ offers a comprehensive Breach and Attack Simulation Platform to assist security teams. This includes AttackIQ Flex, a tailored pay-as-you-go service; AttackIQ Ready!, a fully managed service for continuous security optimization; and AttackIQ Enterprise, a co-managed service offering enhanced support. These services ensure your team maintains a robust security posture.


*** This is a Security Bloggers Network syndicated blog from AttackIQ authored by Ayelen Torello. Read the original post at: https://www.attackiq.com/2024/11/22/response-to-cisa-advisory-aa24-326a/


Article source: https://securityboulevard.com/2024/11/response-to-cisa-advisory-aa24-326a-enhancing-cyber-resilience-insights-from-cisa-red-team-assessment-of-a-us-critical-infrastructure-sector-organization/