
Goliath Cyber - Internal Vulnerability & Penetration Testing 

Description of Work

Internal Vulnerability and Penetration Test

Using a remote field system or virtual machine inside the client environment, Goliath Cyber will perform three (3) different tests on the customer network. These tests are performed from three roles: non-authenticated, domain user, and domain administrative user.

Non-Authenticated Testing

Taking the vantage point of a rogue insider with no credentials or account, and using no prior information about the client environment, Goliath Cyber will perform an assessment of the network covering the items below. These items also map to, and can be referenced against, the MITRE ATT&CK framework. Each element of testing has a publicly available, referenceable T# associated with

Recon and Discovery 

Goliath Cyber will attempt to locate all assets and hosts on the customer network and map each asset to its IP address, hostname, and joined domain (where the discovered assets are Windows machines). This gives the customer insight into what is on their network and whether all devices on the network are company-approved devices. These results are presented to the client prior to any scanning and enumeration to confirm the scope of the assessment. Testing during this phase includes the following elements.

  • Active Scanning and Vulnerability Identification (T1595)
  • Host Identification and Fingerprinting (T1592)
  • Network Enumeration and Identification (T1590, T1589)
  • Account Discovery (T1087)
  • Cloud Infrastructure Discovery (T1580)

Once this testing is complete, the results are compiled and used for further testing against the corporate network. 

Threat Emulation and Killchain Testing

Using common vulnerabilities exploited both by white hat penetration testers and by black hat hackers, Goliath Cyber will attempt to gain domain administrative access using techniques known to typically evade antivirus and SIEM/EDR systems. These methods include chaining man-in-the-middle weaknesses such as lack of SMB signing, LLMNR, and WPAD with more advanced evasion techniques such as WMIExec, C# shellcode runners, and domain fronting while exfiltrating data, amongst other techniques. Some of these methods are advanced and are only required if the network has a very mature security posture. Various Resource Development and Initial Access techniques are used during this phase, including the following.

  • Compromise Infrastructure (T1586)
  • Establish Accounts (T1585)
  • Obtain and Stage Capabilities (T1588 and T1608)
  • Trusted Relationships (T1199)
  • Valid Accounts (T1078)

Analysis and Exploitation

Using data and findings gained during vulnerability scanning, Goliath Cyber will examine the vulnerabilities and affected systems and determine the best course of exploitation for each vulnerability. The goal of this phase is to compromise the host without causing stability issues or triggering any defensive mechanisms.

Goliath Cyber will evaluate how effective the installed AV product is and whether it can be bypassed. This process is designed to detect blind spots within the antivirus product and identify any configuration changes that could be made to further strengthen the installed AV.

The tactics used during this phase include the following.

  • Command and Scripting Interpreter (T1059)
  • Exploitation for Client Execution (T1203)
  • Native Windows API (T1106)
  • Windows Management Instrumentation (T1047)
  • System Services (T1569)

Credential Access and Abuse

Credential Access consists of techniques for stealing and abusing hashes, account names, passwords, and other items that could lead to host, network, or domain compromise. Some elements of this phase overlap with prior phases in the engagement process.

  • Adversary-in-the-Middle (T1557)
  • Brute Forcing (T1110)
  • Credentials and Password Stores (T1555)
  • Exploitation For Credential Access (T1212)
  • Forced Authentication (T1187)
  • Modify Authentication Process (T1556)
  • Network Sniffing (T1040)
  • OS Credential Dumping (T1003)
  • Kerberos Abuse (T1558)

Lateral Movement

Lateral movement consists of techniques that threat actors use to enter and control remote systems and to rapidly spread to other systems on the network. This involves pivoting through multiple systems and accounts to gain privileged access to critical systems on the network. Elements of lateral movement include the following.

  • Lateral Tool Transfer (T1570)
  • Remote Service Session Hijacking (T1563)
  • Remote Services (T1021)
  • Software Deployment Tools (T1072)
  • Alternate Authentication Methods (T1550)

The above will be used when user and/or local administrative access is gained on the hosts that are deemed in scope for the engagement.

Domain User Authenticated Testing

Using either account information provided by the customer or account information gained during the assessment, Goliath Cyber will use a regular domain user account to examine the following areas of the client environment as they relate to Active Directory, group policy, privilege, and device and network hardening.

  • Group Policy Discovery (T1615)
  • File and Directory Discovery (T1083)
  • Network Share Discovery (T1135)
  • Password Policy Discovery (T1201)
  • Peripheral Device Discovery (T1120)
  • Permission Group Discovery (T1069)
  • Process Discovery (T1057)
  • Remote System Discovery (T1018)
  • Software Discovery (T1082)
  • System Service Discovery (T1007)

Where relevant, findings and recommendations will be made on each of the above areas. 

Domain Administrative Authenticated Testing

Using domain administrative credentials, Goliath Cyber will log into each machine on the customer domain and perform the following tests. 

Patching Audit

By logging into each machine on the domain, Goliath Cyber will audit missing KBs and patches, and registry changes that are indicative of missing patches, identifying deficiencies within the patch management system and process.

Running Services Audit

Goliath Cyber will log into each machine and determine which services are running on it. The goal of this assessment is to determine whether the machines are running malicious or non-business-related software, identify the affected machine(s), and guide remediation of those services and the associated findings.
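A defender-side script for the two audits above (patching and running services), added here as an illustration and not Goliath Cyber's own tooling. It assumes WinRM/CIM access to each host with domain administrator rights; the host names, KB IDs, and approved-service list are placeholders to be replaced with a baseline built from a known-good reference machine.

```powershell
# Added example, not Goliath Cyber's tooling: per-host patching and running-services audit.
# Assumes domain admin rights and WinRM/CIM reachability; all baseline values are placeholders.

$Hosts = @('HOST-PLACEHOLDER-01', 'HOST-PLACEHOLDER-02')   # replace with in-scope hosts

# Constructed list of KBs the patch management process should have deployed (placeholder IDs)
$RequiredKBs = @('KB0000001', 'KB0000002')

# Constructed allowlist of service names expected to run on a standard domain workstation;
# build the real list from a known-good reference host, not from memory
$ApprovedServices = @('Dnscache', 'EventLog', 'LanmanWorkstation', 'Schedule', 'WinDefend', 'wuauserv')

function Get-HostAuditFindings {
    param([string]$ComputerName)
    $findings = @()

    # Patching audit: KBs in the baseline that are absent on the host
    try {
        $installed = (Get-HotFix -ComputerName $ComputerName -ErrorAction Stop).HotFixID
        foreach ($kb in $RequiredKBs) {
            if ($installed -notcontains $kb) {
                $findings += [pscustomobject]@{ Host = $ComputerName; Type = 'MissingPatch'; Item = $kb }
            }
        }
    } catch {
        $findings += [pscustomobject]@{ Host = $ComputerName; Type = 'Error'; Item = "Get-HotFix: $_" }
    }

    # Running-services audit: running services not on the approved allowlist, with binary path
    try {
        $running = Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName -ErrorAction Stop |
                   Where-Object { $_.State -eq 'Running' }
        foreach ($svc in $running) {
            if ($ApprovedServices -notcontains $svc.Name) {
                $item = "$($svc.Name) -> $($svc.PathName)"
                $findings += [pscustomobject]@{ Host = $ComputerName; Type = 'UnapprovedService'; Item = $item }
            }
        }
    } catch {
        $findings += [pscustomobject]@{ Host = $ComputerName; Type = 'Error'; Item = "Get-CimInstance: $_" }
    }
    return $findings
}

# Run the audit across all in-scope hosts, show the results, and keep a CSV for the findings matrix
$results = foreach ($h in $Hosts) { Get-HostAuditFindings -ComputerName $h }
$results | Sort-Object Host, Type | Format-Table -AutoSize
$results | Export-Csv -Path '.\domain-audit-findings.csv' -NoTypeInformation
```

Hosts that fail to answer are recorded as 'Error' rows rather than silently skipped, so coverage gaps show up in the same output as the findings.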

Documentation

Our report will include an executive summary, high-level recommendations for remediation, and a detailed technical findings section. The executive summary will reiterate the scope and purpose of the project and list the key findings discovered during the assessment. A brief synopsis of remediation recommendations will follow the executive summary, highlighting the steps the customer can take to mitigate risk. The technical findings section will be compiled into a matrix by finding, and each finding will include the risk severity level, systems impacted, a description of the finding, a business risk summary, recommendations for remediation, and the remediation effort level.

Project Documentation includes a combined report including:

  • Executive Level Summary of Findings and Recommendations
  • A quantitative overall risk score based on the average and impact of discovered vulnerabilities.
  • Managerial-level results from the penetration assessment, including a narrative walkthrough of the steps performed based on the project timeline.
  • Technical Findings of identified vulnerabilities, risk level, and recommendations for correction.
  • Presentation of Findings