A key differentiator of the NodeZero platform is that it autonomously navigates through your environment, choosing which exploit to run next depending on what it encounters, just as a threat actor does. It’s dynamic, not prescripted.
Here is a detailed description of a NodeZero autonomous attack that chained two weaknesses to achieve domain compromise in 33 minutes, 9 seconds.
NodeZero:
1. NodeZero was launched from host 10.0.222.200.
2. NodeZero discovered the host 10.0.4.4.
3. NodeZero discovered the Java service on 10.0.4.4 port 1099.
4. NodeZero discovered H3-2020-0022: Insecure Java JMX Configuration affecting the Java service on 10.0.4.4 port 1099. The JMX/RMI endpoint accepted connections without authentication, so anyone able to reach the port can load an MBean and execute code as the user running the JVM.
5. NodeZero retrieved the file C:\Windows\win.ini via the RCE vulnerability. Reading a harmless, always-present file is the proof of code execution; no sensitive data is touched.
6. NodeZero loaded a Remote Access Tool on host 10.0.4.4 to enable post-exploitation of H3-2020-0022: Insecure Java JMX Configuration.
7. NodeZero leveraged the Remote Access Tool, running as administrator on 10.0.4.4, to discover H3-2021-0042: Credential Dumping – Security Account Manager (SAM) Database. The tool inherited the Java service's privileges, so the service running as administrator is what made the SAM readable.
8. NodeZero discovered an NTLM hash for cbr-user by exploiting H3-2021-0042: Credential Dumping – Security Account Manager (SAM) Database.
9. NodeZero discovered Domain Controller 10.0.4.1 (dc01.pod04.h3airange.internal).
10. NodeZero discovered the SMB service on domain controller 10.0.4.1 (dc01.pod04.h3airange.internal) port 445.
11. NodeZero verified the credential for domain admin cbr-user in domain POD04.H3AIRANGE.INTERNAL on the SMB service on domain controller 10.0.4.1 (dc01.pod04.h3airange.internal) port 445. No cracking was required: the NTLM hash taken from the local SAM authenticated directly to the domain controller (pass-the-hash), which means the local cbr-user account and the domain admin account shared the same password.
Proof that NodeZero achieved domain compromise and domain user compromise after 33 minutes, 9 seconds.
During the attack NodeZero leveraged 2 weaknesses:
- H3-2020-0022: Insecure Java JMX Configuration (Java service on 10.0.4.4 port 1099)
- H3-2021-0042: Credential Dumping – Security Account Manager (SAM) Database (10.0.4.4)
The attack path involved 1 compromised credential:
- NTLM hash for cbr-user, a domain admin in POD04.H3AIRANGE.INTERNAL
The attack spanned 2 hosts:
- 10.0.4.4 (Java/JMX service; Remote Access Tool staged here)
- 10.0.4.1 (dc01.pod04.h3airange.internal, domain controller)
Once a domain is fully compromised, all hosts, domain user accounts, data, infrastructure, and applications tied to that domain should be considered fully compromised. Additionally, applications running on a domain-joined machine or any application that uses Active Directory integration to authenticate users should be considered fully compromised.
Remediating the Insecure Java JMX Configuration weakness would eliminate an estimated 28% of the critical impact paths found in this environment, because it is the initial foothold for this chain. Fixing the JMX exposure alone does not remove the other two conditions the chain relied on, the Java service running as administrator and the password shared between a local account and a domain admin account; both should be corrected as well. NodeZero provides guidance to remediate each issue it identifies.
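To turn that remediation guidance into a check you can run yourself, the following added example (not NodeZero's or Horizon3's code) audits `jps -lv` output for the flag combination that produces H3-2020-0022 and emits the corrected flag set for the same port. The process lines, class names, pids and the /etc/jmx paths are constructed for this example.

```python
"""Audit JVM command lines for the remote-JMX misconfiguration behind
H3-2020-0022.  Added example, not NodeZero's code.

Feed it the output of `jps -lv` (pid, main class, JVM options) from the hosts
you manage.  A JVM that sets com.sun.management.jmxremote.port and explicitly
turns authentication off is reachable over RMI (port 1099 in the attack above)
by anyone who can reach the port, and an MBean loaded through it runs code as
the JVM's user.  The sample input at the bottom is constructed for this example.
"""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional

JMX = "com.sun.management.jmxremote"


@dataclass
class JmxFinding:
    pid: str
    main_class: str
    port: Optional[str]               # None -> remote JMX not enabled
    issues: List[str] = field(default_factory=list)

    @property
    def insecure(self) -> bool:
        return bool(self.issues)


def parse_jvm_props(jvm_args: str) -> Dict[str, str]:
    """Collect -Dkey=value system properties from a JVM argument string."""
    props: Dict[str, str] = {}
    for tok in shlex.split(jvm_args):
        if tok.startswith("-D"):
            key, _, val = tok[2:].partition("=")
            props[key] = val
    return props


def audit_jmx(pid: str, main_class: str, jvm_args: str) -> JmxFinding:
    """Flag the two settings that turn a management port into an RCE primitive."""
    props = parse_jvm_props(jvm_args)
    port = props.get(f"{JMX}.port")
    finding = JmxFinding(pid, main_class, port)
    if port is None:
        # Without jmxremote.port the agent only allows local attach, so an
        # authenticate=false flag on its own is noise, not network exposure.
        return finding
    # Once the port is set, the JVM defaults both of these to "true"; each has
    # to be switched off explicitly to reach the state NodeZero exploited.
    if props.get(f"{JMX}.authenticate", "true").lower() == "false":
        finding.issues.append(
            f"remote JMX on port {port} with authenticate=false: unauthenticated RCE")
    if props.get(f"{JMX}.ssl", "true").lower() == "false":
        finding.issues.append(
            f"remote JMX on port {port} with ssl=false: credentials and traffic in cleartext")
    return finding


def audit_jps_output(text: str) -> List[JmxFinding]:
    """Run audit_jmx over every line of `jps -lv` output."""
    findings = []
    for line in text.splitlines():
        parts = line.split(None, 2)          # pid, main class, remaining JVM args
        if len(parts) < 2:
            continue
        jvm_args = parts[2] if len(parts) == 3 else ""
        findings.append(audit_jmx(parts[0], parts[1], jvm_args))
    return findings


def hardened_flags(port: str, conf_dir: str = "/etc/jmx") -> List[str]:
    """Corrected flag set for the same port: authentication on, TLS on, and an
    access file limiting who may invoke MBeans.  conf_dir is an assumed path;
    the two files must exist and be readable only by the service account."""
    return [
        f"-D{JMX}.port={port}",
        f"-D{JMX}.authenticate=true",
        f"-D{JMX}.ssl=true",
        f"-D{JMX}.password.file={conf_dir}/jmxremote.password",
        f"-D{JMX}.access.file={conf_dir}/jmxremote.access",
    ]


# Constructed `jps -lv` output: one exposed JVM, one with TLS off but auth on,
# and one whose authenticate=false is harmless because no remote port is set.
SAMPLE_JPS_LV = """\
4412 org.example.Inventory -Xmx2g -Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false
5120 org.example.Billing -Dcom.sun.management.jmxremote.port=9010 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.password.file=/etc/jmx/jmxremote.password
6001 org.example.Worker -Xmx1g -Dcom.sun.management.jmxremote.authenticate=false
"""

if __name__ == "__main__":
    for f in audit_jps_output(SAMPLE_JPS_LV):
        print(f"{f.pid:>6} {f.main_class:<22} {'INSECURE' if f.insecure else 'ok'}")
        for issue in f.issues:
            print(f"       - {issue}")
    print("\nhardened replacement for pid 4412:\n  " + " ".join(hardened_flags("1099")))
```

Only the first process is the NodeZero case: a management port plus authentication explicitly disabled. The audit deliberately ignores authenticate=false when no port is set, a common false positive, and treats ssl=false with authentication on as a weaker finding rather than RCE. Running the hardened flag set back through the same audit yields no issues, which is a cheap regression check to keep in a build pipeline.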