Prepared For: CISO, FinCorp Global
Date: February 7, 2026
Engagement ID: RT-2026-001
1. Document Control
This document contains proprietary information. Unauthorized distribution is strictly prohibited.
| Version | Date | Author | Changes |
|---|---|---|---|
| 0.1 | Jan 22, 2026 | Red Team Lead | Initial Draft & Analysis |
| 1.0 | Feb 07, 2026 | Senior Consultant | Final Review & Remediation Mapping |
2. Executive Summary
Overview:
FinCorp Global commissioned a Red Team assessment to evaluate the resilience of its internal network against a sophisticated external adversary. The operation was conducted over a 5-day period (Jan 15 - Jan 20, 2026).
The Red Team successfully compromised the organization's "Crown Jewels" (CEO's confidential merger plans) within 96 hours. The critical failure point was a lack of "Defense in Depth" — once the perimeter was breached via a development server, internal lateral movement was unimpeded due to excessive service account privileges.
Key Statistics
- Time to Initial Compromise: 4 Hours
- Time to Domain Admin: 48 Hours
- Blue Team Detection Rate: 25% (1 out of 4 major attacks detected)
Attack Path: (External) Jenkins Server ➔ (Internal) Dev VLAN ➔ Kerberoasting ➔ Domain Controller ➔ CEO Workstation
3. Scope & Rules of Engagement
The assessment followed the MITRE ATT&CK framework to emulate the tactics, techniques and procedures (TTPs) of realistic threat actors.
| In-Scope Assets | Description |
|---|---|
| 192.168.10.0/24 | Corporate User Network |
| 10.10.5.0/24 | Development Servers (Entry Point) |
| *.fincorp.com | External Web Applications |
Tools & Artifacts Used
The following tools were utilized during the engagement. Blue Team should reference these for IoC (Indicator of Compromise) hunting.
4. Detailed Attack Narrative
This section details the chronological steps taken by the Red Team to achieve the objectives.
Phase 1: Initial Access (The Breach)
Date: Jan 15, 09:30 AM
Technique: T1190 - Exploit Public-Facing Application
The Red Team performed open-source intelligence (OSINT) gathering and identified a sub-domain dev.fincorp.com running an outdated version of Jenkins. The instance allowed unauthenticated access to the /script console.
We executed the following Groovy script to establish a reverse shell back to our Command & Control (C2) server:
Impact: This provided us with a foothold inside the network as the nt authority\system user on the Jenkins server.
Phase 2: Internal Recon & Lateral Movement
Date: Jan 16, 02:15 PM
Technique: T1558.003 - Kerberoasting
Using the initial foothold, we deployed SharpHound to map the Active Directory trust relationships. We identified a Service Account named svc_sql_backup that had a Service Principal Name (SPN) set.
We requested a TGS ticket for this account and cracked it offline within 20 minutes. The password was weak: Password123!.
Phase 3: Domain Dominance
Date: Jan 17, 11:00 AM
Technique: T1003.006 - DCSync
Further analysis revealed that the svc_sql_backup user was a member of the "Backup Operators" group and had additionally been granted the DS-Replication-Get-Changes-All extended right on the Domain Controller. This is a critical misconfiguration.
We utilized mimikatz to perform a DCSync attack, effectively impersonating a Domain Controller to request the password hash of the Administrator account.
5. Technical Findings (Vulnerabilities)
CVSS Score: 9.8 (Critical)
Description: The Jenkins server exposed to the internet does not require authentication to access the script console, allowing arbitrary code execution.
Remediation:
- Place the Jenkins server behind a VPN.
- Enable "Matrix-based security" in Jenkins global security settings.
CVSS Score: 9.0 (Critical)
Description: The svc_sql_backup account has "Replication" rights. This permission should only be assigned to Domain Controllers, not service accounts.
Remediation:
- Remove "DS-Replication-Get-Changes" rights from the service account immediately.
- Implement tiered administration models.
6. Blue Team Gap Analysis
| Attack Phase | Technique | Time | Blue Team Visibility |
|---|---|---|---|
| Initial Access | Jenkins RCE | Jan 15, 09:30 | MISSED (No EDR on Dev Server) |
| Privilege Escalation | Kerberoasting | Jan 16, 02:15 | MISSED (Logs generated but not alerted) |
| Lateral Movement | SMB to CEO Laptop | Jan 18, 04:45 | DETECTED (Firewall flagged anomalous traffic) |
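As an added example that is not part of the sample report, the following detection logic covers the two attack phases above that left logs behind without an alert: Kerberoasting (Phase 2, Event ID 4769 bursts requesting RC4 service tickets) and DCSync (Phase 3, Event ID 4662 exercising replication control-access rights from an account that is not a domain controller). The event IDs, encryption type 0x17 and replication-right GUIDs are real Windows values; the host names, user names, timestamps and the DC allowlist are constructed assumptions.

```python
"""Detection for Kerberoasting (Event 4769) and DCSync (Event 4662).
Added example; the sample events below are constructed, not engagement data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Control-access-right GUIDs a DCSync request exercises (4662 Properties field).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
# Assumption: computer accounts of legitimate domain controllers (constructed name).
DC_ACCOUNTS = {"DC01$"}

# Constructed sample records standing in for parsed Security log events.
SAMPLE_EVENTS = [
    {"id": 4769, "time": "2026-01-16T14:15:02", "user": "DEV-JENKINS01$", "service": "svc_sql_backup", "etype": "0x17"},
    {"id": 4769, "time": "2026-01-16T14:15:03", "user": "DEV-JENKINS01$", "service": "svc_web", "etype": "0x17"},
    {"id": 4769, "time": "2026-01-16T14:15:04", "user": "DEV-JENKINS01$", "service": "svc_report", "etype": "0x17"},
    {"id": 4769, "time": "2026-01-16T14:30:00", "user": "alice", "service": "FILESRV01$", "etype": "0x12"},
    {"id": 4662, "time": "2026-01-17T11:00:10", "user": "svc_sql_backup", "properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"id": 4662, "time": "2026-01-17T11:05:00", "user": "DC01$", "properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
]

def detect_kerberoasting(events, window=timedelta(minutes=5), threshold=3):
    """Flag requesters of >= threshold RC4 (0x17) service tickets for distinct
    user-account SPNs within `window`; machine SPNs ($) are ignored as noise."""
    per_user = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e["etype"] == "0x17" and not e["service"].endswith("$"):
            per_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["service"]))
    alerts = set()
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # sliding window starting at each request
            distinct = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(distinct) >= threshold:
                alerts.add(user)
    return sorted(alerts)

def detect_dcsync(events):
    """Flag 4662 events where a replication right is exercised by any account
    other than a known domain controller."""
    return sorted({e["user"] for e in events
                   if e["id"] == 4662 and e["user"] not in DC_ACCOUNTS
                   and REPLICATION_GUIDS & set(e["properties"])})

if __name__ == "__main__":
    print("Kerberoasting suspects:", detect_kerberoasting(SAMPLE_EVENTS))
    print("DCSync suspects:", detect_dcsync(SAMPLE_EVENTS))
```

Both rules depend on auditing being enabled: 4769 requires Kerberos Service Ticket Operations auditing, and 4662 requires Directory Service Access auditing with a SACL on the domain naming context.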
7. Post-Engagement Cleanup
The Red Team has removed all artifacts created during the engagement to restore the environment to its original state.
| Artifact | Location | Action Taken |
|---|---|---|
| beacon.exe | C:\Windows\Temp\ | Deleted |
| Scheduled Task "Updater" | Domain Controller | Removed |
| Created User "Support_Admin" | Active Directory | Account Deleted |
End of Sample Report (5 of 48 Pages)