CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth | CISA

CISA conducted the SILENTSHIELD red team operation against a large U.S. Federal Civilian Executive Branch organization, emulating nation-state TTPs to test detection, response, and hunt capabilities over eight months. The assessment highlights defense-in-depth, behavior-based detection, robust logging, and the risk of cross-domain trust, detailing exploitation of an unpatched Solaris web server vulnerability (CVE-2022-21587), credential access, lateral movement into Windows and external partner networks, and extensive persistence techniques. #SILENTSHIELD #CISA #SolarisEnclave #WindowsDomain #FederalCivilianExecutiveBranch #CVE-2022-21587 #Kerberoasting #DCSync #DomainTrust #ExternalPartner

Keypoints

  • Eight-month SILENTSHIELD red team engagement against a large FCEB organization, with no-notice, long-duration emulation of nation-state techniques and collaboration with defenders to improve detection and response.
  • Initial access achieved via two paths: exploiting an unpatched Solaris enclave web server vulnerability (CVE-2022-21587) and phishing for Windows credentials, leading to full domain compromise.
  • Pivoting leveraged weak/old credentials, local accounts, and trust relationships with external partners, enabling cross-domain movement into partner domains.
  • Extensive lateral movement and persistence used SSH, SOCKS proxies, reverse tunnels, domain admins, and diverse beacons to blend with normal activity and evade detections.
  • Defense gaps identified across logs, EDR/AV, IDM, access controls, and network segmentation, emphasizing a shift to behavior-based detection and “allowlist” approaches over “denylist” IOCs.
  • Key lessons: insufficient controls, poor log collection/retention, bureaucratic silos, reliance on known IOCs, and inadequacies in IDM and host segmentation.
  • Noted strengths include remediation efforts (Windows service accounts, egress controls, IDM improvements, and Solaris password hygiene) and a collaborative, defense-focused SOC engagement phase.

MITRE Techniques

  • [T1594] Reconnaissance: Search Victim-Owned Websites – The red team used open source tools and third-party services to probe the organization’s internet-facing surface. ‘The red team used open source tools and third-party services to probe the organization’s internet-facing surface.’
  • [T1590.002] Gather Victim Network Information: DNS – The team conducted DNS enumeration and non-intrusive port scans to reveal surface details. ‘non-intrusive port scans for common ports and Domain Name System (DNS) enumeration.’
  • [T1589.003] Gather Victim Identity Information: Employee Names – The team harvested employee names to derive targeted emails. ‘harvested employee names’ ‘used the information to derive email addresses based on the target’s email naming scheme.’
  • [T1591.004] Gather Victim Org Information: Identity Roles – Targeted individuals based on roles for phishing and access. ‘selected several phishing targets who regularly interacted with the public.’
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 traffic over web protocols enabled by a compromised server. ‘RAT enabled consistent command and control (C2) traffic’.
  • [T1571] Non-Standard Port – SSH used over non-standard ports for C2. ‘beaconing over TCP 80 and 443’ (non-standard usage described).
  • [T1090.004] Proxy: Domain Fronting – Traffic redirected/obfuscated via domain fronting. ‘domain fronting to redirect and obfuscate their traffic.’
  • [T1110.002] Brute Force: Password Cracking – Weak password cracking to obtain credentials. ‘cracked the account’s password using a common wordlist.’
  • [T1558.003] Kerberoasting – Kerberoasting yielded a weak-credential service account. ‘kerberoasted the domain, yielding one valid service account with a weak password’.
  • [T1003.006] OS Credential Dumping: DCSync – Domain credentials obtained via DCSync for full access. ‘pulled credentials for the domain via DCSync to gain full access to the domain.’
  • [T1552.003] Unsecured Credentials: Bash History – Plaintext credentials found in a user’s .bash_history. ‘plaintext password in a user’s .bash_history.’
  • [T1021.004] Remote Services: SSH – Lateral movement using SSH with valid accounts. ‘used SSH with a valid account to move through the enclave.’
  • [T1090] Proxy – SOCKS proxy to hide source and traffic patterns. ‘The red team used a SOCKS proxy to avoid direct connections to their infrastructure and obscure the source of the malicious traffic.’
  • [T1574.014] Hijack Execution Flow: AppDomainManager – Payloads loaded via manipulated .NET AppDomain loading. ‘Hijack the execution flow of a program that used a relative path instead of an absolute path…’
  • [T1036.004] Masquerading: Masquerade Task or Service – masquerading as legitimate software to evade detection. ‘regularly masqueraded as legitimate software to remain undetected.’
  • [T1027] Obfuscated Files or Information – Obfuscated payloads and C2 channels to evade defenses. ‘encrypted, encoded, and obfuscated their executables and C2 channels.’
  • [T1222.002] Linux and Mac File and Directory Permissions Modification – Changing permissions to blend in. ‘File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification.’
  • [T1070.006] Indicator Removal: Timestomp – Timestamp manipulation to hide activity. ‘modified file timestamps to hide their operational activity.’
  • [T1134.001] Access Token Manipulation: Token Impersonation/Theft – Impersonating tokens to exploit sessions. ‘impersonated the tokens of current users to exploit valid sessions.’
  • [T1134.003] Access Token Manipulation: Make and Impersonate Token – Creating new tokens for login sessions. ‘made new tokens and logon sessions for accounts not registered with the IDM.’
  • [T1083] Discovery: File and Directory Discovery – Data-mined servers to locate sensitive data and credentials. ‘data mined numerous internal servers and discovered… plaintext usernames and passwords.’
  • [T1482] Domain Trust Discovery – Mapping trust relationships with partner domains. ‘inspected domain trust relationships through LDAP and identified connections to external organizations.’
  • [T1078.002] Valid Accounts: Domain Accounts – Using compromised domain accounts to access resources. ‘regularly used compromised valid domain accounts managed by Active Directory.’

Indicators of Compromise

  • [File] /opt/splunkforwarder/bin/splunkd – real payload path used for persistence and C2 on a Solaris/UNIX host
  • [File] /opt/splunkforwarder/splunkd – malicious copy/path used to blend with legitimate software
  • [File] .bash_history – plaintext password exposure found in a user’s command history
  • [File] /etc/shadow – hash-containing backup file with credentials for a privileged service account
  • [File] bloodhound.zip – used as an example artifact in YARA/detection context
  • [Vulnerability] CVE-2022-21587 – unpatched Oracle Web Applications Desktop Integrator vulnerability exploited for initial access
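The masquerading item (T1036.004) and the two splunkd paths above illustrate why the advisory favours allowlist over denylist detection: the malicious binary has a trusted name, so a name-based IOC cannot separate it from the real one, but an allowlist of expected executable paths can. The following is an added example, not code from the CISA advisory; the allowlist entries and the process listing are constructed for illustration.

```python
"""Allowlist check for masquerading binaries (T1036.004).

Added example, not code from the CISA advisory. It flags processes whose
name matches a known product but whose executable path is not one of the
product's expected install locations, e.g. a payload named 'splunkd' run
from /opt/splunkforwarder/splunkd instead of /opt/splunkforwarder/bin/splunkd.
"""
from dataclasses import dataclass

# Expected executable paths per process name. Assumed values for illustration;
# in practice these would be derived from package manifests or a golden image.
ALLOWLIST = {
    "splunkd": {"/opt/splunkforwarder/bin/splunkd", "/opt/splunk/bin/splunkd"},
    "sshd": {"/usr/sbin/sshd"},
}


@dataclass(frozen=True)
class Finding:
    pid: int
    name: str
    exe: str
    reason: str


def parse_ps_line(line: str):
    """Parse one 'pid name exe' record (constructed format) into a tuple."""
    pid, name, exe = line.split(maxsplit=2)
    return int(pid), name, exe


def check_processes(records):
    """Return a Finding for every allowlisted name running from a foreign path."""
    findings = []
    for pid, name, exe in records:
        expected = ALLOWLIST.get(name)
        if expected is None:
            continue  # name not covered by the allowlist; out of scope here
        if exe not in expected:
            findings.append(Finding(pid, name, exe, "executable path outside allowlist"))
    return findings


# Constructed sample process listing (not real telemetry from the engagement).
SAMPLE = """\
1201 splunkd /opt/splunkforwarder/bin/splunkd
1377 splunkd /opt/splunkforwarder/splunkd
812 sshd /usr/sbin/sshd
2044 bash /usr/bin/bash
"""


def run_check(text: str = SAMPLE):
    records = [parse_ps_line(l) for l in text.splitlines() if l.strip()]
    return check_processes(records)


if __name__ == "__main__":
    for f in run_check():
        print(f"pid={f.pid} name={f.name} exe={f.exe}: {f.reason}")
```

Only the second splunkd entry is reported: its name is legitimate but its path is not on the allowlist, which is exactly the case a denylist of known-bad hashes or names would miss.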

Read more: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-193a