
Assumed Breach Simulation: Lateral Movement Explained

By Fabian Crespo, OSEP, OSCP, CRTO
Principal Consulting, Technical Testing

In our Clearwater Monthly Cyber Briefings, we often emphasize that today’s cyberattacks don’t always begin with a high-profile perimeter breach. More often, they start quietly—with a single compromised workstation. Compromise can happen through social engineering attacks or weak access management, and once inside, an attacker’s true advantage comes from their ability to move laterally across your network, escalating privileges and accessing sensitive systems before anyone notices.

To help clients understand their exposure to these attack vectors, my colleagues and I on Clearwater’s Technical Testing team conduct assumed breach simulations—cybersecurity assessments that evaluate an organization’s ability to detect, respond to, and recover from an internal compromise.

In this assumed breach simulation, we explore how a malicious actor could infiltrate a hospital’s internal network by compromising a doctor’s machine, highlighting the critical technical missteps that enable lateral movement and put sensitive data—and even patient care—at risk.

What we will show is that a lack of security maturity and strong cyber risk management practices across the hospital environment can lead to the missed signals that allow threat actors to infiltrate, dwell undetected, and take deliberate steps to move laterally with malice in mind.

Phase 1: Initial Compromise

The simulation begins with a doctor opening a phishing email. The convincing email contained a patient case file with an attached macro-enabled Word document. Doctors, like any care providers, are only human; they are often time-constrained and focused on patient care, and mistakes like this do happen. Upon execution, the malicious actor gained initial access to the doctor’s workstation because the system’s Antivirus and Endpoint Detection & Response (EDR) applications did not detect the malicious payload. It is not that these tools could not have detected it; many times we have seen that their configuration, management, and monitoring need continuous adjustment as threat actor tactics and malware grow more sophisticated. In the podcast The Truth about EDR Killers, my colleague Justin Sun, Director of Clearwater’s Security Operations Center, dives into the reasons and situations where this can occur.

Preventative Actions:

  • Review that endpoint security is implemented and configured at the level needed to detect threats and secure systems.
  • Consider additional execution controls, such as AppLocker or Attack Surface Reduction (ASR) rules, security features that help prevent common attack vectors by controlling how and when potentially malicious code can run on a device.
  • Continue to invest in training against social engineering, with the emphasis on a culture of reporting. When there is a non-punitive environment, employees can feel comfortable reporting and learning from their mistakes.

Phase 2: Internal Enumeration & Credential Harvesting

Once inside, the simulated malicious actor begins reconnaissance against the hospital’s internal network and the compromised workstation. The actor leverages the insecure PowerShell language mode, FullLanguage, to bypass EDR and other local security controls. PowerShell is commonly used for system administration and remote management, so its use draws little attention. As a result, the attacker was able to execute in-memory malware that is harder to detect, quick to establish persistence, and capable of easily identifying vulnerabilities.

Then the malicious actor identifies an Unattend.xml file containing local administrator credentials, allowing for local privilege escalation. With local administrator access, the attacker extracted sensitive credentials stored in LSASS and impersonated the svc_certificate domain account. LSASS is the Windows process that manages local security policy and user authentication. The svc_certificate domain account is a user account in Active Directory used by the Certificate Enrollment Web Service (CES) to interact with the Certification Authority (CA). This account allows the CES to automatically request and renew certificates for various users and computers without manual intervention. The hospital used this account internally to interact with Active Directory Certificate Services (ADCS), and it became the starting point for a series of unfortunate access events.

Preventative Actions:

  • PowerShell was left in FullLanguage mode rather than being constrained. Unfortunately, “FullLanguage” is the default mode for PowerShell sessions on all Windows versions, so it has to be restricted deliberately.
  • Local administrator credentials were exposed in an Unattend.xml file used for remote system management. Use Windows System Image Manager (SIM) to hide passwords for local accounts and other sensitive data within the Unattend.xml file. This prevents users from directly reading the credentials in the file.
  • Implement protection mechanisms for the LSASS process. Enable auditing and monitor logs for suspicious activities, such as failed login attempts or attempts to access LSASS memory.
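The three Phase 2 weaknesses can be checked from one elevated PowerShell session. This is an added audit script, not code from the post; the answer-file paths, the XML layout and the RunAsPPL registry value are the standard Windows ones, while the finding labels are this example's own.

```powershell
# Added audit script (not from the post): reports the Phase 2 weaknesses on a Windows host.
function Get-Phase2Findings {
    $findings = @()

    # 1. Language mode of this session (FullLanguage is the Windows default).
    $mode = $ExecutionContext.SessionState.LanguageMode
    if ($mode -ne 'ConstrainedLanguage') {
        $findings += [pscustomobject]@{ Check = 'PowerShellLanguageMode'; Detail = "Session runs in $mode" }
    }

    # 2. Answer files that often survive imaging with the local admin password inside.
    $answerFiles = @(
        "$env:SystemRoot\Panther\Unattend.xml"
        "$env:SystemRoot\Panther\Unattend\Unattend.xml"
        "$env:SystemRoot\System32\Sysprep\Unattend.xml"
        "$env:SystemRoot\System32\Sysprep\sysprep.inf"
    )
    foreach ($file in $answerFiles | Where-Object { Test-Path -Path $_ }) {
        $text = Get-Content -Path $file -Raw
        # <Password><Value>..</Value><PlainText>true</PlainText></Password> is readable as-is;
        # PlainText=false (the SIM "hide sensitive data" option) only base64-wraps the value.
        if ($text -match '<Password>\s*<Value>[^<]+</Value>\s*<PlainText>(true|false)</PlainText>') {
            $kind = if ($Matches[1] -eq 'true') { 'a plaintext' } else { 'a base64-obfuscated' }
            $findings += [pscustomobject]@{ Check = 'AnswerFileCredential'; Detail = "$file holds $kind password; sanitize or delete it" }
        } elseif ($text -match '(?im)^\s*AdminPassword\s*=') {
            $findings += [pscustomobject]@{ Check = 'AnswerFileCredential'; Detail = "$file holds an AdminPassword entry" }
        }
    }

    # 3. LSA protection: RunAsPPL=1 stops unsigned code from opening LSASS memory.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    if (-not $lsa -or $lsa.RunAsPPL -ne 1) {
        $findings += [pscustomobject]@{ Check = 'LsassProtection'; Detail = 'RunAsPPL is not 1; enable LSA protection' }
    }
    return $findings
}

Get-Phase2Findings | Format-Table -AutoSize
```

An empty result means all three checks passed on this host; the language-mode check only reflects the session the script runs in, so run it the way users normally get a shell.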

Phase 3: Privilege Escalation via Misconfigured Certificate Template

With control of the svc_certificate service account, the attacker enumerates the Active Directory Certificate Services (ADCS) environment and identifies a vulnerable certificate template that permits low-privileged users to request certificates with arbitrary Subject Alternative Names (SANs). SANs allow a single certificate to cover multiple domain names, subdomains, IP addresses, or email addresses, providing flexibility in secure communication.

The attacker abuses this misconfiguration by requesting an authentication certificate on behalf of a high-privileged user, specifying Administrator@hospital.local as the SAN. This certificate is then used to impersonate a Domain Administrator using common attacker tools such as Rubeus or Certify. Rubeus is a post-exploitation tool designed for Kerberos ticket manipulation in Active Directory environments. Certify is a tool that targets Active Directory Certificate Services (ADCS); it allows attackers to request certificates using manipulated permissions.

In the end, the attacker now holds domain admin-level access without ever needing to crack a password or directly compromise the admin account.

Preventative Actions:

  • Use Role-Based Access Control (RBAC) to limit who can manage, modify, or request certificates.
  • Implement ADCS hardening and stronger certificate issuance controls.
  • Review logs for unauthorized certificate requests or SAN manipulations.
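Two of these actions can be scripted: finding templates with the shape abused in Phase 3, and reviewing issued certificates on the CA. This is an added example, not the post's or any tool's code; it assumes the ActiveDirectory module, read access to the CA's Security log, and a CA host name (ca01.hospital.local) that is a placeholder.

```powershell
Import-Module ActiveDirectory

# Templates where the requester supplies the subject/SAN, no manager approval gates the
# request, and the EKU permits logon. Who may enroll (the template ACL) still needs review.
function Get-RiskyCertTemplates {
    $base = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
            (Get-ADRootDSE).configurationNamingContext
    $logonEkus = @(
        '1.3.6.1.5.5.7.3.2'       # Client Authentication
        '1.3.6.1.4.1.311.20.2.2'  # Smart Card Logon
        '1.3.6.1.5.2.3.4'         # PKINIT Client Authentication
        '2.5.29.37.0'             # Any Purpose
    )
    Get-ADObject -SearchBase $base -Filter 'objectClass -eq "pKICertificateTemplate"' `
        -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'pKIExtendedKeyUsage' |
      Where-Object {
        # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT set, CT_FLAG_PEND_ALL_REQUESTS clear,
        # and either no EKU (any purpose) or one of the logon EKUs above.
        ($_.'msPKI-Certificate-Name-Flag' -band 0x1) -and
        -not ($_.'msPKI-Enrollment-Flag' -band 0x2) -and
        (-not $_.pKIExtendedKeyUsage -or
         ($_.pKIExtendedKeyUsage | Where-Object { $_ -in $logonEkus }))
      } | Select-Object Name, 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag'
}

# Issued certificates (Security event 4887 on the CA) whose subject does not name the
# requesting account, or whose request attributes carried a SAN, listed for review.
function Get-SuspectIssuances {
    param([string]$CaHost = 'localhost')
    Get-WinEvent -ComputerName $CaHost -FilterHashtable @{ LogName = 'Security'; Id = 4887 } -ErrorAction SilentlyContinue |
      ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Time = $_.TimeCreated; Requester = $data.Requester
                           Subject = $data.Subject; Attributes = $data.Attributes }
      } |
      Where-Object {
        $account = (($_.Requester -split '\\')[-1]).TrimEnd('$')   # HOSPITAL\svc_certificate -> svc_certificate
        ($_.Subject -notmatch [regex]::Escape($account)) -or ($_.Attributes -match '(?i)san:')
      }
}

Get-RiskyCertTemplates | Format-Table -AutoSize
Get-SuspectIssuances -CaHost 'ca01.hospital.local' | Format-Table -AutoSize   # placeholder CA host
```

Event 4887 records the subject name but not the SAN extension of the issued certificate, so for a flagged request pull the certificate itself from the CA database (certutil -view) and inspect its SAN.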

Phase 4: Accessing Sensitive Data via Internal SMB Share

Now operating with full domain admin privileges, the attacker begins enumerating file servers and shares across the network. They discover an exposed SMB share. SMB (Server Message Block) is a network file-sharing protocol used primarily in Windows environments, allowing devices on a network to share files, folders, printers, and other resources. This share, ehr_exports, resides on a server named records-srv01 and is accessible to all authenticated domain users. It contains periodic .csv exports of patient electronic health records, which hold electronic protected health information (ePHI) including treatment history, medications, and billing information.

The attacker silently exfiltrates thousands of sensitive patient records without detection because this data is unencrypted at rest and not monitored by a Data Loss Prevention (DLP) system.

Preventative Actions:

  • Restrict permissions on shares containing ePHI; do not grant access to broad groups such as Authenticated Users.
  • Inventory all ePHI locations across the environment, monitor exports from ePHI systems, ensure proper use authorization, and enforce data encryption.
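An added audit (not the post's own code) that lists non-administrative shares on a file server where both the share ACL and the NTFS ACL grant read access to a broad group, and counts the .csv files in each, so a share like ehr_exports stands out. The server name is the one from the scenario; the list of broad groups is an assumption.

```powershell
# Added example (not from the post): shares readable by everyone with a domain account.
function Get-BroadlyReadableShares {
    param(
        [string]$Server = $env:COMPUTERNAME,
        # Groups that effectively mean "anyone with a domain account" (assumed list).
        [string[]]$BroadGroups = @('Everyone', 'Authenticated Users', 'Domain Users', 'Users')
    )
    $cim = New-CimSession -ComputerName $Server
    foreach ($share in Get-SmbShare -CimSession $cim | Where-Object { $_.Name -notmatch '\$$' }) {
        $unc = "\\$Server\$($share.Name)"
        # Share-level ACL: who is allowed at the SMB layer.
        $shareBroad = Get-SmbShareAccess -CimSession $cim -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           (($_.AccountName -split '\\')[-1] -in $BroadGroups) } |
            ForEach-Object { $_.AccountName }
        # NTFS ACL: effective access is the intersection of both layers.
        $ntfsBroad = (Get-Acl -Path $unc).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $_.FileSystemRights.ToString() -match 'Read|Modify|FullControl' -and
                           (($_.IdentityReference.Value -split '\\')[-1] -in $BroadGroups) } |
            ForEach-Object { $_.IdentityReference.Value }
        if ($shareBroad -and $ntfsBroad) {
            $csv = Get-ChildItem -Path $unc -Filter *.csv -Recurse -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Share      = $unc
                ShareGrant = ($shareBroad -join ', ')
                NtfsGrant  = ($ntfsBroad -join ', ')
                CsvFiles   = @($csv).Count
            }
        }
    }
    Remove-CimSession $cim
}

Get-BroadlyReadableShares -Server 'records-srv01' | Format-Table -AutoSize
```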

This simulation demonstrates how a seemingly isolated compromise — a doctor’s workstation infected through phishing — can cascade into full domain control and unauthorized access to highly sensitive patient data.

At each phase, the attacker leveraged a common yet avoidable misconfiguration:

  • Lack of execution controls enabled malware delivery.
  • Poor credential hygiene and exposed secrets enabled lateral movement.
  • Insecure PowerShell configurations and unprotected LSASS allowed credential theft.
  • Misconfigured ADCS certificate templates allowed domain privilege escalation.
  • Over-permissive file shares and lack of encryption led to ePHI exposure.

Of note, this attack required no zero-day malware. It was entirely dependent on misconfigurations, poor segmentation, and excessive trust within the internal network.

Many of these issues can be proactively addressed with:

  • Internal network penetration testing
  • Continuous endpoint security monitoring
  • Log management and monitoring of ADCS changes
  • Updated policy and control management for endpoint system management

If you need assistance with any of these functions, Clearwater provides Technical Testing, Security Engineering, and ongoing Managed Security Services with 24/7 Threat Detection.

Contact us if you want to meet and discuss your options.

The post Assumed Breach Simulation: Lateral Movement Explained appeared first on Clearwater.
