
How to Lose Your Credentials and Gain a New Domain Admin

BSides Charlotte · 2026 · 25:48 · 48 views · Published 2026-04

About this talk
Chris Horner examines how ransomware groups operate as organized criminal enterprises, traces the journey of compromised credentials from dark web data breaches into corporate networks, and walks through a pentest where exposed credentials led to domain admin compromise. The talk covers infostealer tactics, the economics of ransomware, and how organizations can defend against credential-based attacks.
Original YouTube description
Chris Horner presented his talk "How to Lose Your Credentials and Gain a New Domain Admin" live at BSides Charlotte on March 28, 2026. https://bsidesclt.org/ This presentation takes a look at how ransomware groups operate, how credentials are leaked and then abused, especially by infostealers, and concludes with a walkthrough of a pentest where we found the client's credentials in a known dark web data breach and successfully used them to access their network, eventually escalating our privileges to domain admin. It also covers how companies can protect themselves from these kinds of attacks.
Transcript [en]

All right. Hello. My name is Chris Horner. I work as a pentester and social engineering tester. Today's presentation is entitled How to Lose Your Credentials and Gain a New Domain Admin. So, what we're going to talk about today is the problem of ransomware. We're going to look at how these groups operate. We're going to see where breached data lives, and we're going to do a walkthrough of how breach data was used in a pentest.

So when we talk with cyber security executives, ransomware and phishing are always the top two concerns that they seem to have. And this makes sense, because most attacks start with a social engineering component. And ransomware groups these days are highly organized criminal enterprises. Emphasis on highly. They operate with their own goals, their own rules. There are different players with different skill sets that perform specialized functions within those groups. And what this allows is for them to scale like any other legitimate business would. So a lot of times the way that these groups operate is they provide the framework or the platform to affiliates, who perform most of the dirty work, and upon successful collection of a ransom they pay a minimal kickback back to these ransomware groups. And these kickbacks are highly in favor of the affiliates. Affiliates tend to keep 80 to 90% of the ransom collected, and the ransomware group themselves gets 10 to 20%. Other ransomware groups operate on a subscription model. But regardless of how they do it, they enable people with moral flexibility to have everything that they need to launch their own little burgeoning criminal enterprise. And they do this because it works. A study by Arctic Wolf showed that 83% of ransomware victims end up paying some kind of ransom.

So, if you've heard me give this presentation before, I have updated it with current statistics and some more current information. The first few times I gave this presentation, I said that ransomware groups operate only to chase the bag. They were only concerned about profit. But starting last year, that changed. Some of the goals of these groups sometimes are just to cause disruption or to destroy critical infrastructure and interrupt supply chains. And we just had an example of that a couple weeks ago. The medical supply group Stryker up in Michigan had a cyber security incident where attackers broke in and wiped over 200,000 of their devices. And it was also claimed that 50 terabytes of data was stolen. So, we're seeing more and more attacks like that as well.

One interesting thing with ransomware groups is that they actually have very good customer service. Ironically enough, this is an example of a chat log from the ransomware group Akira. So at the end of the test, after they collected the ransom, they pointed out to the victim how the attack was carried out and even gave recommendations to the victim to close up their network so it wouldn't happen again. It became the most expensive internal pen test of all time.

So last year, in 2025, these were the top industries that were attacked. Manufacturing was number one. Manufacturing might sound unusual, but think about the amount of intellectual property information that rolls through any kind of manufacturing organization, not to mention the amount of money that can go through. The dollar amounts are usually extremely large. Finance, this would include banks and credit unions. It's obvious why they would be targets. And then health care came in at number three. Health care because of what healthcare records sell for on the dark web. And we'll talk about that a little more later.

As far as the kinds of companies that are attacked, it tends to be small and mid-size companies that are 50 million or less in revenue. That's where two-thirds of the attacks happen. And this would make sense, because typically with a smaller mid-size company, they have much more limited experience in handling cyber security, and they typically have fewer resources that are dedicated to security as well. As far as where these attacks happen, the United States still leads the way. Last year 49% of all attacks were right here on home soil. Now this was actually down from 51% in 2024.

Now, in 2024, the most prolific ransomware groups were LockBit and RansomHub. Those two groups alone accounted for 20% of all attacks. One in five attacks were by either of those groups. Qilin, you can see down there, second from the bottom. But since we're in cyber security, we know that things change and can change very quickly. And in 2025, we did see significant changes. So during one of the first times that I presented this presentation, RansomHub and LockBit were still in the lead. But in the first quarter of last year, RansomHub was shut down entirely and LockBit themselves were embarrassed. They were breached and their website was defaced. In the aftermath of all of that, Qilin moved up from 3% of all attacks all the way to the top one. So, Qilin and Akira ended up being the most notorious ransomware groups of 2025. There's a few different reasons for this. Typically, if a group is shut down, the affiliates that are there will tend to move to the next big thing. Qilin has proven themselves to be very good at what they do, a very dangerous organization and very generous to the affiliates that help carry out those attacks.

One of the favorite tools of ransomware operators are infostealers, and these are typically delivered through social engineering attacks. It could be through an email attachment or getting somebody to click on a link that they shouldn't, which results in infecting their system. What these infostealers do is they collect information, especially from browsers. So you know how you have the autofill fields, and browsers automatically fill in maybe your name, address, phone number, credit cards, usernames, passwords. An infostealer will take all of that information and siphons it. It can even collect valid session tokens, which will allow an attacker to then go and compromise an account without even needing a username or password, and can in some cases even bypass MFA prompts. So once this information is collected, it can then be used to launch further attacks.

So on this slide, what we see on the left side, this is an example of data that was contained in an actual infostealer log. You can see that it was collecting autofill information from two different browsers. It was collecting cookies, credit cards, and in this case, it was also collecting files off the system. It was collecting things that may have had things like passwords in there, as well as what processes were running on the system and other system information. On the right side, that is what the infostealer logs look like for collected usernames and passwords. It tells the exact URL, the exact username, and the exact password, all in plain text.

So, one thing that makes these kinds of attacks so dangerous too is that these days many employees work remote, or they work from home. And what we're seeing is a large number of non-company-managed devices that get infected. Then what happens is, say somebody's kid downloads the wrong Roblox mod, for example. It infects the system with an infostealer. The parent comes back around, just wants to log in real quick to check some email and get something done, and now those credentials have been collected. And this is not a hypothetical. You might remember the Snowflake breach back in 2024. What the indicators in that attack were was that Jira creds were caught from an infostealer on a contractor's personal device. MFA was not enforced, and in this case it was not enabled. And once those credentials were collected, the infiltration continued from there. Attackers were able to log in, move laterally through the network and compromise customer data and employee data of many of Snowflake's customers. And the fallout from this was huge. Snowflake was presented with class action lawsuits from companies like AT&T, hometown favorite LendingTree, Advance Auto, Santander Bank, and a dozen others who all had information that was lost or compromised. Then, ironically, those same companies were then in turn sued by their customers for losing control of their data. It's a giant mess in the court systems, and it's still being wound through the court systems today.

Now, as far as where this data goes and is sold once it's collected, it's not always on the dark web. There are actually clear web sites that deal with this kind of sale of breach data. 77 store is an example of this. As you can see, they have different types of bank information for sale. They have social security numbers, people's PII for sale, anything you want. And our data sells for really cheap. A basic package of personally identifiable information, which can include a name, an address, phone, and so on, sells for as little as five bucks. Throw a credit card account on top of that, maybe 20 to 100. Online banking credentials average maybe 50 bucks. And healthcare records average $1,000 each. And there's a reason for that. You see, with the other stuff, you can always get a new credit card number. You can get a new bank account number. You can even get a new address if you move. What you can't change is your healthcare information. So once that information is out there, it's out there, and there's no changing it. And think about all the information that you have to fill out when you go to any kind of health care provider. So then you can kind of start to see why records like that would sell for so much money.

Blackb is another site that's on the clear web that deals in the sale of breached data. In this case, you can see we were looking at banks. And once you select banks, another drop-down menu opens up. You can select which bank has the information that you're looking for. Add it to your shopping cart and check out. It looks like any other polished e-commerce storefront, but unfortunately they deal in terrible things.

When it comes to the dark web, it's a little different. And I do have to say, we do not recommend that anybody go there for any reason. It's just not worth it. It's not a good place, and there's really nothing to see. But for dark web sites, the way those work is there is no Google for those. You cannot just Google a list of dark web websites. So Breachsense shows some examples of what those URLs look like. They all end the same way, with long gibberish in between. So there's almost no chance you will ever stumble upon a dark web website. Even if you do happen to find one, this is what they typically tend to look like. They look like they were made in 1996, and all they do is sell illegal items: drugs, roids, firearms, counterfeit items, malware, etc. And that's really all that's there.

But if you want to keep an eye on what ransomware groups are up to these days, a good resource for this is ransomlook.io. Now this is an open-source project that tracks the activity of different groups. And as you can see on the bottom left, the last time I updated this was just a few weeks ago. They were tracking 540 different groups. And this number has gone up every single time I've given this presentation. About a year ago when I gave the first one, it was 300 and something. By the fall it had gone into the 400s, and now, at the end of the first quarter of this year, 2026, we're looking at over 500 different groups being tracked. From there you can go in and you can see specific groups and you can see their activity. I picked Qilin because right now they are the hot one and they are the most active. And as you can see, especially last year, how much their activity has increased. You can also go through and see who the various victim companies were as well and see who they've hit.

Now we spoke a little while ago too about specialized providers in the ransomware space, and one of these are called initial access brokers, and the clue is in the name. They literally just sell the initial access to different companies. These are some screenshots showing it. Down in the bottom left, you can see they were selling RDP credentials to a USA company. It was a workgroup administrative account. Sells for $1,000. They always include a screenshot with proof of concept access as well. On the right side was RDP credentials for a USA domain-joined system that was selling for $2,500. That's how little access sells for to these different corporate accounts.

Now, IBM did a study and they found that attackers are inside of a network an average of 206 days before they launch an attack. That's seven months. You're probably thinking, "What in the world are they doing there for seven months?" Well, if you're familiar with how pentesting works, you've probably heard the word enumeration until your ears bleed, right? Enumerate, enumerate, enumerate, enumerate, enumeration. But that's actually the most important part of the pen test. See, the thing is, as professional testers, we're time bound. We only have so much time to look at what we have to look at, but criminals don't have those kinds of time constraints. So they're doing basically the same thing as a pentest. They're doing their recon. They are looking at what's there. They're establishing persistent access. They could be setting up new accounts, disabling other protections, even siphoning data out of the network slowly so that it blends in with normal network activity and doesn't look like one large dump.

So on this slide, when RansomHub was in existence, they had a countdown on their homepage, and they would show the list of their victims and how much time they had to pay the ransom before their data would be dumped. Now, even though RansomHub doesn't exist anymore, some of the other more prolific groups have copied this practice from RansomHub today. So, this is a screenshot of a chat log with a ransomware group and a Catholic charity organization, to kind of prove the point of what they're doing. In the top there, you can see the ransomware group knew the organization had been extorted in 2020 and that they paid the ransom. Then down towards the bottom, they knew the annual revenue of the organization and how much the salaries and benefits of the employees cost. Want to know what else they knew? They knew how much their cyber insurance policy was. So now they knew exactly what to ask for, because negotiations become significantly easier when you know what the other side has to spend.

So let's take a look and see how this dumped data could be used by an attacker. So this is where we're going to go through the pentest walkthrough. It will also show how a ransomware attack could unfold throughout an organization. So the first part of any test is we conduct OSINT research, and we're trying to gather a list of possible usernames of that particular client. You do this by scraping open source resources such as LinkedIn or ZoomInfo, and you're trying to get as many names as you can. Once you have the list of names, you take a few of those and you try different email address formats. First initial last name, firstname.lastname, etc. You take a couple of those and we try putting them through the Outlook, the Office 365 login page. The reason that we do that is that login page is weak to username enumeration. So if you put in a valid username, you will be prompted for a password. If you put an invalid username in, it'll just error out. So from there, we can get the email address format of that particular company. Once we figure that out, we use a tool called MSOLSpray. What that does is take our list of usernames, put it in the correct format, and spray those usernames against the Office 365 login. We combine that with a tool called FireProx, which will rotate the IP address of every one of those requests so it doesn't look like we're doing what we're doing from our system, which would get us blocked by Microsoft. Once that is run, then we have a list of valid usernames that we know work for the company.

Then we take that list of valid usernames and we compare it against known data breach files, and we're looking to see if they have had any credentials that have been compromised and are out there on the dark web. And in this particular case, we found one. We found one of the users' Office 365 credentials out there on the dark web. And of course, believe it or not, the password was password 1 2 3 4. So, we tried logging in with those credentials and they worked, but we ran into MFA. What people sometimes forget is that Microsoft has many different APIs that authentication can be performed against, depending on the platform that you're on. So we use a tool called MFASweep to take these valid credentials and try them against all of these Microsoft APIs, because sometimes what we'll find is that not all the APIs are set up to require MFA. And that was the case here. If we took those valid credentials and authenticated against the Graph API or the Service Management API, we could get inside the system.

So once we got onto the network, we got into Azure and we dumped the entire username list. Now we had all the valid usernames for the company. We began a password spray attack. And of course, we started with the one that we knew worked: password 1 2 3 4. And we found 36 more accounts inside that company that were using the same password. Now, this is an actual screenshot, redacted, from that test. What you will notice on some of these success messages is some of them have notes saying that MFA is in use. Some of them do not have that note. No note, no MFA. So, as you can see from the screenshot, we have a handful more accounts that we don't even need to use MFA for, but are still valid credentials.

So, now we can take these accounts and we can explore things further. We started taking them and looking around the different areas of the network. One of the sets of credentials got us into their R&D SharePoint. Now, obviously here there would be very sensitive information. If we were attackers, this is where we would collect some of that intellectual property information. Another set of credentials popped up a remote desktop web instance. And we figured out at the top there, if we just typed in C:/, we got to the top of the network, not the top of the drive of that system, the top of the network. And then we could start exploring all of those different folders down there, finding things that nobody should ever see.

So, as we're going through those folders, eventually we found where they keep their backups. Now, this is another thing the criminals do while they're waiting patiently inside that network. They know that the backups will become infected too with their access. So even if the company tries to be slick and restore from a backup, the infection is likely still there, and therefore the attackers will still have their access. Because see, when you're in the middle of triaging a ransomware attack, they typically will not have time to sit there and go backwards and try to figure out when exactly this attack or this infection happened. Other times, ransomware groups, before launching their attack, will encrypt or delete these backups entirely.

Another tool that we use is NetExec, and this is what we use to enumerate other things using the valid credentials that we had. In this case, what we were looking for is read/write permissions. So we hit the pot of gold in the SQL database. It turned out one of the sets of credentials that we had had read/write access to that SQL database, because it turned out it was the administrative account for SQL. Want to know what else? It was a domain admin account, and that was another big no-no. You never mix those two accounts together like that. So now with that we had the keys to the kingdom, and I will remind you the password was password 1 2 3 4. So with that, we dumped the ntds.dit file as another trophy, because that contains all of the hashed passwords for the entire network. Took that offline and began cracking those. And we started this process completely over, because as professional testers, we don't look for just one path through the network. We look for as many paths as testing time allows.

So if you're following along, one thing you might have noticed was we didn't throw a single exploit. There were no zero days used. There was no AI used. And what we find is the vast majority of our pentests are like this. It's a combo attack of weak passwords, misconfigurations, and overly permissive accounts, which we call the holy trinity of problems that lead to compromise. These are also things a vulnerability scan alone is never going to pick up. Vulnerability scans are good. They have their place, but you can be patched all day long, but if you have things like password 1 2 3 4 and missing MFA through your network, it's still being left open.

So, the final point is about EDR systems. Many of our clients have invested a lot of money in EDR systems, and rightly so. They're very good. They can help protect the network. But what we find is that these systems still need to be tuned. They're not just out-of-the-box protection. They are not silver bullets, because see, when we're doing a pen test, pen tests are not stealthy. We're not trying to be quiet. And so we start working with the clients to see how those systems are responding to the things that we're doing. What we find sometimes is that alerts either come in late, or they're not auto-blocking certain actions, or high priority alerts are going to an unmonitored mailbox because Carl back here left three months ago and nobody forwarded his email, or sometimes these alerts don't truly convey the seriousness of what's happening. Well, we want to include this reporting to our clients so they can make sure that they're getting the value out of these systems that they're paying for. So these should always be tested like any other piece of infrastructure. If you are doing the pen testing, do your clients a solid, involve them and test this with them as well. If you are the one signing off on getting a pen test, insist that your provider is testing this as well. These systems cost a lot of money, and you want to make sure that you're getting what you pay for and that they are working as expected.

So final takeaways: ransomware, phishing, infostealers, these are still the top concerns, and those concerns are not slowing down. Then when it comes to protection, the basics matter, user awareness matters. Have technical controls as backups for when people fail, and people controls in place for when technology fails. And test those controls before the bad people do. I know that sounds self-serving coming from a pen tester, but believe me, you do not want your final exam on this to be a live attack. So, that's what I've got for you today. I'm on LinkedIn. I'm always happy to connect with other professionals, and appreciate your time and attention today. Thank you.
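The walkthrough in the transcript has a defender-side mirror image: the spray (one password, many accounts, rotating source IPs) and the "no note, no MFA" successes both leave a shape in sign-in logs. The Python below is an added example, not code from the talk or from the speaker's firm. Its record format (a dict per sign-in with `ts`, `user`, `source_ip`, `app`, `result`, `mfa`) and the sample records are constructed for this example; mapping a real identity provider's sign-in export onto that shape is left to the reader.

```python
"""
Defender-side view of the walkthrough above: spot a password spray in
sign-in records and list the successes that never saw an MFA challenge.
Added example, not from the talk. The record format is constructed for
this example; map your identity provider's sign-in log onto it.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _parse_ts(ts):
    # Constructed log uses ISO 8601 timestamps with a trailing 'Z'.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def build_sample_signins():
    """Constructed sample records (not real data): the shape the walkthrough
    describes, one password tried once per account from rotating IPs, then a
    few successes, two of them against APIs that did not prompt for MFA."""
    recs = []
    for i in range(40):  # 40 accounts, one failure each, inside 20 minutes
        recs.append({
            "ts": f"2026-03-01T09:{i // 2:02d}:{(i % 2) * 30:02d}Z",
            "user": f"user{i:02d}@example.test",
            "source_ip": f"203.0.113.{i + 1}",  # rotating source, as with FireProx
            "app": "Office 365 Exchange Online",
            "result": "failure",
            "mfa": False,
        })
    recs += [
        {"ts": "2026-03-01T09:20:05Z", "user": "user07@example.test", "source_ip": "203.0.113.50",
         "app": "Office 365 Exchange Online", "result": "success", "mfa": True},
        {"ts": "2026-03-01T09:20:09Z", "user": "user12@example.test", "source_ip": "203.0.113.51",
         "app": "Azure Service Management API", "result": "success", "mfa": False},
        {"ts": "2026-03-01T09:20:14Z", "user": "user31@example.test", "source_ip": "203.0.113.52",
         "app": "Microsoft Graph", "result": "success", "mfa": False},
    ]
    # Benign noise: one user mistypes twice, then signs in with MFA.
    recs += [
        {"ts": "2026-03-01T08:15:00Z", "user": "bob@example.test", "source_ip": "192.0.2.10",
         "app": "Office 365 Exchange Online", "result": "failure", "mfa": False},
        {"ts": "2026-03-01T08:15:20Z", "user": "bob@example.test", "source_ip": "192.0.2.10",
         "app": "Office 365 Exchange Online", "result": "failure", "mfa": False},
        {"ts": "2026-03-01T08:15:45Z", "user": "bob@example.test", "source_ip": "192.0.2.10",
         "app": "Office 365 Exchange Online", "result": "success", "mfa": True},
    ]
    return recs


def detect_spray(records, window=timedelta(minutes=60), min_users=10, max_fail_per_user=2):
    """Slide a time window over failed sign-ins. A spray is flagged when at
    least `min_users` distinct accounts fail inside the window while each of
    them fails no more than `max_fail_per_user` times: the one-password,
    many-accounts shape, as opposed to a brute force on a single account.
    Returns (is_spray, accounts_in_largest_window, distinct_source_ips)."""
    fails = sorted((r for r in records if r["result"] == "failure"),
                   key=lambda r: _parse_ts(r["ts"]))
    best = (False, 0, 0)
    win, per_user, per_ip = deque(), defaultdict(int), defaultdict(int)
    for rec in fails:
        win.append(rec)
        per_user[rec["user"]] += 1
        per_ip[rec["source_ip"]] += 1
        cutoff = _parse_ts(rec["ts"]) - window
        while _parse_ts(win[0]["ts"]) < cutoff:  # evict records older than the window
            old = win.popleft()
            for table, key in ((per_user, old["user"]), (per_ip, old["source_ip"])):
                table[key] -= 1
                if table[key] == 0:
                    del table[key]
        low_rate = [u for u, n in per_user.items() if n <= max_fail_per_user]
        if len(low_rate) >= min_users and len(low_rate) > best[1]:
            best = (True, len(low_rate), len(per_ip))
    return best


def successes_without_mfa(records):
    """Successful sign-ins with no MFA challenge, the 'no note, no MFA' cases,
    returned as (user, app) pairs so the un-enforced API stands out."""
    return sorted({(r["user"], r["app"]) for r in records
                   if r["result"] == "success" and not r["mfa"]})


def sprayed_then_succeeded(records):
    """Accounts that failed at least once and later succeeded, mapped to
    whether that first success carried an MFA challenge."""
    failed_at, hits = {}, {}
    for r in sorted(records, key=lambda r: _parse_ts(r["ts"])):
        if r["result"] == "failure":
            failed_at.setdefault(r["user"], r["ts"])
        elif r["user"] in failed_at and r["user"] not in hits:
            hits[r["user"]] = r["mfa"]
    return hits


if __name__ == "__main__":
    recs = build_sample_signins()
    print("spray:", detect_spray(recs))
    print("successes without MFA:", successes_without_mfa(recs))
    print("sprayed accounts that got in:", sprayed_then_succeeded(recs))
```

The thresholds are deliberately parameters: a spray with rotated source IPs defeats per-IP lockout, so the detection keys on the count of distinct accounts failing at a low per-account rate inside a window, not on any one address. The `successes_without_mfa` list is the item to act on first, since each pair names an application that accepted a password alone.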