Financial services · ~1,500 staff · 6 weeks
Assumed-breach red team against a Dutch financial services firm
Six-week adversary emulation starting from a single compromised workstation. Reached domain dominance and demonstrated access to a production payment system, then worked with the client's blue team on the detection gaps that let it happen.
Context
The client ran a mature Microsoft estate with a functioning internal SOC, EDR on every endpoint, and a recent TIBER-EU-style engagement behind them. They wanted something more pointed than another annual pentest: an honest assessment of how far a motivated actor could get if they were already inside, and where detection would catch them.
Scope was built around a realistic initial-access foothold: one standard corporate workstation, one regular employee account, and no prior knowledge of internal topology, with the goal of reaching a defined “impactful” state agreed in advance with the board.
Approach
The engagement ran in three stages, with deliberate pause points for the blue team to observe and, where useful, respond.
- Internal reconnaissance and credential access: BloodHound collection via a collector deliberately built to sit below EDR signatures, low-and-slow Kerberoasting of weak service accounts, and abuse of an unsigned internal tool to land on a secondary host.
- Privilege escalation: a misconfigured Group Policy Preference file on a file share (“finance-legacy”) yielded a cached local-admin password that still worked on 40% of workstations. From there, a compromised workstation account with unconstrained delegation rights opened a path to a Tier-0 asset.
- Impact and detection test: demonstrated read-only access to a staging payment system and a production domain controller. For each post-exploitation action, we recorded which telemetry fired, which alerts were generated, and which of those actually reached a human.
Outcome
Domain dominance in 19 days; access to a production-adjacent financial system in 24. Of twelve post-exploitation actions that could reasonably have been caught, three generated alerts, and only one of those was acknowledged within two hours; the rest were lost in noise or never left the SIEM.
The report went to the CISO, not to compliance. It paired each finding with a concrete detection rule (Sigma / KQL) the blue team could deploy immediately. Three months on, a follow-up tabletop exercise showed the median time-to-detect for the same class of activity had dropped from “never” to under four hours.
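The Group Policy Preference finding above is one a blue team can hunt for directly in SYSVOL. The following is an added example of such an audit, not the client's or the red team's tooling; the directory layout, GPO names and XML content it scans are constructed, and the cpassword value is a placeholder rather than a real encrypted blob.

```python
# Audit a SYSVOL-like tree for Group Policy Preference files still carrying a
# cpassword attribute. Added example; the directory and XML below are constructed.
import os
import tempfile
import xml.etree.ElementTree as ET

# Preference files that can embed credentials via cpassword.
GPP_FILES = {"Groups.xml", "ScheduledTasks.xml", "Services.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

def find_cpasswords(root_dir):
    """Return (relative path, element tag, account) for each cpassword found."""
    hits = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # malformed file: skip it rather than abort the audit
            for elem in tree.iter():
                if elem.get("cpassword"):  # empty string means no stored secret
                    account = (elem.get("userName") or elem.get("runAs")
                               or elem.get("accountName") or "?")
                    hits.append((os.path.relpath(path, root_dir), elem.tag, account))
    return hits

# Constructed Groups.xml: local-admin preference with a stored cpassword
# (placeholder value, not a real encrypted blob).
BAD_XML = ('<?xml version="1.0" encoding="utf-8"?><Groups>'
           '<User name="localadmin"><Properties action="U" userName="localadmin" '
           'cpassword="PLACEHOLDER_NOT_A_REAL_BLOB"/></User></Groups>')
# Constructed clean file: same shape, no password set.
CLEAN_XML = ('<?xml version="1.0" encoding="utf-8"?><Groups>'
             '<User name="svc"><Properties action="U" userName="svc" cpassword=""/>'
             '</User></Groups>')

def audit_sample_sysvol():
    """Build a temporary SYSVOL-like tree with both files and audit it."""
    base = tempfile.mkdtemp(prefix="gpp_audit_")
    for gpo, xml in (("{GPO-LEGACY}", BAD_XML), ("{GPO-CLEAN}", CLEAN_XML)):
        d = os.path.join(base, "Policies", gpo, "Machine", "Preferences", "Groups")
        os.makedirs(d)
        with open(os.path.join(d, "Groups.xml"), "w", encoding="utf-8") as f:
            f.write(xml)
    return find_cpasswords(base)
```

Pointing find_cpasswords at a mounted copy of \\domain\SYSVOL\domain\Policies gives the same report over real preference files; any hit is a credential that should be rotated and the preference removed.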