Payload & Delivery Penetration Testing

Payload & Delivery Penetration Testing

Secure Network’s Payload and Delivery testing will assess customer host based and perimeter-based security solutions as well as application control configurations and relevant GPOs. SNT applies a consistent and reproduceable approach that combines comprehensive identification and validation of risk-based vulnerabilities. This methodology ensures that both new and common threat actor Techniques, Tactics, and Procedures (TTPs) are applied to each test, identifying real world attack paths that could be exploited within mature organizations.

Planning Phase

During the Planning phase, SNT will collaborate with customer Point of Contacts (PoC) to discuss Scope, Rules of Engagement, and to outline what to expect during the payload and delivery testing. Senior cyber security engineers will be involved with PoC planning meetings to detail engagement information and to answer any questions or concerns.

Reconnaissance Phase

The Reconnaissance phase will be the beginning of the payload and delivery testing. This phase consists of gathering information about the host target within scope. SNT will attempt to discover what host-based AV/EDR is in place and research potential bypass techniques. SNT will discover what perimeter defense or inspection is in-place and browse to common LOTS pages to determine which vectors may be available.

Exploitation Phase

The Exploitation phase will test host-based and perimeter-based security solutions. Security engineers will create up to 15 payloads to test against the customer host. These payloads will include open source and custom payloads that will be executed on one (1) Windows based workstation or server. This test will determine the host based security solutions ability to identify malicious applications that are executed within a user context. Payload testing will also assess the different vectors that are typically used for payload execution (i.e. Macro enabled office documents, hta, lnk, exe, etc). This testing will assess application control configurations or GPOs used to prevent execution of certain file types.

Delivery testing will assess access controls to different trusted sites (Living Off Trusted Sites) that are commonly used for payload delivery such as dropbox, OneDrive, gdrive etc. Security engineers will attempt to bypass any controls in place in an attempt to discover potential blind spots within the customers security baseline as related to user access to commonly used delivery vectors.

Reporting Phase

The Reporting phase will occur after the conclusion of testing. Any attack paths or vulnerabilities that have been discovered and exploited will be disclosed. Details of payload types and each accessible site that was accessed will be reported so that the customer can get an understanding of potential weaknesses within their security baseline. Mitigation techniques are included in details of findings, where applicable, to provide guidance and a starting point to reduce the overall risk to the customer environment.

Deliverables

SNT will deliver the final penetration testing report to the customer along with a matrix of payload hashes, sites accessed, and execution results.