Domain compromise in 72 hours
A mid-size wealth management firm engaged us to test whether their recent EDR rollout and MFA enforcement actually slowed an external attacker. Starting from a phished employee credential — provided by the client as a controlled seed — our team achieved domain administrator access within 72 hours through a chain involving Kerberoasting, misconfigured service accounts, and an unmonitored admin workstation.
The SOC generated three alerts during the engagement. Two were closed as false positives. One was escalated but not contained before objective completion. The debrief led to seven immediate control changes, including tiered admin access and new detection rules for unusual Kerberos ticket requests. Cluster A exposed the breach pathway; Cluster B validated that revised detections fired on a repeat attempt.