If you’re responsible for security, there’s a simple reality you have to live with. Prevention matters, but it’s never perfect. Laptops get lost. Credentials get exposed. Sooner or later, someone gets a foothold.
This purple team engagement, delivered by OmniCyber, focused on what happens next.
How We Approached It:
The engagement was run as a collaborative purple team exercise, with OmniCyber working closely alongside internal IT and security teams.
We used an assumed-breach approach. The starting point was deliberately realistic: we already had access to a corporate endpoint, for example through the loss or theft of a user’s laptop.
Rather than spending time recreating how that access was achieved, the focus was on what followed: how post-compromise activity unfolded across the attack lifecycle, and how effectively that activity was detected, investigated, and responded to.
Modelling Realistic Attacker Behaviour:
Our activity was designed to reflect how modern, targeted intrusions actually play out.
We deliberately avoided public exploits and commodity malware. Instead, we relied on:
- Bespoke tooling
- Living-off-the-land binaries
- Native Windows functionality
The goal was to stay quiet, blend in with normal system behaviour, and avoid actions that typically trigger signature-based alerts.
Privilege Escalation:
Early in the engagement, we escalated privileges by abusing insecure DLL loading in a privileged application or service.
A malicious DLL was placed in a location the application searched first. When the application started, our code executed with elevated privileges.
No vulnerability was exploited and no exploit code was required.
From a defensive perspective, this activity went completely unnoticed. There were no alerts, and no SOC investigation followed the change in integrity level.
Credential Access:
With elevated privileges, we were able to bypass Protected Process Light protections on LSASS.
This enabled the extraction of credentials from system memory, including those of privileged accounts.
Once these credentials were obtained, lateral movement across the environment became straightforward and no further exploitation was needed.
No meaningful SOC alerts or investigative actions were observed in response to this activity.
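The two gaps above (a privileged process loading a DLL from a location an attacker can write to, and an unexpected process reading LSASS memory) are both visible in ordinary endpoint telemetry. The following is an added example, not OmniCyber's tooling or anything from the engagement: two detection checks over constructed events whose field names are modelled on Sysmon's ImageLoad (Event ID 7) and ProcessAccess (Event ID 10) records. It assumes the image-load events have already been joined with the loading process's integrity level from its process-creation event, and the LSASS allowlist is a placeholder baseline to tune per environment.

```python
# Added example: endpoint detection checks for the privilege-escalation and
# credential-access gaps described above. Events are constructed; field
# names loosely follow Sysmon (Event ID 7 ImageLoad, Event ID 10 ProcessAccess).
import re

# Directories an ordinary user can write to (assumed list, extend per estate).
USER_WRITABLE = re.compile(r"^(c:\\users\\|c:\\programdata\\|c:\\windows\\temp\\)", re.I)
PRIVILEGED_INTEGRITY = {"High", "System"}

# Processes that legitimately open LSASS on a typical Windows host.
# Assumed baseline for the example; real deployments build this from data.
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
}
PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory


def suspicious_dll_loads(events):
    """Privileged process loading an unsigned DLL from a user-writable path.

    This is the telemetry signature of the DLL search-order abuse above:
    a High/System-integrity image pulling code from a directory that a
    standard user could have written to.
    """
    findings = []
    for e in events:
        if e["EventID"] != 7:
            continue
        if e["IntegrityLevel"] not in PRIVILEGED_INTEGRITY:
            continue
        if not USER_WRITABLE.match(e["ImageLoaded"]):
            continue
        if e.get("Signed", "false").lower() == "true":
            continue
        findings.append((e["Image"], e["ImageLoaded"]))
    return findings


def suspicious_lsass_access(events):
    """Non-allowlisted process opening LSASS with a memory-read right."""
    findings = []
    for e in events:
        if e["EventID"] != 10:
            continue
        if not e["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        granted = int(e["GrantedAccess"], 16)
        if granted & PROCESS_VM_READ and e["SourceImage"].lower() not in LSASS_ALLOWLIST:
            findings.append((e["SourceImage"], e["GrantedAccess"]))
    return findings


# Constructed sample telemetry: one benign and one suspicious event of each kind.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\svc.exe", "IntegrityLevel": "System",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\svc.exe", "IntegrityLevel": "System",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\helper.dll", "Signed": "false"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
]

if __name__ == "__main__":
    for hit in suspicious_dll_loads(SAMPLE_EVENTS):
        print("DLL load from user-writable path by privileged process:", hit)
    for hit in suspicious_lsass_access(SAMPLE_EVENTS):
        print("LSASS memory access from unexpected image:", hit)
```

Both checks are deliberately narrow: the first fires only when integrity level, path and signature status all line up, and the second keys on the memory-read bit rather than on any handle to LSASS, which keeps the allowlist short and the false-positive rate manageable.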
Lateral Movement:
Using the recovered credentials, we moved laterally through the environment using legitimate access methods.
Additional systems and services were accessed through normal authentication processes with valid accounts.
This activity did not trigger SOC alerts or investigation. Visibility into privileged credential reuse and post-compromise access patterns was limited, allowing access to continue expanding without interruption.
Persistence Via Office Applications:
User-level persistence was established using native Microsoft Excel functionality.
Each time a user opened Excel, our code executed automatically, generating outbound call-backs without any extra user interaction.
From the user’s point of view, everything appeared normal. Excel behaved exactly as expected.
This persistence method proved to be reliable and low noise, yet no SOC alerts or investigative actions were observed in response to the Excel-triggered execution or associated network activity.
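The Excel-triggered execution and its call-backs leave two traces a SOC can correlate: an Office process making connections outside the corporate network, and those connections recurring at a regular interval. The following is an added example, not code from the engagement or from OmniCyber: it filters constructed Sysmon-style network connection events (Event ID 3) down to Office processes talking to external addresses, then scores each (host, process, destination) group for periodicity using the coefficient of variation of the gaps between connections. The internal address ranges, thresholds and timestamps are assumptions for the example.

```python
# Added example: flag Office processes beaconing to external destinations.
# Events are constructed; field names follow Sysmon Event ID 3 (NetworkConnect).
import ipaddress
from datetime import datetime
from statistics import mean, pstdev

OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Ranges treated as expected destinations for Office (assumed corporate nets).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def _event(host, image, dst, when):
    return {"EventID": 3, "Computer": host, "Image": image,
            "DestinationIp": dst, "DestinationPort": 443, "UtcTime": when}


EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

# Constructed sample: Excel calling one external host roughly every minute,
# one Excel connection to an internal server, and one ad-hoc Word connection.
SAMPLE_CONNECTIONS = (
    [_event("WS-042", EXCEL, "203.0.113.10", t) for t in (
        "2024-03-04 09:00:03", "2024-03-04 09:01:01", "2024-03-04 09:02:05",
        "2024-03-04 09:03:02", "2024-03-04 09:04:04", "2024-03-04 09:05:00")]
    + [_event("WS-042", EXCEL, "10.20.30.40", "2024-03-04 09:00:10")]
    + [_event("WS-042", WORD, "198.51.100.20", "2024-03-04 09:02:30")]
)


def office_external_connections(events):
    """Network connections from an Office process to a non-internal address."""
    out = []
    for e in events:
        if e["EventID"] != 3:
            continue
        image = e["Image"].rsplit("\\", 1)[-1].lower()
        if image not in OFFICE_PROCESSES:
            continue
        ip = ipaddress.ip_address(e["DestinationIp"])
        if any(ip in net for net in INTERNAL_NETS):
            continue
        out.append(e)
    return out


def beacon_profile(timestamps):
    """Mean gap and coefficient of variation (stdev/mean) between connections.

    A low CV means the connections are evenly spaced, which is what a
    periodic call-back looks like even with some jitter applied.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return {"count": len(ts), "mean": None, "cv": None}
    m = mean(gaps)
    return {"count": len(ts), "mean": m, "cv": pstdev(gaps) / m if m else None}


def detect_office_beacons(events, min_count=5, max_cv=0.25):
    """Return (key, mean_gap_s, cv) for periodic Office-to-external groups."""
    groups = {}
    for e in office_external_connections(events):
        key = (e["Computer"], e["Image"].rsplit("\\", 1)[-1].lower(), e["DestinationIp"])
        groups.setdefault(key, []).append(_ts(e["UtcTime"]))
    hits = []
    for key, stamps in groups.items():
        prof = beacon_profile(stamps)
        if prof["count"] >= min_count and prof["cv"] is not None and prof["cv"] <= max_cv:
            hits.append((key, round(prof["mean"], 1), round(prof["cv"], 3)))
    return hits


if __name__ == "__main__":
    for key, gap, cv in detect_office_beacons(SAMPLE_CONNECTIONS):
        print(f"periodic Office beacon: {key} every ~{gap}s (cv={cv})")
```

The periodicity score is what separates a user opening a SharePoint link from a scheduled call-back; on its own, "Office made an outbound connection" is far too noisy to page on, but a single Office process contacting one external address on a steady cadence, with no user-visible change in behaviour, is exactly the pattern this section describes.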
Privilege Consolidation:
As access continued to expand, further credential access and validation enabled increased control over domain infrastructure, including access to additional domain controllers.
This demonstrated how privileges could be consolidated over time without disruptive or destructive behaviour.
A full domain takeover or ransomware deployment was not required for this to become a high-impact intrusion scenario.
What This Engagement Demonstrated:
Across the attack lifecycle, no meaningful SOC alerts or investigative actions were observed for:
- Privilege escalation and integrity level changes
- LSASS access and credential recovery
- Lateral movement using legitimate credentials
- Office-based persistence techniques
- Repeated outbound command-and-control activity
This engagement showed that serious organisational risk can exist without obvious or dramatic behaviour.
Persistent access, credential harvesting, and gradual privilege consolidation alone were enough to represent a significant intrusion.
Value For Defensive Teams:
Throughout the engagement, detailed, time-aligned activity timelines were maintained.
These were supported by:
- Endpoint telemetry
- Network traffic analysis
- HTTPS traffic profiling
This allowed SOC teams to replay our actions against their own logs and detections, making it easier to identify specific gaps in monitoring, correlation, and response.
Take Your Security Testing Further With OmniCyber:
If you want to test your systems, processes, and resilience the way real attacks actually happen, this is what that looks like. We go beyond standard testing by focusing on realistic attacker behaviour and what happens after a foothold is gained.
This gives you a clear, practical view of how well your organisation can detect, respond to, and contain real threats. To find out more, speak to our experts.