Lares released new research highlighting the five most common penetration
testing findings encountered by the firm's consultants over hundreds of
client engagements in 2022.
Lares typically finds numerous vulnerabilities and attack vectors
when conducting penetration tests or red team engagements for clients,
regardless of the organization's size or maturity. However, the research
team at Lares was surprised by how many times the same five findings
kept turning up during their penetration tests and red team engagements
in early 2022.
"As we wrapped up 2022, our surprise gave way to expectation, and we
found ourselves genuinely surprised if one, or all, of the top five
issues were not found on any given engagement," said Andrew Hay,
Chief Operating Officer of Lares. "Every single vulnerability described
in our latest research paper can be avoided or eliminated through
better cybersecurity hygiene practices."
The Lares research team emphasized that these Top 5 findings were not
the most severe threats for clients, but rather, the ones they most
frequently encountered during engagements over the past year. Key
takeaways describing each category include:
Brute Forcing Accounts with Weak and Guessable Passwords:
Organizations that have not implemented multifactor authentication (MFA)
should be aware that adversaries may target accounts where users have
selected weak or guessable passwords to gain access to systems,
services, and network resources. If authentication failures are high,
there may be a brute-force attempt to gain access to a system using
legitimate credentials.
Kerberoasting: Kerberos Service Principal Names (SPNs)
uniquely identify each instance of a Windows service configured to
accept Kerberos tickets for authentication. Adversaries possessing a
valid Kerberos Ticket-Granting Ticket (TGT) may request one or more
Kerberos Ticket-Granting Service (TGS) service tickets for any service
with an SPN configured from the Key Distribution Center (KDC), typically the
Domain Controller (DC) in Windows Active Directory. Because part of each
service ticket is encrypted with the service account's password hash, the
ticket can be brute-forced offline to recover the plain-text credentials of
that account.
Excessive File System Permissions: Improperly set permissions
on a binary, or on the directory in which it resides, may allow attackers to
replace the legitimate binary with a file of their choosing. Adversaries
may use this technique to replace legitimate pre-existing binaries or
dynamic-link libraries (DLLs) with malicious ones so that their code runs
with a much higher permission level than their current user holds, for
example when a privileged service loads the replaced file.
WannaCry/EternalBlue: Remote code execution vulnerabilities
exist in the Microsoft Server Message Block 1.0 (SMBv1) server that
handles certain requests. An attacker who successfully exploits the
vulnerabilities could gain the ability to execute code on the target
server. The EternalBlue and EternalRomance exploits were leaked by "The
Shadow Brokers" group in 2017. The EternalBlue exploit was also
leveraged by WannaCry ransomware to compromise Windows machines, load
malware, and propagate to other machines in a network.
WMI (Windows Management Instrumentation) Lateral Movement:
Lateral movement is a critical phase in any attack targeting more than a
single computer. It is not a vulnerability, but a technique employed by
attackers to interact with or gain access to a system other than the one
on which they are currently operating. WMI provides a
structured way to communicate with a remote computer and exposes
system monitoring and configuration capabilities to a remote machine. An
adversary can use this native functionality to execute malicious code or
modify system settings, such as adding a user or password or disabling
security tools, before performing other activities.
The Lares Top 5 Penetration Test Findings in 2022 research paper is available for download here: https://www.lares.com/lares-top-5-penetration-test-findings-report/.