Macksofy Technologies
BFSI · Red Team
India · Enterprise · 2025

Domain Admin in 4h 12m, undetected — a goal-based red team against a tier-1 listed Indian bank

The CISO asked one question: 'Can someone reach Domain Admin without our SOC raising a single ticket?' Nine weeks later we showed how — phishing, EDR bypass, lateral movement and DA in 4 hours and 12 minutes, with the SOC's only ticket auto-closed as a false positive.

Tags: BFSI · Banking · Red Team · Mumbai · Active Directory · EDR Bypass · MITRE ATT&CK
Engagement summary

Client: Listed Indian Bank
Sector: BFSI
Region: India
Engagement: Red Team
Year: 2025
Duration: 9 weeks

4h 12m · Time to Domain Admin
0 · SOC tickets at compromise
23 · Detections engineered
11m · Time to detect (TTD) after remediation
The challenge

What the client was up against.

Mature SOC, mature controls — and quiet anxiety

The bank had moved off Splunk Cloud, deployed SentinelOne across 38,000 endpoints, and rebuilt its SOC playbooks twelve months prior. Tabletop scores were strong. But the CISO suspected, correctly, that tabletops don't surface the failure modes that real adversaries exploit.

Goal: prove or disprove DA-without-detection

Not a vulnerability list. Not a penetration test. A goal-based red team with a single binary outcome — Domain Admin without a confirmed SOC ticket — across a real banking estate, with realistic operational constraints (no DoS, no client data exfiltration, no fund movement).

Approach

How we ran the engagement, phase by phase.

Phase 01

01 · Recon + initial-access tradecraft

  • Three weeks of OSINT: leaked credentials, GitHub leaks, employee LinkedIn footprint
  • Crafted spear-phish targeting six engineers in a non-customer-facing team
  • Built a custom payload tailored to the bank's known EDR (SentinelOne) and EDR exclusions
Phase 02

02 · Foothold + EDR evasion

  • Initial access via ISO-delivered DLL side-loading, then signed-binary proxy execution (LOLBAS)
  • Beacon staged through a reflective loader; AMSI and ETW patched in memory
  • Validated that the EDR saw nothing on two of the three endpoint product versions in scope
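As an added example (not code from this page, the bank or Macksofy), the Python below sketches two compensating controls for the exclusion abuse described in Phase 02 and in the first Critical finding: an audit that flags EDR exclusion paths with the properties that make them abusable (whole drives, wildcards, folders outside admin-only roots), and a process-creation detection that fires when a signed proxy binary (LOLBAS) is handed a file inside an excluded folder or is spawned from a non-system drive such as a mounted ISO. The exclusion list, host name and event records are constructed, and no product-specific export format is assumed; the same rules apply to Sysmon Event ID 1 or Windows 4688 data once normalised.

```python
"""Compensating detections for EDR exclusion abuse (added example, not the
bank's or Macksofy's rules). Input: Sysmon Event ID 1 / Windows 4688 style
process-creation events. Exclusions, hosts and events below are constructed."""
import ntpath
import re
from dataclasses import dataclass

# Signed Windows binaries commonly abused for proxy execution (LOLBAS project).
LOLBAS_PROXIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "msiexec.exe",
                  "wscript.exe", "cscript.exe", "installutil.exe", "odbcconf.exe"}

# Hypothetical exclusion list exported from the EDR console (assumption).
EXCLUSIONS = [r"C:\Program Files\AcmeRPA", r"C:\RPA\jobs", "D:\\"]

# Roots where only administrators can normally write; anything else is suspect.
ADMIN_ONLY_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")

# Quoted or bare Windows paths inside a command line.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^\s"]+)')


def audit_exclusion(path: str) -> list[str]:
    """Reasons an exclusion path is risky; an empty list means acceptable."""
    p = ntpath.normpath(path).lower()
    reasons = []
    if ntpath.splitdrive(p)[1] in ("", "\\"):
        reasons.append("whole drive excluded")
    if "*" in p or "?" in p:
        reasons.append("wildcard exclusion")
    if not p.startswith(ADMIN_ONLY_ROOTS):
        reasons.append("outside admin-only roots: likely writable by standard users")
    return reasons


def in_excluded_path(path: str) -> bool:
    """True if path is an excluded folder or lies underneath one."""
    p = ntpath.normpath(path).lower()
    for ex in EXCLUSIONS:
        e = ntpath.normpath(ex).lower().rstrip("\\")
        if p == e or p.startswith(e + "\\"):
            return True
    return False


def cmdline_paths(cmdline: str) -> list[str]:
    return [quoted or bare for quoted, bare in PATH_RE.findall(cmdline)]


@dataclass
class ProcEvent:
    ts: str
    host: str
    image: str          # full path of the new process
    parent_image: str
    cmdline: str


def detect(ev: ProcEvent) -> list[str]:
    """ATT&CK-tagged alerts for one process-creation event."""
    alerts = []
    image = ntpath.basename(ev.image).lower()
    parent = ntpath.basename(ev.parent_image).lower()
    image_drive = ntpath.splitdrive(ev.image)[0].lower()
    parent_drive = ntpath.splitdrive(ev.parent_image)[0].lower()
    # 1. Signed proxy binary loading a DLL/script that lives inside an excluded folder.
    if image in LOLBAS_PROXIES and any(in_excluded_path(p) for p in cmdline_paths(ev.cmdline)):
        alerts.append("T1218: LOLBAS proxy execution referencing EDR-excluded path")
    # 2. Signed proxy binary whose parent runs from a non-system drive (mounted ISO heuristic).
    if image in LOLBAS_PROXIES and parent_drive not in ("c:", ""):
        alerts.append("T1218: LOLBAS binary spawned from non-system drive (mounted ISO heuristic)")
    # 3. User double-clicks an executable on a non-C: drive (mounted ISO / removable media heuristic).
    if parent == "explorer.exe" and image_drive not in ("c:", ""):
        alerts.append("T1204.002: user-launched binary from non-system drive (mounted ISO heuristic)")
    return alerts


SAMPLE_EVENTS = [  # constructed to mirror the Phase 02 chain
    ProcEvent("T+0:00:12", "WKS-ENG-014", r"E:\Setup\AcmeViewer.exe",
              r"C:\Windows\explorer.exe", r'"E:\Setup\AcmeViewer.exe"'),
    ProcEvent("T+0:00:15", "WKS-ENG-014", r"C:\Windows\System32\rundll32.exe",
              r"E:\Setup\AcmeViewer.exe",
              r'rundll32.exe "C:\Program Files\AcmeRPA\plugins\upd.dll",Start'),
    ProcEvent("T+0:05:00", "WKS-ENG-014", r"C:\Program Files\AcmeRPA\bot.exe",
              r"C:\Program Files\AcmeRPA\scheduler.exe", r'"C:\Program Files\AcmeRPA\bot.exe" --run'),
    ProcEvent("T+0:06:00", "WKS-ENG-014", r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\svchost.exe", r"rundll32.exe shell32.dll,Control_RunDLL"),
]


def run(events=SAMPLE_EVENTS) -> list[tuple[str, str, str]]:
    """(timestamp, host, alert) for every rule that fired."""
    return [(ev.ts, ev.host, a) for ev in events for a in detect(ev)]


if __name__ == "__main__":
    for ex in EXCLUSIONS:
        print(ex, "->", audit_exclusion(ex) or "ok")
    for ts, host, alert in run():
        print(ts, host, alert)
```

Rule 3 is deliberately noisy on workstations with a second fixed drive; in a real deployment it should be gated on a preceding ISO/VHD mount event or on the drive being removable, which is why it is labelled a heuristic. The audit is the cheaper control: an exclusion on a whole drive or on a folder standard users can write to is what turned a vendor's RPA directory into a safe landing zone for the payload.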
Phase 03

03 · Internal recon + privilege escalation

  • BloodHound graph built with opsec-aware collection (not SharpHound with default settings)
  • Identified a Kerberoastable service account covered by a weak-password-policy carve-out
  • Cracked the ticket offline; pivoted to a host holding cached DA credentials
Phase 04

04 · Lateral movement to Domain Admin

  • Pass-the-Hash via WMI (no PsExec, no SMB exec)
  • Confirmed Domain Admin from a stepping-stone host at T+4h 12m
  • Took screenshots and BloodHound paths as evidence; stopped
Phase 05

05 · Detection-coverage debrief + purple-team workshop

  • Side-by-side timeline: every red-team action vs every SOC alert
  • Mapped gaps to MITRE ATT&CK and to specific SentinelOne ruleset choices
  • Delivered 23 prioritised detection improvements (14 in SIEM, 9 in EDR)
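The side-by-side timeline in Phase 05, together with the Kerberoast and cached-credential findings below, can be prototyped as a small rule set over Windows Security events before it is ported to the SIEM. The Python below is an added example, not the bank's or Macksofy's rules: it runs three detections over constructed 4769/4624/4688 events that mirror Phases 03 and 04 (a burst of RC4 service-ticket requests for Kerberoasting, an interactive logon of a privileged account onto a lower-tier host, and an NTLM network logon followed by a WmiPrvSE-spawned process for pass-the-hash over WMI) and reports the log-time gap between the first event in the window and the first alert. The tier map, account and host names, timestamps and thresholds are assumptions.

```python
"""Prototype SIEM rules for the Phase 03-04 chain (added example, not the
bank's or Macksofy's content). Input: time-ordered Windows Security events
(IDs 4769, 4624, 4688) as dicts keyed by the log's own field names.
Tier map, account names, hosts and timestamps below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical tiering model (assumption): lower number = more privileged.
ACCOUNT_TIER = {"adm-rk": 0, "svc_sqlrpt": 0, "adm-t1-vp": 1, "j.patel": 2}
HOST_TIER = {"DC01": 0, "SRV-APP-07": 1, "WKS-ENG-014": 2, "WKS-ENG-022": 2}

ROAST_WINDOW = timedelta(minutes=10)  # distinct RC4 SPN tickets per requester
ROAST_THRESHOLD = 3
WMI_WINDOW = timedelta(seconds=60)    # NTLM logon -> WmiPrvSE child gap


@dataclass
class Alert:
    ts: datetime
    technique: str
    detail: str


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


def detect_all(events):
    """Run the three rules over the events and return alerts in log order."""
    alerts = []
    roast = defaultdict(list)  # requester -> [(ts, service)] inside ROAST_WINDOW
    ntlm_logons = {}           # (host, account) -> ts of last NTLM network logon
    for e in events:
        t, eid, host = _t(e["Time"]), e["EventID"], e["Host"]
        if eid == 4769:
            # Kerberoasting: RC4 (0x17) service tickets for user-account SPNs,
            # several distinct services from one requester in a short window.
            svc = e["ServiceName"]
            if e["TicketEncryptionType"] == "0x17" and svc != "krbtgt" and not svc.endswith("$"):
                req = e["TargetUserName"]
                roast[req] = [(t0, s) for t0, s in roast[req] if t - t0 <= ROAST_WINDOW]
                roast[req].append((t, svc))
                distinct = {s for _, s in roast[req]}
                if len(distinct) == ROAST_THRESHOLD:  # fire once when the threshold is crossed
                    alerts.append(Alert(t, "T1558.003",
                                        f"{req} requested RC4 tickets for {sorted(distinct)}"))
        elif eid == 4624:
            acct, ltype = e["TargetUserName"], e["LogonType"]
            at, ht = ACCOUNT_TIER.get(acct, 2), HOST_TIER.get(host, 2)
            # Tiering violation: interactive/RDP/cached logon of a privileged
            # account onto a lower-tier host leaves its credentials cached there.
            if ltype in (2, 10, 11) and at < ht:
                alerts.append(Alert(t, "T1078.002",
                                    f"tier-{at} account {acct} logged on interactively to tier-{ht} host {host}"))
            # Remember NTLM network logons of tier-0 accounts for the WMI correlation.
            if ltype == 3 and e.get("AuthenticationPackageName") == "NTLM" and at == 0:
                ntlm_logons[(host, acct)] = t
        elif eid == 4688:
            # Pass-the-hash over WMI: NTLM network logon, then a WmiPrvSE.exe child on the same host.
            acct = e["SubjectUserName"]
            last = ntlm_logons.get((host, acct))
            if e["ParentProcessName"].lower().endswith("\\wmiprvse.exe") and last and t - last <= WMI_WINDOW:
                alerts.append(Alert(t, "T1550.002+T1047",
                                    f"NTLM logon of {acct} on {host} followed by WMI-spawned {e['NewProcessName']}"))
    return alerts


def time_to_detect(events, alerts):
    """Log-time gap from the first event in the window to the first alert (None if silent)."""
    return min(a.ts for a in alerts) - _t(events[0]["Time"]) if alerts else None


def ev(time, eid, host, **fields):
    return {"Time": time, "EventID": eid, "Host": host, **fields}


SAMPLE_EVENTS = [  # constructed to mirror Phases 03-04
    ev("2025-06-12T11:40:01", 4769, "DC01", TargetUserName="j.patel", ServiceName="svc_sqlrpt", TicketEncryptionType="0x17"),
    ev("2025-06-12T11:40:01", 4769, "DC01", TargetUserName="j.patel", ServiceName="svc_backup", TicketEncryptionType="0x17"),
    ev("2025-06-12T11:40:02", 4769, "DC01", TargetUserName="j.patel", ServiceName="svc_web", TicketEncryptionType="0x17"),
    ev("2025-06-12T11:40:02", 4769, "DC01", TargetUserName="j.patel", ServiceName="krbtgt", TicketEncryptionType="0x12"),
    ev("2025-06-12T13:05:10", 4624, "SRV-APP-07", TargetUserName="adm-rk", LogonType=10, AuthenticationPackageName="Kerberos"),
    ev("2025-06-12T15:50:30", 4624, "DC01", TargetUserName="adm-rk", LogonType=3, AuthenticationPackageName="NTLM", IpAddress="10.20.5.41"),
    ev("2025-06-12T15:50:33", 4688, "DC01", SubjectUserName="adm-rk", ParentProcessName=r"C:\Windows\System32\wbem\WmiPrvSE.exe", NewProcessName=r"C:\Windows\System32\cmd.exe"),
    ev("2025-06-12T15:51:00", 4624, "SRV-APP-07", TargetUserName="svc_sqlrpt", LogonType=3, AuthenticationPackageName="Kerberos"),
]

if __name__ == "__main__":
    found = detect_all(SAMPLE_EVENTS)
    for a in found:
        print(a.ts.isoformat(), a.technique, a.detail)
    print("time to first alert:", time_to_detect(SAMPLE_EVENTS, found))
```

Each rule maps to one of the gaps the debrief exposed: the Kerberoast rule needs only the DC's 4769 feed, which most SIEMs already ingest; the tiering rule is cheap but depends on an accurate account-to-tier inventory, which is exactly what the privileged-access rollout in the Outcome section produced; the WMI correlation is stateful and belongs in the EDR or a SIEM with per-host correlation, since it needs the NTLM logon and the process-creation event joined within seconds. The gap reported here is event time only; the 11 minutes quoted on this page also includes SOC triage.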
Findings

What we surfaced — severity, title, real-world impact.

Critical

Phishing payload undetected by SentinelOne

An EDR ruleset that excluded a third-party RPA folder allowed a signed-binary-proxy chain to run unflagged. The bank's only telemetry was a low-signal Defender heuristic that auto-closed.

Critical

Kerberoastable DA-tier service account

A service account in a tier-0 group used a 12-character password with a known dictionary base — cracked in 3 hours of offline GPU time.

High

BloodHound collection silent in detection stack

Custom LDAP enumeration produced zero alerts despite touching every domain controller — visibility gap mapped to a missing detection-engineering use-case.

High

Cached DA credentials on a stepping-stone host

Tier-1 admin accounts were re-using sessions on tier-2 hosts, leaving privileged credentials cached where the team could harvest them and breaking the bank's own privileged-access model.

Outcome

What changed for the client.

23 detection-engineering improvements shipped

Within one quarter the SOC engineered, deployed and tested 14 SIEM rules and 9 EDR custom detections. Time-to-detection on the same red-team chain dropped from 'never' to 11 minutes in a follow-up purple-team exercise.

Privileged-access model enforced

The bank rolled out tiered-admin separation (tier-0/1/2) across the AD estate, with Credential Guard mandatory on tier-1 admin workstations. The cached-credential gap closed.

Board-level confidence — and a documented playbook

The CISO presented the engagement at the audit committee with a clear before/after picture. The bank now runs a full red-team annually plus quarterly purple-team exercises with Macksofy.

"We thought we were ready. Macksofy showed us, in our own logs, exactly where the silence was. Six months later the same playbook gets caught in eleven minutes. That's the value."
Chief Information Security Officer · Listed Indian Bank
Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.

CERT-In Empanelled
Information Security Auditor · India
  • CERT-In Empanelled
  • EC-Council ATC · CompTIA Authorized
  • 20,000+ professionals trained
  • India + UAE engagements