Domain Assessment Methodology

Purpose

The purpose of this methodology is to provide a structured approach for assessing the security of an organization’s domain environment. This includes servers, workstations, applications, databases, and other critical infrastructure components.

The assessment simulates how a real-world attacker would operate, following the stages of the MITRE ATT&CK Framework. This process helps uncover weaknesses, validate defenses, and provide actionable improvements to reduce risk.

Specific Goals

  • Identify domain controller vulnerabilities and misconfigurations.
  • Assess the effectiveness of current defenses and monitoring.
  • Demonstrate realistic attack paths without causing harm.
  • Provide clear remediation steps to strengthen security.

Scope and Limitations

Scope

The scope defines what systems, networks, and assets are to be tested during the assessment. The requestor sets the exact scope before the engagement begins. Only assets explicitly listed in the agreed-upon scope will be tested.

Common in-scope components may include:

  • Windows Domain Controllers
  • Web Servers (internal and external-facing)
  • Linux Servers and services
  • Workstations and laptops
  • Databases (e.g., SQL, Oracle, MongoDB)
  • Network Devices (if specified)

Limitations

To ensure safety and business continuity, certain activities are strictly prohibited during the assessment:

  • Running real malware in production environments – Only safe, controlled simulations are allowed.
  • Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) testing – No tests that disrupt availability or operations.
  • Destructive actions – No data deletion, corruption, or intentional downtime.
  • Testing outside of approved scope – No access or interaction with systems that were not explicitly authorized.

Note:
If malware, ransomware, or destructive attacks must be simulated, this is done with safe test payloads, either in a controlled environment or through demonstration only.


Rules of Engagement

  • Scope Agreement – Define exact systems and networks to test before starting.
  • Testing Schedule – Conduct tests during approved time windows to reduce business impact.
  • Communication Plan – Identify escalation contacts and response procedures.
  • Legal Approvals – Obtain written authorization from appropriate stakeholders.
  • Safety Measures – Follow a strict change-management process to avoid production disruption.

Assessment Approach

The methodology follows the MITRE ATT&CK stages, simulating each phase of an attacker’s lifecycle. It applies to multiple system types, including:

  • Web Servers
  • Linux Servers
  • Windows Servers & Domain Controllers
  • Workstations and Laptops
  • Databases

This structured approach ensures comprehensive coverage of both technical weaknesses and defensive gaps.


Stages of the Assessment

Reconnaissance

Objective: Gather external information about the target environment.

Activities:
  • Identify domains, subdomains, and public IP addresses.
  • Collect employee names and roles through open sources.
  • Map exposed services and technologies.
Tools:
Outputs:
  • List of externally visible assets
  • Potential entry points

***

Resource Development

Objective: Prepare safe infrastructure for controlled testing.

Activities:
  • Set up test phishing platforms and controlled domains.
  • Build safe payloads for simulation purposes.
Tools:
  • Gophish
  • Cobalt Strike (test mode)

***

Initial Access

Objective: Simulate the first steps an attacker might take to enter the environment.

Techniques:
  • Phishing simulation for workstations.
  • Web application attacks (SQL injection, directory traversal).
  • Exploitation of public vulnerabilities.
Examples by System:
  • Web Servers: Check for outdated CMS or misconfigurations.
  • Linux Servers: Test for weak SSH keys or services.
  • Workstations: Simulated phishing links or malicious documents.
Tools:
  • Burp Suite
  • Metasploit
  • Gophish
  • SQLMap
  • PowerShell Active Directory Module
  • BloodHound

***

Execution

Objective: Demonstrate safe payload execution after initial access.

Examples:

  • PowerShell scripts on Windows servers.
  • Bash scripts on Linux systems.
  • SQL commands to test database security.
Tools:
  • PowerShell Empire
  • PowerShell Active Directory Module
  • Python scripts
  • Custom scripts

***

Persistence

Objective: Test methods attackers use to maintain long-term access.

Examples by System:

  • Web Servers: Hidden web shells.
  • Linux Servers: Cron jobs or SSH key persistence.
  • Windows Servers: Scheduled tasks or registry changes.
Tools:
  • PowerShell Active Directory Module
  • RSAT (Remote Server Administration Tools for Windows)

***

Privilege Escalation

Objective: Determine if attackers can gain higher privileges.

Techniques:
  • Exploiting misconfigured permissions.
  • Kerberoasting for service accounts.
  • Exploiting outdated software.
Tools:
  • Mimikatz
  • Rubeus
  • PowerView
  • WinPEAS
  • PowerShell Active Directory Module
  • RSAT (Remote Server Administration Tools for Windows)

***

Defense Evasion

Objective: Assess the ability to avoid detection by security tools.

Examples:

  • Hiding scripts or payloads.
  • Clearing or tampering with logs (safe simulations only).
Tools:
  • Caldera
  • Manual safe evasion commands

***

Credential Access

Objective: Test how credentials might be stolen.

Examples by System:

  • Windows: Extracting hashes with Mimikatz.
  • Linux: Checking /etc/shadow for weak passwords.
  • Databases: Testing for default or weak credentials.

***

Discovery

Objective: Map internal systems, domains, and trust relationships.

Tools:
  • BloodHound for Active Directory.
  • Nmap and Netdiscover for network scanning.
  • PowerShell Active Directory Module
  • RSAT (Remote Server Administration Tools for Windows)

***

Lateral Movement

Objective: Simulate how attackers move between systems.

Techniques:
  • Pass-the-Hash or Pass-the-Ticket.
  • Remote desktop pivoting (RDP).
  • SSH pivoting between Linux hosts.
Tools:
  • CrackMapExec
  • Impacket

***

Collection

Objective: Identify sensitive data that attackers may target.

Examples:

  • PII and financial records in databases.
  • Source code or backups on servers.
  • Sensitive documents on workstations.
Tools:
  • PowerShell Active Directory Module
  • RSAT (Remote Server Administration Tools for Windows)

***

Command and Control (C2)

Objective: Test simulated remote control and outbound communication.

Tools:
  • Havoc
  • Cobalt Strike
  • Sliver
  • Cloud infrastructure for C2 (e.g., AWS, Azure)

***

Exfiltration

Objective: Simulate data leaving the organization without using real data.

Techniques:
  • Sending dummy data to a controlled external server.
  • Simulating slow, hidden data leaks.

***

Impact

Objective: Show potential effects of an attack safely and without harm.

Examples:

  • Simulated ransomware proof of concept.
  • Demonstrating how service availability could be disrupted.

Reporting and Recommendations

Deliverables:

  • Executive Summary – High-level overview for leadership.
  • Technical Findings – Detailed vulnerabilities with evidence.
  • Risk Ratings – Categorized as Critical, High, Medium, or Low.
  • Remediation Plan – Step-by-step actions to fix issues.
  • Defensive Strategy – Monitoring improvements, detection rules, and user training suggestions.

Conclusion

This methodology provides a safe, structured way to simulate real-world attacks on domain environments. By defining a clear scope, enforcing strict limitations, and following the MITRE ATT&CK framework, organizations can identify and address weaknesses across servers, databases, workstations, and network components, all without disrupting business operations.