Sample Assessment Report
Redacted for confidentiality
Breach & Attack Simulation
Continuous Security Control Validation
Client: Confidential Client — Financial Institution
Environment: EDR (CrowdStrike Falcon), SIEM (Splunk Enterprise Security), email gateway (Proofpoint), network detection (Darktrace), 500-endpoint Windows environment
Duration: 5 business days
Framework: MITRE ATT&CK Enterprise v14
Executive Summary
UnlockSec executed 47 adversary simulation scenarios across the MITRE ATT&CK framework to validate the effectiveness of the client's security controls. 31% of test scenarios generated no alert in either the EDR or SIEM. Critical gaps include complete absence of lateral movement detection, no alerting on LSASS credential dumping, and Cobalt Strike C2 beacon traffic passing through the network perimeter undetected.
Methodology
Sample Findings
LSASS Credential Dumping — Zero Detection
Description
Mimikatz sekurlsa::logonpasswords executed against 5 test endpoints produced no EDR alert and no SIEM event. CrowdStrike Falcon is deployed but the 'Credential Theft' prevention policy is set to 'Detect Only' rather than 'Prevent'. Credentials of 3 domain admin accounts were successfully harvested.
Recommendation
Set the CrowdStrike credential theft prevention policy to 'Prevent'. Enable Protected Process Light (PPL) for LSASS. Deploy Credential Guard on all Windows 10/11 and Server 2016+ systems. Create a SIEM alert on Sysmon Event ID 10 (ProcessAccess) where the target process is lsass.exe.
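The following is an added example, not part of the report and not the client's SIEM content: the LSASS alert from the recommendation above expressed as detection logic over constructed Sysmon Event ID 10 (ProcessAccess) records. Field names follow Sysmon's schema (SourceImage, TargetImage, GrantedAccess); the allowlist entries and the access-mask filter are assumptions that a tuning exercise against real baseline data would adjust.

```python
"""Detect process access to lsass.exe from Sysmon Event ID 10 records.

Added example; the events and the allowlist below are constructed, not taken
from any client environment.
"""

# Win32 process access rights.  Reading credentials out of LSASS memory needs
# PROCESS_VM_READ; handles that lack it (query-only access) cannot dump anything,
# so they are the main source of noise a rule should filter.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Assumed allowlist of images that legitimately open LSASS with read access
# (AV / EDR sensors).  Built from baseline data in a real deployment.
ALLOWLISTED_SOURCE_IMAGES = {
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed sample events in Sysmon's ProcessAccess field layout.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\jdoe\Downloads\mimikatz.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010",
     "User": "CORP\\jdoe", "Computer": "WS01"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1fffff",
     "User": "NT AUTHORITY\\SYSTEM", "Computer": "WS01"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1400",
     "User": "NT AUTHORITY\\SYSTEM", "Computer": "WS02"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1010",
     "User": "CORP\\jdoe", "Computer": "WS02"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "Computer": "WS03"},
    # Renamed dumper: the path is unknown to the allowlist and it asks for full access.
    {"EventID": 10, "SourceImage": r"C:\Windows\Temp\svc.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1fffff",
     "User": "CORP\\admin_svc", "Computer": "WS03"},
]


def is_lsass_access(event):
    """True for a Sysmon ProcessAccess event whose target is lsass.exe."""
    return (event.get("EventID") == 10
            and event.get("TargetImage", "").lower().endswith(r"\lsass.exe"))


def detect_lsass_access(events):
    """Return one alert per suspicious LSASS handle open.

    Suspicious means: target is lsass.exe, the granted mask includes
    PROCESS_VM_READ, and the source image is not on the allowlist.
    """
    alerts = []
    for ev in events:
        if not is_lsass_access(ev):
            continue
        granted = int(ev["GrantedAccess"], 16)  # Sysmon logs the mask as hex text
        if not granted & PROCESS_VM_READ:
            continue  # cannot read memory, so cannot dump credentials
        if ev["SourceImage"].lower() in ALLOWLISTED_SOURCE_IMAGES:
            continue
        alerts.append({
            "host": ev["Computer"],
            "user": ev["User"],
            "source_image": ev["SourceImage"],
            "granted_access": hex(granted),
            "can_query": bool(granted & PROCESS_QUERY_INFORMATION),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_lsass_access(SAMPLE_EVENTS):
        print(alert)
```

The mask check is what keeps this rule quiet on a normal host: many system processes open LSASS with query-only rights, while credential dumpers need PROCESS_VM_READ. The allowlist is a deliberate second filter so that a renamed tool running from an unexpected path (the last sample event) still alerts even when it requests the same rights as the EDR sensor.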
Cobalt Strike C2 — HTTPS Beacon Undetected
Description
A Cobalt Strike beacon configured with an HTTPS malleable C2 profile (mimicking Microsoft Teams traffic) maintained persistent C2 communication for 72 hours without triggering any network detection (Darktrace) or proxy alert. The beacon used domain fronting via a legitimate CDN provider.
Recommendation
Update Darktrace models with Cobalt Strike-specific behavioral indicators. Implement JA3/JA3S fingerprinting on TLS traffic. Block known domain-fronting CDN paths via proxy policy. Enable HTTPS inspection for high-risk traffic categories.
Lateral Movement — Pass-the-Hash Undetected
Description
Pass-the-Hash attacks using harvested NTLM hashes for lateral movement across 12 workstations generated no alerts in either the EDR or SIEM. Windows Event ID 4624 (Logon Type 3) is logged but no correlation rule exists to flag repeated network logons from a single source within a short timeframe.
Recommendation
Create a SIEM correlation rule that alerts on more than 3 Event ID 4624 (Logon Type 3) logons from a single source within 5 minutes. Enable Credential Guard to prevent NTLM hash theft. Implement Microsoft LAPS for local administrator password uniqueness.
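The correlation rule above, as an added example that is not part of the report and not the Splunk SPL the deliverables mention: a sliding 5-minute window over Windows Security Event ID 4624 records, grouped by source address, that alerts when any window holds more than 3 Logon Type 3 events. Field names mirror the Security log (IpAddress, LogonType, TargetUserName, Computer) and the events are constructed sample data; a real rule would also carry an allowlist for scanners and backup servers that legitimately fan out network logons.

```python
"""Sliding-window correlation for repeated network logons (Event ID 4624, Type 3).

Added example; the events below are constructed and the threshold / window
values are the ones stated in the recommendation.
"""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 3                 # alert when a window holds more than this many logons
WINDOW = timedelta(minutes=5)


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def ev(time, event_id, logon_type, ip, user, computer):
    return {"TimeCreated": time, "EventID": event_id, "LogonType": logon_type,
            "IpAddress": ip, "TargetUserName": user, "Computer": computer}


# Constructed sample: one source fanning out across five workstations in under
# four minutes, one slow source spread over twenty minutes, one quiet file
# server, plus events the rule must ignore (interactive logon, failed logon).
SAMPLE_EVENTS = [
    ev("2024-03-04T09:00:10", 4624, 3, "10.0.5.23", "admin_svc", "WS01"),
    ev("2024-03-04T09:00:45", 4624, 3, "10.0.5.23", "admin_svc", "WS02"),
    ev("2024-03-04T09:01:30", 4624, 3, "10.0.5.23", "admin_svc", "WS03"),
    ev("2024-03-04T09:02:05", 4624, 3, "10.0.5.23", "admin_svc", "WS04"),
    ev("2024-03-04T09:03:40", 4624, 3, "10.0.5.23", "admin_svc", "WS05"),
    ev("2024-03-04T09:00:00", 4624, 3, "10.0.9.9", "backup", "FS01"),
    ev("2024-03-04T09:07:00", 4624, 3, "10.0.9.9", "backup", "FS02"),
    ev("2024-03-04T09:14:00", 4624, 3, "10.0.9.9", "backup", "FS03"),
    ev("2024-03-04T09:21:00", 4624, 3, "10.0.9.9", "backup", "FS04"),
    ev("2024-03-04T09:01:00", 4624, 3, "10.0.1.10", "jdoe", "FS01"),
    ev("2024-03-04T09:02:00", 4624, 3, "10.0.1.10", "jdoe", "FS01"),
    ev("2024-03-04T09:02:30", 4624, 2, "-", "jdoe", "WS09"),         # interactive, not Type 3
    ev("2024-03-04T09:02:50", 4625, 3, "10.0.5.23", "admin_svc", "WS06"),  # failed logon
]


def correlate_network_logons(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per source IP whose Type-3 logons exceed the threshold
    inside any window of the given length.  The alert reports the densest window."""
    by_source = defaultdict(list)
    for e in events:
        if e["EventID"] == 4624 and int(e["LogonType"]) == 3:
            by_source[e["IpAddress"]].append(e)

    alerts = []
    for source, evs in by_source.items():
        evs.sort(key=lambda e: parse_time(e["TimeCreated"]))
        times = [parse_time(e["TimeCreated"]) for e in evs]
        start, best = 0, None
        for end in range(len(evs)):
            # Advance the window start until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold and (best is None or count > best["count"]):
                hit = evs[start:end + 1]
                best = {"source": source, "count": count,
                        "first": evs[start]["TimeCreated"], "last": evs[end]["TimeCreated"],
                        "hosts": sorted({e["Computer"] for e in hit}),
                        "users": sorted({e["TargetUserName"] for e in hit})}
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in correlate_network_logons(SAMPLE_EVENTS):
        print(alert)
```

Reporting the distinct target hosts alongside the count is what makes the alert actionable: a single source reaching five different workstations with one account in under four minutes reads as lateral movement, whereas the same count against one file server is usually an application retrying. The slow source in the sample shows why the window matters; it produces four logons in total but never more than one inside any 5-minute span, so it stays silent.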
Email Gateway — Malicious Macro Documents Delivered
Description
15 of 20 phishing simulation emails containing malicious Office macro documents were delivered to test mailboxes, bypassing Proofpoint's sandbox analysis. Macros executing WMI for process spawning and PowerShell with base64-encoded payloads were not detected.
Recommendation
Tune Proofpoint sandbox policies to enable macro-based document detonation. Configure Office 365 to block macro execution in files from the internet. Deploy application control policies to block LOLBins (wscript, cscript, mshta) for standard users.
* Showing 4 of 35 total findings. Full report provided upon engagement.
Risk Summary
Deliverables Included
- MITRE ATT&CK heatmap showing detection coverage
- Per-technique test result (detected / alerted / blocked / missed)
- SIEM rule recommendations (Splunk SPL provided)
- EDR policy optimisation recommendations
- Quarterly re-simulation schedule proposal
Ready for a real assessment?
Get a tailored Breach & Attack Simulation engagement led by certified operators with unlimited retests.