Positive Technologies pentests find hackers are difficult to distinguish from legitimate users

Positive Technologies experts have conducted internal penetration testing¹, simulating attacks from a malefactor located inside the company. Their analysis, summarized in the report Penetration Testing of Corporate Information Systems, shows that almost half of the actions attackers take are identical to the usual activities of users and administrators, and that in most companies even a low-skilled hacker could obtain control of the infrastructure.

In 2019, our testers, acting as internal attackers, managed to obtain full control of the infrastructure at all tested companies², usually within three days. One network took just 10 minutes. At 61 percent of the companies, we found at least one simple way to obtain control of the infrastructure that would have been feasible even for a low-skilled hacker.

The experts noted that legitimate actions indistinguishable from regular user activity accounted for 47 percent of the actions that allowed pentesters to build an attack vector. These actions included creating new privileged users on network hosts, creating a memory dump of lsass.exe, exporting registry hives, and sending requests to the domain controller. They allow hackers to obtain the credentials of corporate network users or the information needed to develop the attack. The risk is that such actions are hard to differentiate from the usual activities of users and administrators, making it more likely that the attack will go unnoticed. These incidents can, however, be detected with security incident detection systems.
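The detection the paragraph alludes to can be shown concretely. The following is an added example, not code from Positive Technologies or from the report: it maps three of the actions named above (new privileged users, lsass.exe memory access, registry hive export) onto the Windows Security event IDs 4720/4728/4732/4756/4688 and Sysmon event ID 10, and then correlates the hits per host and account, because each action on its own is something an administrator might legitimately do, whereas several of them by one actor on one host is the signal worth alerting on. The event records, the privileged-group list and the lsass.exe reader allowlist are constructed for the example and would be tuned per environment.

```python
"""Flag the 'legitimate-looking' actions the report lists in Windows Security
and Sysmon events, then correlate them per actor. Added example with
constructed events; not code from Positive Technologies or the report."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    source: str          # "Security" (Windows Security log) or "Sysmon"
    event_id: int
    host: str
    user: str            # subject account that performed the action
    fields: dict = field(default_factory=dict)


# Groups whose membership changes deserve a finding (constructed list; tune per domain)
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

# Processes expected to open lsass.exe with read access (constructed allowlist; tune per build)
LSASS_READERS_ALLOWED = {r"C:\Windows\System32\csrss.exe", r"C:\Windows\System32\wininit.exe"}

PROCESS_VM_READ = 0x0010   # access right needed to read another process's memory
HIVES_OF_INTEREST = ("hklm\\sam", "hklm\\security", "hklm\\system")


def classify(ev):
    """Map one event to (category, detail) or None. Each category alone is
    something an administrator might legitimately do; correlate() handles that."""
    if ev.source == "Security" and ev.event_id == 4720:          # user account created
        return ("account_created", f"account {ev.fields.get('TargetUser')} created on {ev.host}")
    if ev.source == "Security" and ev.event_id in (4728, 4732, 4756):   # member added to global/local/universal group
        group = ev.fields.get("TargetGroup")
        if group in PRIVILEGED_GROUPS:
            return ("privileged_group_change", f"{ev.fields.get('Member')} added to {group} on {ev.host}")
    if ev.source == "Sysmon" and ev.event_id == 10:               # ProcessAccess
        target = ev.fields.get("TargetImage", "")
        if target.lower().endswith("\\lsass.exe"):
            granted = int(ev.fields.get("GrantedAccess", "0x0"), 16)
            src = ev.fields.get("SourceImage", "")
            if granted & PROCESS_VM_READ and src not in LSASS_READERS_ALLOWED:
                return ("lsass_read", f"{src} read lsass.exe memory on {ev.host}")
    if ev.source == "Security" and ev.event_id == 4688:          # process creation (needs command-line auditing on)
        cmd = ev.fields.get("CommandLine", "")
        low = cmd.lower()
        if ("reg.exe" in low or low.startswith("reg ")) and (" save " in low or " export " in low):
            if any(h in low for h in HIVES_OF_INTEREST):
                return ("hive_export", f"registry hive export on {ev.host}: {cmd}")
    return None


def detect(events):
    """All per-event findings as (host, user, category, detail) tuples."""
    out = []
    for ev in events:
        hit = classify(ev)
        if hit:
            out.append((ev.host, ev.user, hit[0], hit[1]))
    return out


def correlate(findings, min_categories=2):
    """Group findings by (host, user) and keep actors that performed at least
    min_categories distinct kinds of credential-access activity."""
    by_actor = {}
    for host, user, cat, detail in findings:
        by_actor.setdefault((host, user), {}).setdefault(cat, []).append(detail)
    return {actor: cats for actor, cats in by_actor.items() if len(cats) >= min_categories}


# Constructed sample events: one workstation where a single account does several
# of the listed actions, plus a helpdesk account creating one ordinary user on a DC.
SAMPLE_EVENTS = [
    Event("Security", 4624, "WS-0142", "CORP\\jdoe", {"LogonType": "2"}),                       # ordinary logon
    Event("Security", 4720, "WS-0142", "CORP\\jdoe", {"TargetUser": "svc_backup2"}),
    Event("Security", 4732, "WS-0142", "CORP\\jdoe", {"Member": "svc_backup2", "TargetGroup": "Administrators"}),
    Event("Sysmon", 10, "WS-0142", "CORP\\jdoe", {"SourceImage": r"C:\Windows\System32\csrss.exe",
                                                  "TargetImage": r"C:\Windows\System32\lsass.exe",
                                                  "GrantedAccess": "0x1400"}),                   # no VM_READ: benign
    Event("Sysmon", 10, "WS-0142", "CORP\\jdoe", {"SourceImage": r"C:\Windows\System32\taskmgr.exe",
                                                  "TargetImage": r"C:\Windows\System32\lsass.exe",
                                                  "GrantedAccess": "0x1410"}),                   # includes VM_READ
    Event("Security", 4688, "WS-0142", "CORP\\jdoe", {"CommandLine": r"reg.exe save HKLM\SAM C:\Users\Public\sam.hiv"}),
    Event("Security", 4688, "WS-0142", "CORP\\jdoe", {"CommandLine": r"reg.exe query HKLM\SOFTWARE\Microsoft\Windows"}),
    Event("Security", 4720, "DC01", "CORP\\helpdesk", {"TargetUser": "newhire07"}),              # single action: not escalated
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print("finding:", f)
    for actor, cats in correlate(detect(SAMPLE_EVENTS)).items():
        print("escalate:", actor, sorted(cats))
```

Two caveats apply in practice: event 4688 carries the command line only when "Include command line in process creation events" auditing is enabled, and a production rule would also bound the correlation by a time window rather than grouping over the whole input as this example does.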

The testing also demonstrated that attackers can exploit known vulnerabilities in outdated software versions to remotely execute arbitrary code, escalate privileges, or obtain sensitive information. What the experts see most often is a lack of current OS updates. For example, according to Positive Technologies pentesters, in 30 percent of companies they can still find the Windows vulnerabilities described in the 2017 Security Bulletin MS17-010, and sometimes even MS08-067 (dated October 2008).

"During attacks on internal networks, hackers usually use peculiarities of the OS architecture and of the Kerberos and NTLM authentication mechanisms to collect credentials and move between computers. For instance, the hackers can extract credentials from OS memory with special utilities, such as mimikatz, secretsdump, and procdump, or with built-in OS tools, such as taskmgr, for creating a memory dump of the lsass.exe process," comments Dmitry Serebryannikov, Director of Security Audit Department, Positive Technologies. "In order to mitigate the risk of an internal attack, we recommend using current Windows versions (8.1 or later on workstations and Windows Server 2012 R2 or later on servers). Privileged domain users should also be placed in the Protected Users group. Recent versions of Windows 10 and Windows Server 2016 have Remote Credential Guard, a technology for isolating and protecting lsass.exe from unauthorized access. For extra protection of privileged accounts such as domain administrators, we recommend two-factor authentication."

"In an internal pentest, the specialists can demonstrate the feasibility of actuating business risks or obtaining access to business systems," explains Ekaterina Kilyusheva, Head of Information Security Analytics Research Group at Positive Technologies. "Risks vary by company, but some of them are common to many, such as compromise of critical information in case of access to executive workstations. For instance, during internal pentests our specialists could access the technological networks of industrial companies and the ATM control systems of banks, thus demonstrating the real threat an attack poses to the company. By empirically assessing anticipated business risks, penetration testing enables building an efficient, effective security system based on the best available options."

  1. The dataset consists of 23 projects involving internal penetration testing performed in 2019 for clients that gave their consent to use such data for statistical purposes.
  2. During an internal pentest, we simulate attacks from a malefactor located inside the company (for instance, attacks performed with typical employee privileges or as a random visitor).