A 9-day Red Team engagement at one of Turkey's top 5 banks
A 9-day Black Box Red Team engagement for a mega-bank. Phishing → endpoint → AD → core banking jump server. 12 critical · 28 high findings. All vulnerabilities were closed in 30 days · stayed clean for 18 months.
01 The Challenge
The bank's internal security team requested an external Red Team for the annual audit. The goal: how would a real APT or organized crime group attack? The rules: no scope restrictions · the prod environment included · the internal team unaware. The question: 'Through which door of the bank can we get in, and from there can we reach core banking?'
02 DSET's Approach
Day 0 · OSINT
LinkedIn · GitHub · pastebin · darkweb scanning. 3 employee e-mails + 1 leaked credential were identified. The bank's AWS S3 bucket was misconfigured · no data but structural information exposed.
Day 1-2 · Initial access
A targeted phishing campaign · the CFO's secretary clicked · the payload bypassed AppLocker (using LOLBins). Persistence was established.
Day 3-4 · Privilege escalation
Local admin obtained · LSASS dump · 3 different domain user credentials. A service account hash via Kerberoasting · offline crack.
Day 5-6 · Lateral movement
4 different jump paths to reach Domain Admin access. The shortest: core banking subnet access in 11 hops.