I Came In Like A Wrecking Ball
This talk demonstrates various offensive security techniques for compromising small business environments, focusing on initial access and privilege escalation. The speaker details methods such as phishing with malicious ISO files to bypass Mark-of-the-Web (MOTW) protections, NTLM relay attacks, and RDP shadowing. The presentation highlights the importance of auditing security configurations, such as SMB signing and local administrator privileges, to prevent lateral movement and domain compromise.
Bypassing Modern Defenses: The Reality of Small Business Compromise
TLDR: This post breaks down how attackers move from initial phishing to full domain compromise in small business environments. By leveraging techniques like ISO-based MOTW bypasses, NTLM relaying, and RDP shadowing, researchers can demonstrate how easily misconfigured internal networks fall. Security teams must prioritize requiring SMB signing, enforcing strict local administrator policies, and deploying robust EDR to stop these lateral movement chains.
Small businesses are often treated as an afterthought in threat modeling, but they are the primary hunting ground for attackers looking for a path of least resistance. While enterprise environments are hardened with layers of security, small businesses frequently rely on flat networks and default configurations that make lateral movement trivial. The recent research presented at BSides SLC 2023 highlights a critical reality: if you can get a single foothold, you can often own the entire domain before the end of the day.
The Phishing Chain: Bypassing Mark-of-the-Web
Initial access remains the most reliable way to enter a network, but modern Windows security features like Mark-of-the-Web (MOTW) have made traditional macro-based phishing significantly harder. When a user downloads a file from the internet, Windows tags it, and Office applications will block macros by default.
Attackers have pivoted to using ISO files to circumvent this. Because an ISO is a container, the files inside do not inherit the MOTW tag when extracted. By sending a malicious document inside an ISO, an attacker can trick a user into opening a file that executes arbitrary code without the usual security warnings. This technique is a masterclass in understanding how operating systems handle file metadata. Once the user mounts the ISO and opens the document, the attacker gains their first execution point.
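The mechanism behind the ISO trick is visible in the file metadata itself. The following Python script is an added example (not code from the talk) that parses the `Zone.Identifier` alternate data stream Windows writes for downloaded files, maps the zone number to its name, and reports whether Office's default macro block would apply. The sample stream content, the `.iso` and `.docm` paths and the `example.test` hostnames are constructed for illustration; the `read_zone_identifier` function only returns a tag on an NTFS volume, which is exactly why a document opened from a mounted ISO (a separate CDFS/UDF volume with no alternate data streams) comes back untagged.

```python
import configparser

# Zone values Windows writes into the Zone.Identifier stream (URLMON security zones).
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample of what a browser writes next to a downloaded invoice.iso.
SAMPLE_STREAM = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://mail.example.test/
HostUrl=https://files.example.test/invoice.iso
"""


def parse_zone_identifier(stream_text):
    """Parse the INI-style Zone.Identifier stream; None if it carries no ZoneId."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(stream_text)
    if not cp.has_section("ZoneTransfer") or not cp.has_option("ZoneTransfer", "ZoneId"):
        return None
    zone = cp.getint("ZoneTransfer", "ZoneId")
    return {
        "zone_id": zone,
        "zone_name": ZONE_NAMES.get(zone, "Unknown"),
        "host_url": cp.get("ZoneTransfer", "HostUrl", fallback=None),
        "referrer_url": cp.get("ZoneTransfer", "ReferrerUrl", fallback=None),
    }


def read_zone_identifier(path):
    """Read the NTFS alternate data stream <path>:Zone.Identifier (Windows/NTFS only).

    Returns None when the stream is absent: a file inside a mounted ISO, or any
    file on a CDFS/UDF/FAT volume, has no alternate data streams and so no MOTW.
    """
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


def macros_blocked_by_default(tag):
    """Office's default policy blocks macros for files tagged Internet or Restricted sites."""
    return tag is not None and tag["zone_id"] in (3, 4)


def explain(path, tag):
    verdict = "macros blocked" if macros_blocked_by_default(tag) else "treated as trusted"
    origin = f"{tag['zone_name']} ({tag['host_url']})" if tag else "no Zone.Identifier stream"
    return f"{path}: {origin} -> {verdict}"


if __name__ == "__main__":
    downloaded = parse_zone_identifier(SAMPLE_STREAM)
    print(explain(r"C:\Users\alice\Downloads\invoice.iso", downloaded))
    # The document inside the mounted ISO has no stream at all (constructed path).
    print(explain(r"E:\invoice.docm", read_zone_identifier(r"E:\invoice.docm")))
```

Run on a Windows host, `read_zone_identifier` against a file in the Downloads folder returns the tag, and against the same document copied from a mounted ISO returns `None`; that difference is the whole bypass, and it is also what a detection rule on "Office opened a document from a removable or virtual DVD drive" is trying to catch.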
Lateral Movement via NTLM Relaying
Once inside, the goal is to escalate privileges and move laterally. A common misconfiguration in small business environments is the lack of SMB signing. Without it, an attacker can perform an NTLM relay attack.
By using tools like Responder or Impacket, an attacker can intercept authentication requests and relay them to other machines on the network. If a domain administrator happens to authenticate to a compromised machine, the attacker can capture that NTLM authentication and relay it to a domain controller to gain full administrative access. The mechanical simplicity of this attack is what makes it so dangerous. It does not require complex exploits or zero-days. It only requires a network that trusts its own internal traffic too much.
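Whether a host is relayable comes down to two bits in its SMB2 NEGOTIATE response. The Python below is an added example (not from the talk or from Responder/Impacket) that parses those bits, `SMB2_NEGOTIATE_SIGNING_ENABLED` and `SMB2_NEGOTIATE_SIGNING_REQUIRED` from the MS-SMB2 SecurityMode field, out of a response message and states the relay consequence; it also builds a constructed response so the parser can be exercised offline. The builder fills only the fields the parser reads; everything else is zeroed. The same parse applies to a response captured from the wire, and Impacket's `SMBConnection.isSigningRequired()` performs the equivalent check over a live connection.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001   # set on every server -> client message
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001   # SecurityMode bits (MS-SMB2 2.2.4)
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002

DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}


def parse_negotiate_response(msg):
    """Extract SecurityMode and dialect from an SMB2 NEGOTIATE response.

    msg is the SMB2 message with the 4-byte NetBIOS session header removed.
    """
    if len(msg) < 64 + 6:
        raise ValueError("too short for an SMB2 header plus NEGOTIATE response")
    if msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    header_size, = struct.unpack_from("<H", msg, 4)
    command, = struct.unpack_from("<H", msg, 12)
    flags, = struct.unpack_from("<I", msg, 16)
    if header_size != 64 or command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a server NEGOTIATE response")
    body_size, security_mode, dialect = struct.unpack_from("<HHH", msg, 64)
    if body_size != 65:
        raise ValueError(f"unexpected NEGOTIATE response StructureSize {body_size}")
    return {
        "dialect": DIALECTS.get(dialect, hex(dialect)),
        "signing_enabled": bool(security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
        "signing_required": bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED),
    }


def relay_exposure(info):
    """Only 'required' matters: 'enabled' without 'required' still accepts unsigned sessions."""
    if info["signing_required"]:
        return "signing required: relayed sessions to this host fail"
    return "signing not required: NTLM relay to this host is possible"


def build_negotiate_response(security_mode, dialect=0x0311):
    """Constructed sample response; only the fields the parser reads are meaningful."""
    header = SMB2_MAGIC + struct.pack(
        "<HHIHHIIQIIQ",
        64, 0, 0,                     # StructureSize, CreditCharge, Status
        SMB2_NEGOTIATE, 1,            # Command, CreditResponse
        SMB2_FLAGS_SERVER_TO_REDIR,   # Flags
        0, 1, 0, 0, 0,                # NextCommand, MessageId, Reserved, TreeId, SessionId
    ) + b"\x00" * 16                  # Signature
    body = (
        struct.pack("<HHHH", 65, security_mode, dialect, 0)      # StructureSize, SecurityMode, Dialect, ContextCount
        + b"\x00" * 16                                           # ServerGuid
        + struct.pack("<IIII", 0, 0x800000, 0x800000, 0x800000)  # Capabilities, MaxTransact/Read/Write
        + struct.pack("<QQHHI", 0, 0, 0, 0, 0)                   # times, security buffer, context offset
    )
    return header + body


if __name__ == "__main__":
    # Typical workstation default: signing enabled but not required.
    for mode in (SMB2_NEGOTIATE_SIGNING_ENABLED,
                 SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED):
        info = parse_negotiate_response(build_negotiate_response(mode))
        print(info, "->", relay_exposure(info))
```

The "enabled but not required" combination is the one that matters in practice: it is the out-of-the-box state of Windows workstations and member servers, and it is what Responder and ntlmrelayx look for when choosing relay targets. Auditing every host for `signing_required` is the fastest way to measure how much of the estate is exposed before the policy in the defensive section is rolled out.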
RDP Shadowing and Credential Harvesting
Another often overlooked vector is RDP shadowing. While RDP is a standard administrative tool, it can be weaponized to monitor users in real-time without their consent. By modifying registry keys to enable shadowing, an attacker can silently join an active user session.
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v Shadow /t REG_DWORD /d 4
Once the shadow session is active, the attacker can watch the user log into sensitive applications, such as banking portals or internal ERP systems. If the user has saved credentials or is using a weak password policy, the attacker can harvest them directly. This is not just about technical compromise; it is about observing human behavior to bypass authentication controls that are otherwise difficult to break.
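The registry change quoted above is also the audit point. The following Python is an added example (not from the talk) that checks the `Shadow` policy value the `reg add` command sets, both directly through `winreg` on a Windows host and by parsing `reg query` output collected from a fleet, and flags the two settings (2 and 4) under which a session can be shadowed without the user ever being asked. The `reg query` output for the hosts `ws01` and `ws02` is constructed; the meaning of each value follows the "Set rules for remote control of Remote Desktop Services user sessions" policy.

```python
import re

SHADOW_POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
SHADOW_VALUE = "Shadow"

# Meaning of the Shadow REG_DWORD set by the Group Policy
# "Set rules for remote control of Remote Desktop Services user sessions".
SHADOW_MODES = {
    0: "remote control disabled",
    1: "full control, user's permission required",
    2: "full control, no permission required",
    3: "view session, user's permission required",
    4: "view session, no permission required",
}
SILENT_MODES = {2, 4}   # the user is never prompted

# Constructed sample of `reg query "HKLM\...\Terminal Services" /v Shadow` output from two hosts.
SAMPLE_REG_QUERY = {
    "ws01": "\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services"
            "\r\n    Shadow    REG_DWORD    0x4\r\n\r\n",
    "ws02": "\r\nERROR: The system was unable to find the specified registry key or value.\r\n",
}

_VALUE_LINE = re.compile(r"^\s*Shadow\s+REG_DWORD\s+(0x[0-9a-fA-F]+|\d+)\s*$", re.M)


def parse_shadow_value(reg_query_output):
    """Return the Shadow DWORD from reg query text, or None when the value is not set."""
    m = _VALUE_LINE.search(reg_query_output)
    return int(m.group(1), 0) if m else None


def read_local_shadow_value():
    """Read the value directly on a Windows host; None if unset or not running on Windows."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SHADOW_POLICY_KEY) as key:
            value, kind = winreg.QueryValueEx(key, SHADOW_VALUE)
            return value if kind == winreg.REG_DWORD else None
    except OSError:
        return None


def assess(value):
    """Classify a Shadow value as ok / alert / info with a human-readable reason."""
    if value is None:
        return ("info", "Shadow policy not configured; the per-connection RDP setting applies")
    desc = SHADOW_MODES.get(value, f"unknown value {value}")
    if value in SILENT_MODES:
        return ("alert", f"Shadow={value}: {desc}; sessions can be watched without consent")
    return ("ok", f"Shadow={value}: {desc}")


def audit(outputs):
    """Map host -> (level, message) for a dict of host -> reg query output."""
    return {host: assess(parse_shadow_value(text)) for host, text in outputs.items()}


if __name__ == "__main__":
    for host, (level, msg) in audit(SAMPLE_REG_QUERY).items():
        print(f"{host}: [{level}] {msg}")
    print("local:", assess(read_local_shadow_value()))
```

A value of 2 or 4 appearing on a workstation that never had that policy deployed is a strong indicator, since neither the default nor a normal help-desk configuration sets consentless modes; treating the registry write itself as an EDR-worthy event is the complement to this periodic audit.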
The Role of Local Administrator Privileges
The most significant failure point in these environments is the widespread distribution of local administrator rights. When every developer or IT staff member has local admin access, the attacker does not need to find a vulnerability to escalate privileges. They are already there.
Dumping the LSASS process becomes trivial when you have the necessary permissions. Using tools like Mimikatz, an attacker can extract clear-text credentials or NTLM hashes from memory. Once you have the credentials of a domain admin, the game is over. The network is no longer a collection of individual machines; it is a single, unified target.
Defensive Strategies for the Real World
Defending against these attacks does not require a massive budget, but it does require discipline. First, enforce SMB signing across the entire domain to kill relay attacks. Second, remove local administrator rights from standard user accounts. If a user needs to perform an administrative task, use a separate, restricted account for that purpose.
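Both the privilege-escalation path above (anyone in the local Administrators group can read LSASS) and the second defensive step here reduce to one question per machine: who is actually in that group? The Python below is an added example (not from the talk) that parses `net localgroup Administrators` output, compares the members with an allowlist and returns the principals that should not be there. The `CORP` domain, the sample output and the allowlist are constructed; `audit_local_host` runs the real command on a Windows machine, while `parse_net_localgroup` can be fed output collected from many hosts.

```python
import subprocess

# Principals expected in the local Administrators group on a workstation.
# Constructed baseline for a hypothetical CORP domain.
ALLOWLIST = {
    "Administrator",             # built-in account; ideally disabled or LAPS-managed
    "CORP\\Domain Admins",
    "CORP\\Workstation Admins",  # the separate, restricted admin accounts the text recommends
}

# Constructed sample of `net localgroup Administrators` output from one workstation.
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\jdoe
CORP\\Workstation Admins
CORP\\dev-team
The command completed successfully.

"""


def parse_net_localgroup(text):
    """Return the member names listed after the dashed separator in net localgroup output."""
    lines = text.splitlines()
    try:
        start = next(i for i, line in enumerate(lines) if line.startswith("-----"))
    except StopIteration:
        raise ValueError("no member section found in net localgroup output") from None
    members = []
    for line in lines[start + 1:]:
        line = line.strip()
        if not line or line.startswith("The command completed"):
            continue
        members.append(line)
    return members


def unexpected_admins(members, allowlist=ALLOWLIST):
    """Members of the group that are not on the allowlist, sorted for stable reporting."""
    return sorted(m for m in members if m not in allowlist)


def audit_local_host():
    """Run the real command on this (Windows) host and return the unexpected members."""
    result = subprocess.run(
        ["net", "localgroup", "Administrators"],
        capture_output=True, text=True, check=True,
    )
    return unexpected_admins(parse_net_localgroup(result.stdout))


if __name__ == "__main__":
    members = parse_net_localgroup(SAMPLE_OUTPUT)
    print("members:", members)
    print("unexpected:", unexpected_admins(members))
```

In the sample, `CORP\jdoe` (a day-to-day user account) and `CORP\dev-team` (a whole group) are the findings: either one turns a single phished workstation into an LSASS dump and, from there, into every credential that has ever logged on to it. On hosts where PowerShell is available, `Get-LocalGroupMember Administrators` gives the same list in structured form and avoids the text parsing.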
Finally, move beyond basic antivirus. Modern Endpoint Detection and Response (EDR) solutions are designed to detect the behavioral patterns of these attacks, such as process injection or suspicious registry modifications, rather than just looking for known malicious file signatures.
Security is not a static state. It is a continuous process of auditing your environment and closing the gaps that attackers are actively exploiting. If you are a pentester, use these techniques to show your clients exactly where their trust is misplaced. If you are a defender, start by assuming your perimeter is already breached and focus on making the internal environment as hostile to an attacker as possible. The goal is not to be perfect, but to make the cost of compromise higher than the value of the data you are protecting.