Restricted Application Breakout Test
Trusted Cyber Security Experts
25+ Years Industry Experience
Ethical, Professional & Pragmatic
A Restricted Application Breakout Test identifies ways in which a user of your Citrix or other restricted desktop environment may be able to access functionality or resources which they are not authorised to access.
Restricted application environments can be complex – often easier to get working than they are to get working securely. Our breakout testing ensures that no-one can access systems or data that they are not authorised to access – whether employees or attackers from outside your organisation.
Can your users only access the applications or functionality that you’ve provisioned?
Is it possible for a malicious insider to gain command-level access to the underlying operating system using a set of compromised credentials?
Whether you’re using a Citrix or the latest VDI environment, our CREST accredited consultancy team will check your restricted application environment has been correctly set-up in line with security best practices and that your users can only access authorised functionality.
What types of vulnerabilities can a Restricted Application Breakout Test identify?
Conducting a breakout assessment on your restricted application environment helps you identify ways in which a malicious user who has access to the restricted application may be able to circumvent Some common vulnerabilities that we regularly find during Citrix and restricted application breakout tests include:
- Command Prompt access possible
- Horizontal or vertical privilege escalation
- Data exfiltration possible
- Unrestricted Office macros
- Local exploits possible
- Local server access possible from restricted application
- Unrestricted network access
- Batch file execution possible
Testing Process & Methodology
During the a restricted application breakout assessment, the following activities give examples of what our CREST accredited pen testing team will attempt using a standard Domain User account:
Gaining Command Prompt Access
If an attacker can gain access to the command prompt or PowerShell, they have the potential to quickly gain control of the server, install malware or cause damage. We will test a number of attack vectors including: abusing dialog boxes, Help menus and even the MS Paint app.
Executing Code Through Microsoft Office Macros
Access To Adjacent Network Hosts
If an attacker is able to compromise your restricted application server, Virtual Machines on the same host and other physical servers on the same network as the server could be targeted by the attacker. We will check that it is not possible for an attacker to jump from the Citrix host or restricted application server to other systems on your network.
Data Exfiltration
In most restricted desktop environments, strict controls are applied to prevent sensitive data from being sent outside of the organisation.
During the breakout test, our consultants will attempt to exfiltrate files out of the restricted application environment to one of SecureTeam’s remote servers over the Internet.
Although traditional file transfer methods (such as FTP or SMB) may be restricted by your perimeter network controls, other protocols (such as DNS or ICMP) will be attempted, as often these may pass through web proxies and internal DNS servers
Server Operating System Access
Regardless of whether your Citrix or restricted application server is running on Windows or Linux, if the host operating system can be accessed, it can be used as a stepping stone to compromise the entire server and then pivot an attack to other servers on the same network.
File System Access
The file system can be accessed in a number of ways if the restricted application environment is not correctly hardened. This could allow data to be exfiltrated, malware to be installed or the server configuration to be altered.
Exploit Code Execution
During the assessment, we will identify ways in which malicious code can be uploaded to the restricted application server. In a real-life attack, malicious users will often attempt to upload exploit code and hacking tools to the server so that they are able to further their attack. We will identify file upload functionality in the published applications and locate areas that may allow malicious applications to be uploaded by your users.
Vertical & Horizontal Privilege Escalation
Vertical Privilege Escalation is the ability for an attacker to elevate their rights to a more powerful user account, such as ‘Local Administrator’ or to run an application with those privileges.
Horizontal Privilege Escalation could allow the attacker to switch to a different user account in order to take advantage of the security permissions that the other user account has been granted.
The ability to do either of these things could enable an attacker to leverage the resources of the restricted environment server to establish a beachhead in your network and use that to launch further attacks from inside your network.
Preparing for your Application Breakout Test
- A signed & completed Testing Consent Form
- Logon credentials for a standard domain user account
- Access to your restricted application / Citrix logon portal
Reporting
Our clear & concise penetration test reports enable everyone in your organisation to understand the vulnerabilities that have been identified and the real-world risk that your systems and data are exposed to.
Our reports include:
- A “board-level friendly” Executive Summary
- Comprehensive, evidence-based vulnerability reporting
- Risk-based vulnerability ranking with CVSS Scoring
- Technical references and links for further research by your technical team
Debrief Call
Once you have received our final report, you have the option of attending a conference call between the consultant(s) involved in delivering your project and individuals within your organisation who you feel would benefit from a more in-depth discussion of the report’s findings.
After Care
Once our consultancy engagement is complete and our final report has been delivered to you, our consultancy team remain available to you indefinitely for any questions you may have surrounding the report’s findings or our consultancy engagement with you.
Why Choose SecureTeam?
- UK-based Consultancy Team
- Customer Focused
- Security Vetted Consultants
- Ethical Scoping & Pricing
- 25+ Years Industry Experience
- ISO 9001 & 27001 Certified
- CREST Accredited
- Comprehensive Reporting
Ready to take your cyber security to the next level ?
Trusted Cyber Security Experts
As an organisation, SecureTeam has provided penetration testing and cyber security consultancy to public & private sector organisations both in the United Kingdom and worldwide. We pride ourselves in taking a professional, pragmatic and customer-centric approach, delivering expert cyber security consultancy – on time and within budget – regardless of the size of your organisation.
Our customer base ranges from small tech start-ups through to large multi-national organisations across nearly every sector – in nearly every continent. Some of the organisation’s who have trusted SecureTeam as their cyber security partner include:
Customer Testimonials
"Within a very tight timescale, SecureTeam managed to deliver a highly professional service efficiently. The team helped the process with regular updates and escalation where necessary. Would highly recommend"
IoT Solutions Group Limited
“First class service as ever. We learn something new each year! Thank you to all your team.”
Royal Haskoning DHV
“We’ve worked with SecureTeam for a few years to conduct our testing. The team make it easy to deal with them; they are attentive and explain detailed reports in a jargon-free way that allows the less technical people to understand. I wouldn’t work with anyone else for our cyber security.”
Capital Asset Management
“SecureTeam provided Derbyshire's Education Data Hub with an approachable and professional service to ensure our schools were able to successfully certify for Cyber Essentials. The team provided a smooth end-to-end service and were always on hand to offer advice when necessary.”
Derbyshire County Council
“A very efficient, professional, and friendly delivery of our testing and the results. You delivered exactly what we asked for in the timeframe we needed it, while maintaining quality and integrity. A great job, done well.”
AMX Solutions
“We were very pleased with the work and report provided. It was easy to translate the provided details into some actionable tasks on our end so that was great. We always appreciate the ongoing support.”
Innovez LtdGet in touch today
If you’d like to see how SecureTeam can take your cybersecurity posture to the next level, we’d love to hear from you, learn about your requirements and then send you a free quotation for our services.
Our customers love our fast-turnaround, “no-nonsense” quotations – not to mention that we hate high-pressure sales tactics as much as you do.
We know that every organisation is unique, so our detailed scoping process ensures that we provide you with an accurate quotation for our services, which we trust you’ll find highly competitive.
Get in touch with us today and a member of our team will be in touch to provide you with a quotation.
Subscribe to our monthly newsletter
If you’d like to stay up-to-date with the latest cyber security news and articles from our technical team, you can sign up to our monthly newsletter.
We hate spam as much as you do, so we promise not to bombard you with emails. We’ll send you a single, curated email each month that contains all our cyber security news and articles that we’ve released that month.
“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”
Aim Ltd Chief Technology Officer (CTO)