# HollowRoot — Insider Threat and IAM Breach Simulation

HollowRoot is a full-scale red and blue team simulation project designed to showcase the consequences of poor identity governance, excessive internal trust, and hybrid cloud mismanagement. The environment centers around a fictional financial institution, **Blackridge Bank**, and draws inspiration from real-world breaches such as Uber, Capital One, and Microsoft Storm-0558.

This project documents how a rogue intern escalates privileges from a limited user account in on-premises Active Directory to full control of the organization's Azure cloud environment — using only misconfigurations, overprivilege, and native tools.

---

## 1. Enterprise Environment Setup

### Active Directory (On-Prem)

- Domain: `blackridge.local` (Windows Server 2022)
- OU structure: top-level by site (`Headquarters`, `Lincoln`, `Remote`), with sub-OUs for each department (`IT`, `Finance`, `HR`, etc.)
- 100 users deployed via PowerShell with realistic names and password patterns
- RBAC enforced using `GG_`-prefixed global groups (e.g., `GG_CS_Users`, `GG_HR`)
- Shared department folders mapped via GPO and NTFS permissions
- Intern and executive accounts intentionally overprivileged for red team escalation

Deliberate weaknesses:

- Password policy allows short, guessable passwords
- Intern `edrake0` added to both IT Admins and Domain Admins
- Executive `sbanks` given on-prem Domain Admin and recreated in cloud
- Logging and auditing disabled or left at defaults

---

### Azure Cloud Environment

- Cloud domain: `blackridgebank.com` (Microsoft 365 / Entra ID)
- Azure users created manually, not synced with AD, reusing passwords
- Group: `CloudAdmins` granted full Global Administrator rights
- Members include finance users and non-technical executives
- No MFA or conditional access enabled across any accounts

Misconfigurations introduced:

- Key Vault access granted to all CloudAdmins (including non-technical users)
- Public blob storage left accessible without authentication
- Hardcoded cloud admin credentials embedded in an on-prem `.ps1` script
- Duplicate identities created between AD and Azure with reused credentials

---

## 2. Insider Threat Scenario

The intern (`edrake0`) begins with limited read-only permissions but leverages several weaknesses to escalate:

- Locally stored credentials from overmapped drives and exposed GPOs
- Abused access to an old `.ps1` script containing Azure login logic
- Lateral movement to accounts with hybrid privileges
- Persistence established using native tools and excessive cloud roles

The simulation culminates in full Azure compromise and exfiltration of sensitive finance data via public blob storage.

---

## Project Goals

HollowRoot is designed to:

- Model realistic privilege escalation paths using misconfigurations and trust abuse
- Demonstrate how hybrid AD–Azure environments can fail without lifecycle governance
- Explore the relationship between insider threats and poor access control
- Provide a platform for both red and blue team testing in an enterprise simulation

---

## Status

- ✅ Phase 1 — Environment and misconfigurations deployed
- ✅ Phase 2 — Insider enumeration and Azure escalation simulated
- 🔄 Phase 3 — Defensive analysis and incident response (in progress)

---

## Phase 3 — Blue Team Response

This phase focuses on answering a critical question: **How could this have been detected or prevented before compromise?**

Using the evidence from Phase 2, we will:

- Analyze attacker behavior and escalation steps from log and control perspectives
- Document specific controls that would have stopped or slowed the breach
- Provide actionable recommendations for both on-prem and Azure environments

Key areas under review:

- Logging visibility and coverage (on-prem and cloud)
- Role separation and group membership audits
- Least privilege enforcement
- Conditional access and MFA policy gaps
- Identity lifecycle management failures (e.g., duplicate accounts, password reuse)

The final deliverable will include:

- A high-level incident summary from a defender's perspective
- Missed detection opportunities
- Hardening and detection recommendations
- Suggested mitigations for each abused path

This phase transforms the project from an offensive showcase into a full incident simulation — useful for training, portfolio demonstration, and real-world preparedness.
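The group membership and identity lifecycle audits listed under Phase 3 can be automated against exported membership data. The script below is an added example, not part of the HollowRoot project: it runs over constructed sample exports modelled on the setup described above (in practice the dictionaries would be filled from `Get-ADGroupMember` / `Get-ADUser` output and an Entra ID role or group export) and flags the overprivilege patterns this environment plants: an intern in privileged AD groups, non-technical Domain Admins and Global Administrators, and hand-created cloud duplicates of on-prem admin accounts.

```python
"""Hybrid AD / Entra ID privilege audit (added example, constructed data)."""
from collections import defaultdict

# Constructed sample exports modelled on Blackridge Bank; not real tenant data.
# On-prem AD: sAMAccountName -> (department, title, group memberships)
AD_USERS = {
    "edrake0": ("IT", "Intern", {"GG_CS_Users", "IT Admins", "Domain Admins"}),
    "sbanks":  ("Executive", "CEO", {"GG_Exec", "Domain Admins"}),
    "jmills":  ("HR", "HR Generalist", {"GG_HR"}),
    "tnguyen": ("IT", "Systems Administrator", {"IT Admins", "Domain Admins"}),
}
# Entra ID: UPN -> (department, group memberships); accounts created by hand, not synced.
CLOUD_USERS = {
    "sbanks@blackridgebank.com":  ("Executive", {"CloudAdmins"}),
    "pfinch@blackridgebank.com":  ("Finance", {"CloudAdmins"}),
    "tnguyen@blackridgebank.com": ("IT", {"CloudAdmins"}),
}

CLOUD_DOMAIN = "blackridgebank.com"
PRIVILEGED_AD = {"Domain Admins", "IT Admins"}
PRIVILEGED_CLOUD = {"CloudAdmins"}        # mapped to Global Administrator
TECHNICAL_DEPTS = {"IT"}                   # departments expected to hold admin roles
LOW_TRUST_TITLES = {"Intern", "Contractor"}  # assumed policy: never tier-0


def audit(ad_users=AD_USERS, cloud_users=CLOUD_USERS):
    """Return {finding_type: [accounts]} for the hybrid overprivilege patterns."""
    findings = defaultdict(list)
    for sam, (dept, title, groups) in ad_users.items():
        priv = groups & PRIVILEGED_AD
        if priv and title in LOW_TRUST_TITLES:
            findings["low_trust_in_privileged_ad_group"].append(sam)
        if "Domain Admins" in groups and dept not in TECHNICAL_DEPTS:
            findings["nontechnical_domain_admin"].append(sam)
        # Same person holding on-prem admin and cloud GA via an unsynced duplicate
        # account: one reused password bridges both environments.
        upn = f"{sam}@{CLOUD_DOMAIN}"
        if priv and upn in cloud_users and cloud_users[upn][1] & PRIVILEGED_CLOUD:
            findings["hybrid_admin_duplicate"].append(sam)
    for upn, (dept, groups) in cloud_users.items():
        if groups & PRIVILEGED_CLOUD and dept not in TECHNICAL_DEPTS:
            findings["nontechnical_global_admin"].append(upn)
    return dict(findings)


if __name__ == "__main__":
    for kind, accounts in sorted(audit().items()):
        print(f"{kind}: {', '.join(sorted(accounts))}")
```

Every account flagged here maps to an escalation step in the Phase 2 scenario, so the same checks can be scheduled as a recurring membership review rather than a one-off.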