Endpoint and VDI Penetration Test

The Endpoint and VDI (virtual desktop infrastructure) penetration test validates the overall security level of the systems on which your employees and external contractors perform most of their daily work. Our specialists simulate attacks with standard user privileges, whether from an intentionally malicious user or a malware victim. For physical workstations, their resilience in the event of physical theft is also verified.

Benefits

The daily work of employees inevitably involves processing documents from third parties and visiting unknown websites. Unlike servers and other infrastructure, where available functionality can be restricted to a minimum, endpoint workstations and VDI must be usable for these activities. Therefore they represent the first line of defense against malware attacks on your internal systems.

A successful attack on a workstation, whether it involves deactivating security agents or escalating privileges, is often one of the first steps an attacker takes. The foundation of endpoint security are precisely configured security policies. However, even with proper configuration by the organization, third-party applications, whether pre-installed or offered through the Software Center (SCCM) and Company Portal (Intune), may contain vulnerable components and thus compromise the security of the endpoint or VDI.

VDI shared among multiple users are particularly critical. A successful attack often allows the attacker to take control of all users currently logged into the same machine.

Workstations are usually part of complex environments (especially Active Directory or Entra ID domains), so a complete assessment of their security should also include an analysis of these environments. Therefore, we recommend this test especially as a supplement to or one of the phases of the Penetration Test – Insider Threat.

Testing Process

For the test, we are given a fabricated employee identity that should correspond as closely as possible to a regular user's access: an MS Windows domain account, an email account, etc. This identity will be used to access an endpoint workstation (a standard company laptop/desktop) or VDI.

The following tests, among others, are performed under these conditions:

• Enumeration of installed security agents (AV, EDR, XDR) and attempts to bypass, disable, or add exclusion rules for them.

• Analysis of deployed security configuration policies (AppLocker, WDAC, disabled functionalities, Point and Print rights).

• Assessment of the impact of available third-party client software on endpoint device security.

• For physical devices, data-at-rest security tests (FDE, BitLocker, TPM/PIN).

• Testing different methods of tunneling network traffic into the internal network and exfiltrating data.

• Attempts to escalate privileges using identified vulnerabilities and to compromise the endpoint device/VDI.

• Attacks on other users of shared VDI.

• Tests of VDI components (Citrix NetScaler, StoreFront, VMware/Omnissa Horizon, Workspace ONE) and virtualized applications.

All findings, along with proposed recommendations, are presented in the final report.

Other Types of Tests

Penetration Test – Insider Threat is dedicated to the systematic discovery and exploitation of vulnerabilities in the internal environment. Security analysis of the endpoint is therefore a standard part of it. Although less attention may be paid to the device itself, it is evaluated in the context of the entire environment and domain.

Red Teaming focuses on a more thorough simulation of the entire attack process while also specifically testing the detection capabilities and processes of the tested organization. Attacks on an endpoint workstation can be one of the tested scenarios.

In addition to the tests described above, we also provide our clients with many other types of penetration tests. For a full list, see Penetration Testing – Overview.

Final Report

The results of the penetration test are documented in a final report, which contains details of the testing process, a description and classification of all the vulnerabilities found, and recommendations for mitigating the risks. We deliver the report securely in MS Word and PDF formats. The results can also be presented in a management presentation or a technical workshop.