Detecting a Red Team Attack with UEBA and EDR

A close look at a real-world example of threat detection with Interset UEBA for CrowdStrike.

Cybersecurity threat hunters are an essential part of cyber defense. Their role to be constantly vigilant and look for burgeoning cyber attacks. In the past, I have blogged on the importance of leveraging behavioral analytics to generate high-quality security leads that security teams can investigate. In speaking with customers, we understand that security teams have a need for these leads. Unfortunately, the investigation too often concludes with the realization that there are activities the security tool did not know about, or that the user or machine is exhibiting bad cyber hygiene that could lead to a potential threat or expansion of the organization’s attack surface.

The question becomes, how do we know that if an attack takes place? Will the analytics lead us to the attack? In my experience, absolutely. I have seen real-world bad actors caught with analytics!

Recently, Interset was asked to work with CrowdStrike endpoint detection and response (EDR) data at a large enterprise. CrowdStrike Falcon provides incredible details that are a great source of behavioral indicators for many different types of entities. The data set was ingested daily, and over the several months of data ingested, a Red Team attack was performed. This attack was well executed and used both known attack toolkits and live-off-the-land methods. It was interesting to see the behaviors that led to the detection of the attacks. What follows is a high-level overview of what was seen.

The attacker needed to know what are valid user accounts and leveraged an OWA timing attack. It was detected by a sudden spike in clear text passwords. The anomaly was unusual login activity to the OWA server and the unusual logon type.

Following this, the attacker used a remote attack tool, most likely Mimikatz. The attack was against a known administrator server and was detected by the server running unusual processes.

After an administrator account was compromised, it was used on an administrative laptop to launch reconnaissance attacks. The attacks enumerated directories on other machines looking for interesting files that may contain passwords. This was detected by an unusual volume of processes in an hour, as well as unusual share activity. A hidden share was used on each attacked machine to return the results of the attack tool. The local registry hive was also extracted from this administrative laptop.

It is believed from the extracted hive that the domain administrators account was compromised.  This account is now seen doing lateral movement to other machines and launching more reconnaissance attacks. The behaviors that indicated this was unusual logins for the administrator account, and unusual process use on the machines the administrator logged into.

At this point, there was a secondary attack where the list of the usernames is used to see what users are using a default password.  The attacker used a python script to try and map a user drive for each username with a default password. This was detected from the high volume of processes being generated by the script and a large number of failed authentication attempts.

The final attack is a sustained series of WMI attacks against a number of servers in the organization. These attacks could not be exactly detailed, but it was detected by anomalous process activity on those servers and an unusual volume of processes on the machine carrying out the attack. Since Interset stores the raw events, we were able to glean from the commands being used the attack tool and the IP addresses being used by the attacker for their initial compromise.

What this scenario makes clear is that endpoint data truly holds a treasure trove of clues about potential security threats. In this particular instance, we were able to pinpoint numerous behavioral anomalies that revealed an attack had been taking place. Thankfully, it was a Red Team attack that this company’s data was hiding, but it could easily have been (and might be in the future) an attack from a malicious outsider. Should a real attack become a reality, Interset’s UEBA has proven that it’s ready to quickly spot clues left behind by an attacker and initiate the necessary steps to mitigate the threat before serious damage is done.  

This Red Team attack is just one of many real-world case studies in which we’ve seen Interset UEBA for CrowdStrike detect difficult-to-find threats. We’d love to share more use cases with you and discuss how Interset UEBA for CrowdStrike can better prepare your organization for security threats. Contact us today to schedule a chat.

Check out our news announcement about Interset’s partnership with CrowdStrike, as well as the announcement of CrowdStrike’s new App Store, featuring the Interset UEBA app!