Monday, December 4, 2023
HomeCyber SecurityTales from the SOC - Detecting inside reconnaissance

Tales from the SOC – Detecting inside reconnaissance

Tales from the SOC is a weblog sequence that describes latest real-world safety incident investigations carried out and reported by the AT&T SOC analyst group for AT&T Managed Prolonged Detection and Response prospects.

Government abstract

Inside Reconnaissance, step one of many Cyber Kill Chain, is the method of gathering inside details about a goal community to determine vulnerabilities that may probably be exploited.  Menace actors use the data gained from this exercise to resolve the simplest approach to compromise the goal community. Susceptible companies might be exploited by menace actors and probably result in a community breach. A community breach places the corporate within the arms of cybercriminals. This may result in ransomware assaults costing the corporate thousands and thousands of {dollars} to remediate together with a tarnished public picture. 

The Managed Prolonged Detection and Response (MXDR) analyst group acquired two alarms concerning an asset performing community scans inside a buyer’s atmosphere. Additional investigation into these alarms revealed that the supply asset was capable of scan 60 distinctive IPs inside the atmosphere and efficiently detected quite a few open ports with identified vulnerabilities.


Preliminary alarm overview

Indicators of Compromise (IOC)

The preliminary alarm that prompted this investigation was a Darktrace Cyber Intelligence Platform occasion that was ingested by USM Anyplace. The precedence degree related to this alarm was Excessive, one degree beneath the utmost precedence of Essential.  Community scanning is usually one of many first steps a menace actor takes when trying to compromise a community, so it’s a crimson flag any time an unknown gadget is scanning the community with out permission. From right here, the SOC went deeper into related occasions to see what exercise was going down within the buyer’s atmosphere. The picture proven beneath is the Darktrace alarm that initiated the investigation.

Darktrace alarm

Expanded investigation

Occasions search

Using the filters constructed into USM Anyplace , the occasions had been narrowed right down to the particular supply asset IP tackle and Host Identify to solely question occasions related to that particular asset. The next occasions had been discovered that present extra details about the reconnaissance exercise that was being noticed.

Recon activity 1

recon activity 2

Occasion deep dive

Upon reviewing the logs from the occasions proven above, the SOC was capable of decide that the supply asset scanned two separate Classless Inter-Area Routing (CIDR) blocks, detecting, and scanning 60 distinctive inside units for open ports. As proven within the log snippets beneath, the scans revealed a number of open ports with identified vulnerabilities, most notable is Server Message Block (SMB) port 445 which is the important thing assault vector for the notorious WannaCry malware. Wanting on the logs we will additionally see that the supply asset detected port 5985, the port utilized by Home windows Distant Administration (WinRM). WinRM can be utilized by menace actors to maneuver laterally in environments by executing distant instructions on different property from the compromised host. These distant instructions are sometimes batch recordsdata performing malicious exercise or implanting backdoors to keep up persistence within the community.  Lastly, we will see the asset scanning for Light-weight Listing Entry Protocol (LDAP) port 389. LDAP visitors, if not encrypted correctly, might be sniffed with Wireshark and probably expose delicate data similar to usernames and passwords.

event deep dive

Reviewing for added indicators

After the preliminary evaluation of the supply asset, we pivoted our occasion search to incorporate property inside the goal IP ranges. Utilizing the filters in USM Anyplace, the SOC was capable of search the occasions within the prospects atmosphere for the focused IP addresses and analyze all occasions trying to find any anomalous exercise that will point out a breach came about. Additional overview into the shopper’s community didn’t reveal any further exercise following the scanning. The SOC was unable to search out any proof that the menace actor superior from reconnaissance to weaponization, or additional up within the kill chain. This means that the exercise is remoted in the interim.


Constructing the investigation

As a result of nature of reconnaissance scanning, this might probably be a menace actor trying to find susceptible companies on property inside the atmosphere. The client was suggested to quarantine the asset off the community and examine the supply of the scanning exercise to find out if a compromise came about. It was beneficial to run a full Antivirus scan on the asset to make sure that this exercise was not associated to malware trying to maneuver laterally of their atmosphere.

Buyer interplay

The client was notified through telephone name as outlined of their Incident Response Plan (IRP). The client was capable of isolate the asset off the community to forestall any further community scans. They then started to research the asset by performing a software program stock of the machine to find out the supply of the community scanning and reviewing the Home windows Occasion Viewer logs to find out the consumer account related to the scanning exercise. The fast response of the MXDR group allowed the shopper to research the asset earlier than any further actions came about because of the preliminary community scans that triggered the alarms.



Please enter your comment!
Please enter your name here

Most Popular

Recent Comments