Table of Contents
“At 12:07:58 the CyberMaxx SOC detected enumeration activity on a host via our installed agent…”
This article will cover the anatomy of a real-time cyber attack and outline how CyberMaxx is uniquely designed to provide what we define as “Big R” response.
CyberMaxx takes its responsibility to defend seriously. Threat actors are working tirelessly to gain access to corporate systems and our Security Operations Center (SOC) is intervening to contain advanced threats to protect our customers regularly. This is where our “Big R” response commitment really shines which to us means response, containment, and eradication as part of SOC operations – going well beyond just escalation.
Our zero-latency response model is engaged whenever a suspected security compromise is detected. It’s designed to compress the time between initial detection and a specific containment action. As part of CyberMaxx’s “Big R” response commitment, we will thoroughly investigate every incident to ensure it is fully contained and that your environment is completely remediated.
Here’s an example of a real situation a customer experienced where our SOC sprang into action with the “Big R” response.
Threat Hunting and Detection
At 12:07:58 the CyberMaxx SOC detected enumeration activity on a host via our installed agent. This activity was flagged by a custom CyberMaxx watchlist designed to detect the use of net.exe for querying sensitive Active Directory groups, such as domain administrators and local administrators. The specific command observed was: net group “domain admins” /do
This command is highly unusual and can be exploited by threat actors to view members of the domain administrators’ group. Such enumeration can lead to privilege escalation and further compromise of the environment.
Proactive Response
The activity was executed by the “Administrator” account, which is often a default account, adding to its suspicious nature. While system administrators may legitimately use such commands for troubleshooting, CyberMaxx SOC analysts identified irregularities in its timing and execution. Recognizing this anomaly, the SOC promptly contacted the customer to verify whether an authorized administrator had executed the command. The customer quickly confirmed it was unauthorized, prompting the SOC to isolate the host and recommend immediate disabling of the “Administrator” account.
Containment
After the initial SOC response, the case was escalated to the Threat Response Team (TRT) for further investigation. The TRT identified additional unusual activity on another host, involving a legitimate internal tool. Although this activity was later deemed legitimate, contextual clues—such as timing—raised concerns. Further analysis revealed that enumeration and scripting activities were also being conducted using the “Administrator” account. Given the potential lateral movement within the network, the SOC escalated the matter to the Incident Response team to assess the full scope of the compromise.
Remediation
Following escalation, the Incident Response team engaged with the customer to present findings and recommend remediation steps. During this discussion, an unmonitored log source was identified as the point of compromise. The investigation revealed that the incident originated from a compromised VPN account, “Administrator,” which had domain administrator privileges. The threat actor either possessed or brute-forced the account credentials to access the client’s VPN via their firewall.
As the firewall logs were not initially monitored by CyberMaxx, the suspicious login activity went undetected. However, retrospective analysis of the firewall logs confirmed unauthorized access from a specific IP address. The customer swiftly blocked this IP and implemented geo-blocking for all non-business-related countries.
To mitigate further risk, CyberMaxx recommended the following actions:
- Force sign-out of all active VPN sessions to terminate unauthorized connections.
- Conduct an audit of all VPN accounts to identify any anomalies.
- Integrate firewall logs into the SIEM for continuous monitoring and enhanced visibility.
These measures helped contain the compromise, prevent further lateral movement, and strengthen security posture against future threats.
Ongoing Improvement
Once the initial response was complete, we recommended the following additional remediation and recovery actions to secure their environment further and better protect from future attacks:
- Update their firewall to the latest version and reboot in case this compromise was due to a vulnerability in the firewall’s firmware.
- Reset all domain administrator passwords
- Reset all end-user passwords
- Break trust between active directory and hypervisor
- Implement MFA on the VPN going forward
These recommendations were provided to the client due to activity observed in the event logs on the primary domain controller including attempted credential manager access. This may be indicative of password viewing or exporting done by the threat actor. Out of an abundance of caution, CyberMaxx recommended these actions be done to ensure the security of the client moving forward.
Outcome
It was determined that the compromised VPN on the firewall did not have multifactor authentication (MFA) configured, so the threat actor could access the environment as an administrator by compromising the password. Due to our recommendations, the client implemented MFA on this VPN going forward.
The CyberMaxx SOC team was able to identify and remediate the threat actor before there were any notable actions or damage took place. After detection, the SOC swiftly eradicated the threat actor and contained the environment to prevent further compromise. In addition, as part of the recovery effort, we were able to provide further assistance with long-term client security solutions to prevent a compromise of this nature from happening again.