SOC and Credential theft
Jul 6th, 2018 by Jesper Kråkhede
Last month I encountered a strange situation at a customer. I did a security review and deployed a simple log analytics tool to identify where Domain Admins logged on, as we suspected that an intruder was roaming around in the environment. To my customer's fear, we more or less instantly saw that the Administrator account was used on several servers for logging on, and that account was supposed to be unused. The SOC had not reported it, and when I investigated the issue it turned out that the SOC was only looking for network intrusions and malware on clients and servers. This attacker used file-less malware and credential theft, and as the anti-malware the customer used was not up to date, it didn't fully detect some memory functions commonly used by the malware, so the SOC was blind.
In the aftermath we could conclude that the reason for the SOC not seeing this was that the cost of network logging was extensive, so they had decided to rely on that only, as getting the server logs would have been too expensive.
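The kind of check the log analytics described above performs, as an added example that is not the tool used at the customer: it walks exported Windows Security 4624 (successful logon) records and reports privileged accounts that are supposed to be dormant, or that show up on more servers than policy allows. The event records, the domain name `CORP`, the account lists and the host threshold are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample of Windows Security event 4624 (successful logon) records, in the
# shape a log collector exports them; not real data from any customer environment.
SAMPLE_EVENTS = [
    {"Computer": "SRV-FILE01", "TargetUserName": "Administrator", "TargetDomainName": "CORP",
     "LogonType": 3, "IpAddress": "10.0.5.23"},
    {"Computer": "SRV-SQL02", "TargetUserName": "Administrator", "TargetDomainName": "CORP",
     "LogonType": 10, "IpAddress": "10.0.5.23"},
    {"Computer": "SRV-SQL02", "TargetUserName": "SRV-SQL02$", "TargetDomainName": "CORP",
     "LogonType": 5, "IpAddress": "-"},                      # machine account, not of interest
    {"Computer": "WS-0421", "TargetUserName": "jdoe", "TargetDomainName": "CORP",
     "LogonType": 2, "IpAddress": "-"},                      # ordinary user, not of interest
    {"Computer": "SRV-FILE01", "TargetUserName": "da_ops", "TargetDomainName": "CORP",
     "LogonType": 3, "IpAddress": "10.0.9.8"},
]

# Assumed policy inputs; in practice taken from the Domain Admins group in AD and from the
# organisation's own list of accounts that must never be used for logging on.
PRIVILEGED_ACCOUNTS = {"administrator", "da_ops"}
SHOULD_BE_UNUSED = {"administrator"}
LOGON_TYPE = {2: "interactive", 3: "network", 5: "service", 10: "remote-interactive"}

def privileged_logons(events, privileged=PRIVILEGED_ACCOUNTS, domain="CORP"):
    """Map each privileged account to the set of (host, logon type) it logged on to,
    ignoring machine accounts and logons from other domains."""
    seen = defaultdict(set)
    for ev in events:
        user = ev["TargetUserName"].lower()
        if user.endswith("$") or ev["TargetDomainName"].lower() != domain.lower():
            continue
        if user in privileged:
            seen[user].add((ev["Computer"], LOGON_TYPE.get(ev["LogonType"], str(ev["LogonType"]))))
    return dict(seen)

def findings(events, unused=SHOULD_BE_UNUSED, max_hosts=1):
    """One finding per account that should be dormant but was used, or that was used on
    more hosts than policy allows; stolen credentials moving between servers look like this."""
    out = []
    for account, places in privileged_logons(events).items():
        hosts = sorted({host for host, _ in places})
        if account in unused:
            out.append(f"{account}: dormant account logged on to {hosts}")
        elif len(hosts) > max_hosts:
            out.append(f"{account}: logged on to {len(hosts)} hosts {hosts}")
    return out

if __name__ == "__main__":
    for line in findings(SAMPLE_EVENTS):
        print(line)
```

Running it against the sample flags only the Administrator account, which appears on two servers although it should be unused; the network logging the SOC relied on would not have carried these host-side events at all.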