Reveal(x) ‘Lit Up Like a Christmas Tree’ in Red Team Exercise

Steve Dakhe didn’t know what to expect when he received an urgent call from an ExtraHop customer following an unexpected red team exercise. As it happened, Dakhe, a customer success manager with ExtraHop, had no need to worry; the customer was calling him to explain how well the ExtraHop Reveal(x) network detection and response (NDR) platform performed.

Reveal(x) detected more than a dozen attacker tactics and techniques the red team used, according to the customer’s SOC director. Reveal(x) “lit up like a Christmas tree,” he said, and saw “everything” when attackers installed a command and control (C2) beacon, moved laterally, employed living off the land techniques, and more.

On the First Day of Christmas My Red Team Sent to Me: Social Engineering

The red team exercise began with a social engineering attack in order to bypass the organization’s email security. Members of the red team, pretending to be part of the organization’s IT staff, called employees and asked them to install would-be network speed testing software. A couple of employees took the bait and downloaded malware disguised as the speed testing software onto their computers.

The malware on employees’ computers–which the company’s endpoint security tools didn’t detect–used PowerShell and WMIC to prompt the remote launch of a Cobalt Strike beacon. Reveal(x) immediately picked up on that activity. And when the Cobalt Strike beacon established a command and control (C2) connection, Reveal(x) picked up on that, too.

The 12 TTPs of a Red Team Christmas

One by one, Reveal(x) continued to light up, exposing multiple tell-tale signs of malicious activity –most of which can only be detected on the network–including enumeration, lateral movement, attempts to connect to the organization’s Active Directory domain, RDP scans, RDP remote sessions, new RDP connections to a domain controller, a Shellshock HTTP exploit attempt, Log4Shell injections, DNS zone transfer attempts, a suspicious user agent, LDAP wildcard queries, and data exfiltration.

A week after the social engineering attack, the red team worked with company insiders to attach an unauthorized computing appliance to the network. Through the appliance, the red team used the GetUserSPNs.py attacker tool in an attempt to launch Kerberoasting attacks, but Reveal(x) alerted the security team to those efforts.

Attaching a new appliance to the network may not be the most subtle approach, but the red team generally tried to stay under the radar. Many of the tactics it used are classified as medium risk by Reveal(x) and other security platforms.

For example, Kerberoasting activity earns a risk score 65 on the 100-point scale used in Reveal(x) detections, with 100 representing the highest risk. Ping scans, another frequent tactic used by the red team, rates a 37 on the risk scale. A DNS internal reverse lookup scan is also a 37.

“One of those activities, like a DNS transfer, doesn’t look bad, but along with a ping scan, along with an RDP attempt, it starts to add up,” the SOC director said. “If you put them all together, it begins to look serious.”

Reveal(x): A Gift to Security Teams and a Lump of Coal for Attackers

Reveal(x) not only did a great job on its own, but it also worked well with the organization’s other security infrastructure, according to the SOC director.

“Reveal(x) is a great tool for detecting post-compromise activity,” he said. “It gave us the network visibility and the detections we needed to track and prevent what the red team was trying to do.”

See Reveal(x) in action: check out thesolution demo