I was delivering a training with an ExtraHop Reveal(x) customer recently. We started the morning by looking at what I call the "overnight view," starting with detections over the last eighteen hours.
(A detection is ExtraHop's machine learning environment calling something to your attention; "hey, you should look at this.")
A detection for "Network Share Enumeration" grabs our attention. Network share enumeration means a host is listing the shares exposed by other machines; it's a common reconnaissance technique, and it can mean someone is looking for valuable files to go after.
Click. We open the detection card.
As I am recapping what a detection is, a student points out that the offender is a mission-critical server that's supported by a third-party vendor.
Ok, who did the server enumerate?
It enumerated network shares on hundreds of different machines in a large chunk of network space.
What's double plus odd is that the server is enumerating network shares that it has no business talking to. The million dollar question here: is this an attack?
Wait, Port Scans?
As we are working through this single detection, we look closer at the related detections timeline. We see two other detections with the same offender around the same time: 1) Ping Scan and 2) TCP SYN Scan. It's clear, looking at the timeline, that those ping and SYN scans happened before the network enumeration. It's a classic pattern of "scan, then enumerate."
A note: the Related Detections timeline is a pretty sexy feature in ExtraHop Reveal(x). Below we've shared an example, pulled from our online demo, that shows some similar detections to the ones in this case. The timeline can be viewed by clicking "investigate this detection" at the bottom right of any detection card.
We look at Ping Scan (a ping scan is a rudimentary way of finding things on the network). It seems odd that the server would try to aggressively discover things. This server manages pretty static devices that aren't going to just pop on or off the network. They aren't printers.
We look at the TCP SYN Scan. The detection shows the server attempted more than ten thousand different connections to a set of common ports. Again, this is interesting. And really unusual for this case.
We dive deeper into the server and look at L7 metrics. We find HTTP Client activity from the server for a variety of URLs, all containing the string nice%20ports%2C/Tri%6Eity.txt%2ebak.
We head to CyberChef and URL Decode them. What we find is an almost dead giveaway of an nmap scan (nmap is a network scanning tool. It's tremendously useful, for forces of good or evil).
Note: CyberChef is a nifty tool you can run locally or over the network. It's AWESOME for unpacking obfuscated payloads. It was developed by GCHQ (UK's NSA).
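Here's an added example (not code from the original post or from ExtraHop) that does what we did in CyberChef, but over a batch of HTTP client log lines: URL-decode each request URI and flag the ones matching the nmap service-detection probe path, then group hits by client so the fan-out (one server touching many targets) is obvious. The log format and IP addresses are constructed for the example.

```python
from urllib.parse import unquote

# Constructed sample HTTP client log lines (not from the original post).
# Fields: timestamp, client, server, method, request URI
SAMPLE_LOG = """\
2024-05-01T02:13:07Z 10.0.5.20 10.0.9.14 GET /nice%20ports%2C/Tri%6Eity.txt%2ebak
2024-05-01T02:13:08Z 10.0.5.20 10.0.9.15 GET /nice%20ports%2C/Tri%6Eity.txt%2ebak
2024-05-01T02:14:10Z 10.0.5.31 10.0.9.14 GET /index.html
2024-05-01T02:15:42Z 10.0.5.20 10.0.9.16 GET /nice%20ports%2C/Trinity.txt.bak
"""

# The path nmap's service-detection probe requests. Comparing after
# decoding catches it however the scanner percent-encoded it.
NMAP_PROBE_PATH = "/nice ports,/Trinity.txt.bak"


def decode_uri(uri):
    """URL-decode a request URI (the same operation as CyberChef's URL Decode)."""
    return unquote(uri)


def is_nmap_probe(uri):
    """True if the decoded URI (ignoring any query string) is the nmap probe path."""
    path = decode_uri(uri).split("?", 1)[0]
    return path == NMAP_PROBE_PATH


def find_nmap_probes(log_text):
    """Return {client: [servers probed, in log order]} for matching GET requests."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash on them
        _ts, client, server, method, uri = parts
        if method == "GET" and is_nmap_probe(uri):
            hits.setdefault(client, []).append(server)
    return hits


def scanning_clients(log_text, min_targets=2):
    """Clients that sent the probe to at least min_targets distinct servers."""
    hits = find_nmap_probes(log_text)
    return sorted(c for c, servers in hits.items() if len(set(servers)) >= min_targets)


if __name__ == "__main__":
    print(find_nmap_probes(SAMPLE_LOG))
    print(scanning_clients(SAMPLE_LOG))
```
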
We pull packets for a few of these requests using packet capture in Reveal(x). Yup, it's really happening.
By now we've moved out of "what is happening" and are moving into "what the hell?!" with a dose of "need to document these."
Monitoring Third Party Vendors
Customer: "Our third party vendor has remote access to several of our servers."
Ok. We look. No other server the vendor has access to has exhibited this same behavior in the past two months. The behavior the detection raised is distinctly anomalous for this environment. Suspicious.
As we are working through this, an admin points out that she queried the server and sees that an IP scanner is installed. The customer has a list of approved tools and this tool is not on that list.
An admin points out that the logs indicate the scanner was installed by the third-party vendor.
At this point people are jumping into the training session left and right.
We recap what we found and begin collecting screenshots, record queries, and ultimately packets.
As we broke for lunch, there was active talk of the customer reaching out to their vendor and having a conversation.
Read Act Two to hear what that vendor might possibly have to say for themselves.