How can attackers infiltrate your systems, access credentials and move laterally to take control of your network?  More importantly, what can you do to help ensure this never happens to your organization?  

Let’s start with understanding the attack.  

A seasoned cyber criminal steals or buys leaked credentials tied to your organization.  These are then used to access your Microsoft Exchange server and scan your network.  Allowing discovery into everything connected to it.  From here, a popular network infiltration platform is used to help automate the complex, multi-stage attack.  An exploit is uploaded in encoded chunks in order to evade detection.  Then deletes traces of the attack before assessing what privileges they have gained.  Passwords and applications are searched to see what can be accessed through incognito mode in order to hide tracks of the attack.  It then finds an existing user with higher level permissions to impersonate.  New admin credentials are added enabling direct access in the future even if the attack to this point is detected and mitigated.

As an admin, the attack can now pivot to the domain controller for complete unfettered command of the entire network.  Allowing exploitation of all systems and potentially other malicious attacks.  Including deploying ransomware, exfiltrating data, and locking out legitimate administrators. The damage is done.  

Let’s take an alternate look at how Secureworks Taegis XDR detects multiple points of this attack and puts the power back into the hands of your team to mitigate the damage.  From the initial scan, Taegis recognizes the scripts being used by the attacker and triggers over 100 alerts from this step alone, including click down details on exactly what is going on with the vulnerable exchange server.  

When the exploit launches, Taegis detects the web shell and encoded fragments along with the obfuscated final command code and even maps it to several miter attack techniques.  Further click down details show exactly what the attacker is doing, including the command to delete his malicious code to hide his tracks.  As the cyber criminal gains higher level permissions, Taegis sees the command through the Secureworks red cloak agent on the exchange server.  Including the addition of the new malicious administrator credentials, which can be used in the domain controller.  

Taegis XDR sees and records everything.  Mapping each step to the miter attack framework and prioritizing alerts, broad security integrations and automation playbooks also help to facilitate rapid coordinated response across security controls.  The attack is stopped.  

Secureworks Taegis XDR provides battle tested extended detection and response to reduce your risk, improve your visibility, maximize your existing security investments and uplevel your security staff skills.