Catching the Invisible: MXDR Detection of Advanced Lateral Movement

Advanced Persistent Threat (APT) groups are among the most dangerous adversaries organizations face. They are patient, resourceful, and skilled at hiding within legitimate network traffic. In this article, we detail how Apsispoint's MXDR service detected and stopped APT29 (Cozy Bear) as they moved laterally through a client's network using living-off-the-land techniques.

---

Incident Overview

| Detail | Value | |---|---| | Client | Global Healthcare Technology Provider | | Threat Actor | APT29 (Cozy Bear) | | Initial Access | Compromised third-party vendor credentials | | Primary Techniques | Living off the Land, Pass-the-Hash | | Dwell Time Before Detection | 4 hours | | Endpoints Compromised | 3 (contained before further spread) | | Data Exfiltrated | 0 bytes |

Key Insight: APT29 used exclusively legitimate Windows tools (PowerShell, WMI, PsExec, RDP) to move through the network, making traditional signature-based detection nearly impossible.

---

Attack Progression Timeline

Hour 1: Initial Access via Vendor Credentials

At 11:15 PM EST, the threat actor authenticated to the client's VPN using credentials compromised from a third-party IT vendor. The credentials were likely obtained through a separate supply chain compromise. The initial login appeared legitimate -- the vendor regularly accessed the network for maintenance tasks.

The attacker connected from a VPS hosted in a data center that was geographically consistent with the vendor's known locations, further reducing suspicion.

Hour 2: Reconnaissance and Credential Harvesting

Once inside the network, the attacker began systematic reconnaissance using built-in Windows tools:

# Active Directory enumeration
net group "Domain Admins" /domain
nltest /dclist:HEALTHCARE-CORP
dsquery computer -limit 0

# Network share discovery
net view \\fileserver01 /all
dir \\fileserver01\shares$ /s

# Service account enumeration
setspn -T HEALTHCARE-CORP -Q */*

The attacker then used Mimikatz (loaded into memory, never written to disk) to extract cached credentials from the initial endpoint:

mimikatz # sekurlsa::logonpasswords
mimikatz # sekurlsa::pth /user:svc_backup /domain:HEALTHCARE-CORP /ntlm:a4f49c406510bdca...

Hour 3: Lateral Movement Begins

With harvested credentials, the attacker began lateral movement to high-value targets:

1. First hop: Used Pass-the-Hash with a service account to authenticate to a database server via WMI
2. Second hop: Leveraged PsExec to execute commands on a file server containing patient data
3. Third hop: Initiated an RDP session to a domain controller using compromised domain admin credentials

Each hop used legitimate Windows tools and valid credentials, producing network traffic indistinguishable from normal administrative activity.

Hour 4: MXDR Detection and Response

At 3:12 AM EST, our MXDR platform's behavioral analytics correlated multiple weak signals into a high-confidence alert. No single event was suspicious on its own, but the pattern was unmistakable.

---

Multi-Layer Detection Approach

Behavioral Analytics

Our behavioral analytics engine tracked the following anomalous patterns:

• Temporal anomaly: The vendor account was being used outside its historical access window (normally 9 AM - 5 PM)
• Authentication velocity: Multiple systems authenticated to within a short time window from a single source
• Privilege escalation pattern: A service account accessed systems it had never accessed before
• Lateral movement graph: The sequence of system-to-system connections formed a pattern consistent with manual exploration

Machine Learning Models

Three ML models contributed to the detection:

1. User and Entity Behavior Analytics (UEBA): Detected the vendor account operating outside its behavioral baseline with a deviation score of 4.7 standard deviations
2. Graph-based anomaly detection: Identified unusual connection patterns between systems that had no historical communication relationship
3. Credential usage model: Flagged the service account being used interactively, which was inconsistent with its programmatic usage history

Threat Hunting Correlation

Our threat hunting team had recently published a hypothesis about APT29 targeting healthcare organizations through vendor access. The MXDR platform automatically correlated the observed TTPs with this hypothesis, increasing the alert priority.

---

Hunting Operation

Phase 1: Scope Assessment

The hunting team's first priority was to determine the full scope of the compromise. They executed targeted queries across the environment:

// Identify all systems accessed by the compromised vendor account
IdentityLogonEvents
| where Timestamp > ago(24h)
| where AccountName == "vendor_maint_01"
| summarize
    LoginCount = count(),
    UniqueTargets = dcount(TargetDeviceName),
    Targets = make_set(TargetDeviceName)
    by AccountName, LogonType
| order by LoginCount desc

// Detect Pass-the-Hash activity
DeviceLogonEvents
| where Timestamp > ago(24h)
| where LogonType == "Network"
| where IsLocalAdmin == true
| where ActionType == "LogonSuccess"
| summarize
    AttemptCount = count(),
    UniqueDevices = dcount(DeviceName),
    Devices = make_set(DeviceName)
    by AccountName, RemoteIP
| where UniqueDevices > 3
| order by UniqueDevices desc

Phase 2: Credential Compromise Assessment

The team assessed which credentials had been compromised and where they were being used:

// Identify Mimikatz-style credential access
DeviceEvents
| where Timestamp > ago(24h)
| where ActionType in ("LsassAccess", "SensitiveCredentialAccess")
| project Timestamp, DeviceName, InitiatingProcessFileName,
    InitiatingProcessCommandLine, ActionType
| order by Timestamp asc

// Track service account anomalous usage
IdentityLogonEvents
| where Timestamp > ago(7d)
| where AccountName == "svc_backup"
| summarize
    DailyLogins = count(),
    UniqueTargets = dcount(TargetDeviceName)
    by bin(Timestamp, 1d)
| render timechart

Phase 3: Threat Eradication

With the full scope identified, the team executed a coordinated eradication plan:

1. Simultaneous credential reset: All compromised accounts had passwords rotated within a 2-minute window to prevent the attacker from using any remaining access
2. Endpoint isolation: The three compromised endpoints were isolated from the network
3. Session termination: All active sessions for compromised accounts were terminated across the environment
4. Firewall rules: The attacker's VPN source IP was blocked at the perimeter

---

Advanced Hunting Techniques

Kerberoasting Detection

During the investigation, the team also checked for Kerberoasting activity, a common APT29 technique:

// Detect potential Kerberoasting
IdentityQueryEvents
| where Timestamp > ago(24h)
| where ActionType == "LDAP query"
| where QueryTarget has "servicePrincipalName"
| project Timestamp, AccountName, DeviceName, QueryTarget
| summarize QueryCount = count() by AccountName, DeviceName
| where QueryCount > 10
| order by QueryCount desc

Pass-the-Hash Detection

The team validated the Pass-the-Hash technique using the following detection query:

// Advanced PtH detection
DeviceLogonEvents
| where Timestamp > ago(24h)
| where LogonType == "Network"
| where Protocol == "NTLM"
| where ActionType == "LogonSuccess"
| join kind=inner (
    DeviceLogonEvents
    | where LogonType == "Interactive"
    | where ActionType == "LogonSuccess"
    | distinct AccountName, DeviceName
) on AccountName
| where DeviceName != DeviceName1
| summarize NTLMHops = count() by AccountName, bin(Timestamp, 1h)
| where NTLMHops > 5

---

Defender Response Procedures

Immediate Response (Hours 0-2)

• Isolated compromised endpoints using Microsoft Defender for Endpoint
• Terminated all active sessions for compromised accounts
• Blocked attacker's source IP at the VPN concentrator and firewall
• Initiated full credential rotation for all affected accounts
• Deployed enhanced monitoring rules for lateral movement indicators

Investigation Phase (Hours 2-12)

• Conducted full forensic analysis of compromised endpoints
• Analyzed memory dumps for evidence of Mimikatz and other tools
• Reviewed all authentication logs for the 72-hour period prior to detection
• Mapped the complete attack path using network flow data
• Assessed data access logs on the file server and database server

Remediation Phase (Hours 12-48)

• Rebuilt compromised endpoints from clean images
• Implemented network segmentation between vendor access zones and critical infrastructure
• Deployed Privileged Access Workstations (PAWs) for administrative tasks
• Enhanced monitoring for all third-party vendor accounts
• Conducted a full review of vendor access policies and permissions

---

Lessons from the Hunt

Why Traditional Detection Failed

• Legitimate tools: Every tool used by the attacker (PowerShell, WMI, PsExec, RDP) is a legitimate Windows administration tool
• Valid credentials: The attacker used real credentials, making authentication events appear normal in isolation
• Low and slow: The attacker moved deliberately, avoiding the rapid-fire activity that triggers simple threshold alerts
• Geographic consistency: The VPN connection originated from a location consistent with the vendor's legitimate access

Why MXDR Succeeded

• Behavioral correlation: By analyzing the relationships between events rather than individual events, the MXDR platform identified the attack pattern
• Historical baselines: UEBA models knew what "normal" looked like for every account and system in the environment
• Graph analytics: The system-to-system connection graph revealed an exploration pattern inconsistent with routine maintenance
• Threat intelligence integration: Recent APT29 intelligence informed detection rules and hunting hypotheses

---

Post-Incident Improvements

Based on this incident, the following security enhancements were implemented:

1. Zero Trust for Vendor Access: All third-party vendors now access the network through a dedicated jump server with session recording and just-in-time access provisioning

2. Enhanced NTLM Monitoring: Additional detection rules were deployed to identify NTLM authentication anomalies, particularly for service accounts

3. Credential Guard Deployment: Windows Credential Guard was enabled on all endpoints to prevent credential extraction from LSASS memory

4. Network Microsegmentation: Critical systems were placed in isolated network segments with explicit allow-list firewall rules

5. Service Account Hardening: All service accounts were migrated to Group Managed Service Accounts (gMSAs) with automatic password rotation

6. Vendor Access Reviews: Quarterly reviews of all third-party vendor access permissions were instituted, with automatic deprovisioning for inactive accounts

Protect your organization from advanced threats. Contact Apsispoint to learn how our MXDR service combines behavioral analytics, machine learning, and expert threat hunting to detect attacks that evade traditional security tools.