Security Operations

Secrets of a security analyst: Investigating an incident

Tips to help you investigate incidents from experienced security analysts.

This article is the second in a series highlighting the secrets of our security operators. In this edition we are going to focus on investigations, starting with our investigation into the Microsoft Exchange vulnerabilities.

If we look back at the last few months, a “significant security event” could be any of the many Microsoft Exchange vulnerabilities and attack techniques that have been exposed by security researchers; for example the ‘Hafnium’ attacks, ProxyLogon, ProxyShell, ProxyOracle, ProxyToken, etc. Each of these vulnerabilities could grant an attacker authenticated or pre-authenticated SYSTEM-level access to a Microsoft Exchange Server. This in turn leaves companies in a difficult position, as it is not particularly challenging for an attacker to pivot from SYSTEM-level access on the Exchange Server to elevated and persistent control over the entire network.

We, as defenders, know that unfortunately there are a huge number of Microsoft Exchange servers out there that have not been sufficiently patched to cover these vulnerabilities (for those of you playing along at home: always ensure that all of your servers and business applications are fully patched and up to date to avoid these sorts of threats). The MTR team therefore set out on a mission to validate whether any customers were not only vulnerable, but also in a position where they had potentially been attacked.

Firstly, our team of Sophos Managed Threat Response (MTR) security analysts needed to identify which of our customers warranted further investigation. This involved identifying which of our customers fitted the following criteria:

  • Running a vulnerable version of Microsoft Exchange
  • Running an unpatched vulnerable version of Microsoft Exchange
  • Port 443 is open to the internet

After narrowing the net down via these criteria to a list of possible targets for an attacker, we needed to discover whether any of them had actually been attacked. The techniques for this vary depending on which particular Exchange vulnerability was being investigated at the time; however, in the case of ProxyShell the trigger was the existence of an unknown or malicious webshell on the system, or a mailbox that had been exported to a file with a .aspx extension.
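The two ProxyShell triggers named above lend themselves to a simple hunt over an Exchange server's web directories. The following is an added example written for this article, not Sophos MTR tooling: it compares each .aspx file against a baseline of known-good hashes and flags files that are actually Outlook PST data (which begins with the signature `!BDN`) wearing a .aspx extension. All paths, hashes and file contents are constructed sample data, not real indicators.

```python
"""Added example: hunt for unknown .aspx files and mailbox exports renamed
to .aspx on an Exchange web root. Sample data below is constructed."""
import hashlib
from pathlib import PurePosixPath
from typing import Dict, Optional

PST_MAGIC = b"!BDN"  # Outlook PST/OST files begin with this 4-byte signature

# Constructed baseline: SHA-256 of .aspx files shipped with a clean install.
KNOWN_GOOD = {
    "/exchange/owa/auth/logon.aspx":
        hashlib.sha256(b'<%@ Page Language="C#" %> <!-- legitimate logon page -->').hexdigest(),
}

def classify_aspx(path: str, content: bytes) -> Optional[str]:
    """Return a finding label for a .aspx file, or None if it is known-good."""
    if PurePosixPath(path).suffix.lower() != ".aspx":
        return None  # only .aspx files are in scope for this hunt
    if content.startswith(PST_MAGIC):
        return "mailbox-export-renamed-to-aspx"
    digest = hashlib.sha256(content).hexdigest()
    if KNOWN_GOOD.get(path) == digest:
        return None  # matches the baseline exactly
    if path in KNOWN_GOOD:
        return "modified-known-aspx"  # baseline file whose content changed
    return "unknown-aspx"  # not in the baseline at all

def hunt(files: Dict[str, bytes]) -> Dict[str, str]:
    """Run classify_aspx over a path -> bytes mapping and keep only findings."""
    findings = {}
    for path, content in files.items():
        label = classify_aspx(path, content)
        if label:
            findings[path] = label
    return findings

# Constructed sample "file system" for the demo; none of these are real IoCs.
SAMPLE_FILES = {
    "/exchange/owa/auth/logon.aspx":
        b'<%@ Page Language="C#" %> <!-- legitimate logon page -->',
    "/exchange/owa/auth/current/themes/resources/help.aspx":
        b'<%@ Page Language="JScript" %> <!-- constructed unknown file -->',
    "/exchange/frontend/httpproxy/owa/auth/export.aspx": PST_MAGIC + b"\x00" * 28,
    "/exchange/owa/auth/logon.aspx.bak": b"not relevant to this hunt",
}

if __name__ == "__main__":
    for path, label in hunt(SAMPLE_FILES).items():
        print(f"{label:32} {path}")
```

On a live system the mapping would be built by walking the Exchange web directories and reading each .aspx file; the baseline should be taken from a known-clean installation of the same build.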

The Sophos MTR team collate runbooks for each threat or unique actor that they have come across. The benefit is that rather than needing to carry out widespread research at the time of an attack, they can leap straight into action. As part of the OODA loop mentioned earlier, they observe the malicious activity undertaken during every investigation and can therefore enhance and evolve these runbooks on every engagement – populating them with salient information such as:

  • TTPs (Tactics, Techniques and Procedures) common or specific to this particular attack or threat actor
  • Relevant IOCs (Indicators of Compromise)
  • Known proof of concepts for exploits tied to open vulnerabilities
  • Useful threat hunting queries when dealing with these sorts of attacks

In the case of ProxyShell the TTPs are shown below mapped to the MITRE ATT&CK Framework:

Tactic              Technique ID   Technique Name
Reconnaissance      T1595.002      Active Scanning; Gather Victim Org Information; Search Open Websites/Domains
Initial Access      T1190          Exploit Public-Facing Application
Execution           T1059.001      Command and Scripting Interpreter: PowerShell
Persistence         T1136          Create Account; Valid Accounts
Defense Evasion     T1574.001      Hijack Execution Flow: DLL Search Order Hijacking
Credential Access   T1003          OS Credential Dumping; Unsecured Credentials
Lateral Movement    T1210          Exploitation of Remote Services
Impact              T1486          Data Encrypted for Impact


All this information can be searched for using the Sophos endpoint protection and MTR sensors available to our operators. Using this, a full threat hunt can be instigated to track through the evidence trail and history on the machine(s). The Sophos Intercept X endpoint agent stores a wealth of information during its tenure on a machine, and this can be used to identify whether anything beyond the creation of the malicious webshell has occurred around the same timeframe, or even earlier in the lifecycle of the breach. We know from frameworks such as MITRE ATT&CK and the Cyber Kill Chain that attackers leave tracks throughout the chain of events, and these can be investigated further.

The team can follow this trail to identify whether there are any other tools on the network that an attacker has used and whether there has been any additional compromise or malicious action. They can then action any remediation items either directly via the Sophos endpoint protection or via the customer for anything that requires configuration directly on their estate.

All Sophos MTR customers get 24/7 lead-driven threat hunts with managed detection and response. If we identify a threat, then we will act (within the MTR threat response preference) to contain and neutralise the active attack, ensuring the threat actor is kicked out of the network. We will also work tirelessly to restore control and order to the network as soon as possible, as we know that for any of our customers in the middle of a potential incident, time is money when you can’t transact business due to an outage or breach.

Alongside all this, in the current climate where attackers are at the top of their game, defenders and customers need to ensure that they have the tools, people and resources to protect themselves. As part of this, an incident response strategy is a must, whether that be self-applied or outsourced to a third-party incident response provider such as Sophos MTR.

To learn more about the Sophos MTR service visit our website or read our case studies and research.
