The largest challenge for organizations looking to detect and contain attackers is one of the hardest to overcome: disbelief.

Disbelief that they will be targeted. Disbelief that someone will get past their perimeter. Disbelief that they will use stealth.

Whether it is an expert group like APT1 or, more likely, just someone shelling out $50 to a phishing expert who sells his services on the open market, they will get in someday. Once they are in, most organizations are blind to the stealthy actions that these individuals take until the incident reaches a stage where a breach investigation team gets involved.

This is why you need to look for signs that an attacker is in your network. Metasploit can help your team test how vulnerable your network is to credential-based attacks. The InsightIDR team wants to help you detect an intruder moving through your network like APT1 using Windows Credentials Editor (WCE), Metasploit, or similar tools. InsightIDR detects several behaviors to trigger an alert, but I want to focus on two of them here: testing credentials and administrator impersonation.

Testing Credentials

Once inside your network, intruders look for ways to stay undetected for months or even years. There are a lot of ways to map out the network and expand that foothold, but the process of testing credentials is rarely discussed. You see, if an attacker tries authenticating with the "Administrator" account and a blank password on every Windows box on your network, you won't notice. Even if the phished domain account were tested on every Windows system on the network, you would need to track spikes in per-user authentications, and that could easily get lost in the noise. Neither scenario would cause account lockouts anywhere and you are probably convinced that you are protected against it because Nexpose runs this very test. By identifying this testing of credentials, InsightIDR will help you detect an intruder at this early stage of an attack.

Administrator Impersonation

Every attacker's end goal is the same: to make money. On the way to that goal, one of the most challenging efforts is to obtain the privileges necessary to access data worth monetizing. For this reason, every intruder is going to extract every cleartext password or password hash available on a system as soon as it is compromised in the hope that one set of credentials provides administrator privileges on the network. However, obtaining the hash is not the buzzword worthy action here; the attacker will remotely pass the hash to authenticate to another system as another account. InsightIDR will detect this impersonation and make you aware before the valuable data has been stolen.

If you'd like to see just how common it is for attackers to use credentials on the network to see why you need a detection plan, check out any of the past 3 years' Verizon Data Breach Investigations Reports. To learn more about Rapid7's approach, it is detailed within our toolkit.