Domain credential abuse remediated in 47 minutes

MDR threat cases are real-world stories that demonstrate how Sophos MDR’s AI-native cybersecurity defense system detects, investigates, and responds to active cyberattacks — combining AI speed and expert human judgement to stop threats before they cause damage.

MDR Threat case

Partner: Sophos MSP, Technology services provider, Costa Rica, Central America

Organization: Legal industry, 50-200 employees, Costa Rica, Central America

Solution: Sophos MDR

Adversary behavior

The attacker gains initial access through a Cisco VPN lacking multi-factor authentication, most likely using previously compromised credentials. Once inside, they interact with four accounts—two regular users and two admin-level accounts—to elevate their access. From there, they attempt to expand their reach, launching brute-force attacks against internal Domain Controllers and abusing built-in Windows administration features to harvest additional credentials.

Threat detection

Sophos MDR fires a detection immediately upon the domain controller activity, alerting to suspicious attempts to remotely access sensitive credential data. Because this behavior is both highly abnormal and extremely high-risk on a domain controller, the alert is automatically routed to our Priority Queue, where an MDR analyst claims the case within 22 seconds. Our investigation begins while the attacker is still active in the environment.

Investigation

Sophos MDR analysts quickly determine this intrusion is credential-based rather than malware-driven. By correlating VPN authentication data, account activity, and internal telemetry, the team identifies compromised VPN access as the entry point and confirms interaction with four privileged accounts. Investigation then expands across internal systems, uncovering brute-force attempts on two domain controller servers—behavior consistent with large-scale credential theft. Within minutes, the attacker's access paths, affected accounts, and credential-theft attempts are fully mapped.
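The correlation the investigation describes, as an added illustration that is not part of the Sophos case write-up and not Sophos tooling: join a burst of failed logons recorded on a domain controller back to the VPN session that was handed the originating internal address. The log field names, the 20-failures-in-5-minutes threshold, and every log record below are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed VPN authentication records (not real data): who authenticated,
# from which public address, and which internal address the VPN assigned them.
VPN_LOGS = [
    {"ts": "2024-05-01T09:10:02", "user": "jdoe",
     "public_ip": "203.0.113.45", "assigned_ip": "10.20.0.55", "result": "success"},
    {"ts": "2024-05-01T09:11:40", "user": "asmith",
     "public_ip": "198.51.100.7", "assigned_ip": "10.20.0.8", "result": "success"},
]


def _constructed_dc_events():
    """Build constructed Windows Security 4625 (failed logon) events from two DCs."""
    base = datetime.fromisoformat("2024-05-01T09:14:00")
    events = []
    # Burst: 30 failures in 30 seconds from the address assigned to jdoe's VPN
    # session, cycling through many target accounts on DC01.
    for i in range(30):
        events.append({"ts": base + timedelta(seconds=i), "host": "DC01",
                       "event_id": 4625, "target_user": f"user{i % 10}",
                       "source_ip": "10.20.0.55"})
    # Background noise: a few mistyped passwords from a legitimate session on DC02.
    for i in range(3):
        events.append({"ts": base + timedelta(minutes=i), "host": "DC02",
                       "event_id": 4625, "target_user": "asmith",
                       "source_ip": "10.20.0.8"})
    return events


DC_EVENTS = _constructed_dc_events()


def failed_logon_bursts(events, threshold=20, window=timedelta(minutes=5)):
    """Sliding-window count of 4625 events per (DC host, source address).

    Returns {(host, source_ip): peak_count} for every source whose failures
    inside any `window`-long span reached `threshold`.
    """
    by_source = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            by_source[(e["host"], e["source_ip"])].append(e["ts"])
    bursts = {}
    for key, stamps in by_source.items():
        stamps.sort()
        recent = deque()
        peak = 0
        for ts in stamps:
            recent.append(ts)
            # Drop timestamps that fell out of the window ending at `ts`.
            while ts - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            bursts[key] = peak
    return bursts


def correlate_with_vpn(bursts, vpn_logs):
    """Attribute each brute-force source to the VPN login assigned that address."""
    assigned = {v["assigned_ip"]: v for v in vpn_logs if v["result"] == "success"}
    findings = []
    for (host, src_ip), count in bursts.items():
        session = assigned.get(src_ip)
        findings.append({
            "dc": host,
            "source_ip": src_ip,
            "failed_logons": count,
            "vpn_user": session["user"] if session else None,
            "vpn_public_ip": session["public_ip"] if session else None,
        })
    return findings


def investigate(vpn_logs=VPN_LOGS, dc_events=DC_EVENTS):
    """Run the two stages end to end and return the attributed findings."""
    return correlate_with_vpn(failed_logon_bursts(dc_events), vpn_logs)


if __name__ == "__main__":
    for finding in investigate():
        print(finding)
```

The attribution step keys purely on the assigned internal address; a production version would also require the VPN login to precede the burst and would fold in the successful 4624 logons that follow it, which is what turns "many failures" into "credentials obtained". The public address surfaced in the finding is what a responder would block, and the VPN user is the account to disable.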

Response

Operating in Collaborative + Authorize mode, Sophos MDR responds alongside the MSP partner and customer. With verbal approval, compromised administrative accounts are disabled, active attacker sessions are terminated, and malicious VPN-originated IP addresses are blocked. Sophos MDR then guides follow-on remediation: enforcing MFA on the Cisco VPN, upgrading VPN firmware, removing Domain Administrator accounts from VPN access groups, reviewing VPN authentication logs, and extending MDR coverage to previously unmanaged assets. From initial detection to full coordination and containment, the complete response is executed in just 47 minutes—stopping credential theft before the attacker can carry out a more severe attack.