From behavioral detection to full credential containment

MDR threat cases are real-world stories that demonstrate how Sophos MDR’s AI-native cybersecurity defense system detects, investigates, and responds to active cyberattacks — combining AI speed and expert human judgement to stop threats before they cause damage.

MDR Threat case

Partner: Sophos MSP, Managed IT solutions provider, Saskatchewan, CA

Organization: Energy sector, >25 employees, Alberta, CA

Solution: Sophos MDR


Adversary behavior

The threat actor gains initial access by logging into the customer's VPN using a compromised account without MFA. Once inside, the attacker uses multiple tools to dump LSASS memory to harvest full credentials and Kerberos authentication tickets for lateral movement. To maintain stealthy access, the attacker deploys Cloudflare tunnels and uses Windows Remote Desktop Protocol (RDP) to remotely access multiple internal hosts and evade traditional firewall controls.

Threat detection

Sophos MDR detects the high-confidence behavioral alert for LSASS credential access on a domain-joined endpoint. This detection fires based on credential-dumping behavior rather than a known malware signature, allowing Sophos MDR to quickly identify a hands-on-keyboard attacker using legitimate tools. This early behavioral signal prompts immediate analyst review and escalation.

Investigation

Following this single behavioral alert, Sophos MDR analysts quickly determine a broader intrusion is at play. Early analysis shows the attacker aggressively harvesting credentials using a suspicious executable (vol.exe), a memory dump file (mama.mem), and FTK Imager—tools commonly abused to extract high-value credentials from live systems. With this evidence, MDR rapidly expands the scope of investigation and uncovers the same compromised account in use across multiple internal hosts, alongside deployment of cloudflared-windows to establish outbound tunnels and move laterally between them over RDP. By correlating endpoint, identity, and network telemetry, MDR reconstructs the full attack chain and identifies the root cause: a compromised VPN account authenticating from a malicious IP without MFA, providing the clarity needed for appropriate incident response.
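As an added illustration of the endpoint, identity and network correlation described above (example code, not Sophos MDR's detection logic or any telemetry from this case), the following Python flags LSASS access by non-allow-listed processes and pivots from the alerting account to VPN, tunnel and RDP records to assemble a containment scope. All events, hosts, accounts, IPs and field names are constructed assumptions.

```python
from typing import Dict, List

# Constructed telemetry (not from the case); field names are assumptions
# loosely modelled on VPN, Sysmon process-access/process-create and
# Windows logon records.
EVENTS: List[Dict] = [
    {"src": "vpn", "user": "svc-backup", "ip": "203.0.113.7", "mfa": False},
    {"src": "endpoint", "host": "WS01", "user": "svc-backup", "event": "process_access",
     "target": "lsass.exe", "image": "vol.exe"},
    {"src": "endpoint", "host": "WS01", "user": "svc-backup", "event": "process_create",
     "image": "cloudflared-windows"},
    {"src": "identity", "host": "FS02", "user": "svc-backup", "event": "logon", "logon_type": 10},
    {"src": "endpoint", "host": "FS02", "user": "svc-backup", "event": "process_access",
     "target": "lsass.exe", "image": "FTK Imager.exe"},
    {"src": "identity", "host": "DC01", "user": "svc-backup", "event": "logon", "logon_type": 10},
    {"src": "endpoint", "host": "WS07", "user": "a.admin", "event": "process_access",
     "target": "lsass.exe", "image": "MsMpEng.exe"},  # benign AV access, allow-listed
]

# Processes expected to open LSASS; anything else is the behavioral signal.
LSASS_ALLOWLIST = {"MsMpEng.exe", "csrss.exe", "wininit.exe"}
TUNNEL_IMAGES = {"cloudflared-windows", "cloudflared.exe"}  # assumed image names

def lsass_access_alerts(events):
    """Behavioral LSASS rule: flag any non-allow-listed image opening lsass.exe."""
    return [(e["host"], e["image"]) for e in events
            if e.get("event") == "process_access" and e.get("target") == "lsass.exe"
            and e["image"] not in LSASS_ALLOWLIST]

def reconstruct_chain(events, alerts):
    """Pivot from the alerting account(s) to VPN, tunnel and RDP telemetry."""
    hit_hosts = {h for h, _ in alerts}
    accounts = {e["user"] for e in events if e.get("event") == "process_access"
                and e.get("host") in hit_hosts and e["image"] not in LSASS_ALLOWLIST}
    chain = {"accounts": accounts, "root_cause": [], "tunnel_hosts": set(), "rdp_hosts": set()}
    for e in events:
        if e["user"] not in accounts:
            continue
        if e["src"] == "vpn" and not e["mfa"]:          # VPN login without MFA
            chain["root_cause"].append(e["ip"])
        elif e.get("event") == "process_create" and e["image"] in TUNNEL_IMAGES:
            chain["tunnel_hosts"].add(e["host"])
        elif e.get("event") == "logon" and e.get("logon_type") == 10:  # 10 = RDP
            chain["rdp_hosts"].add(e["host"])
    # Every host the account touched is in scope for isolation.
    chain["hosts_to_isolate"] = hit_hosts | chain["tunnel_hosts"] | chain["rdp_hosts"]
    return chain
```

The allow-list is a stand-in for a tuned baseline; in production the rule would key on access mask and parent process as well, and the VPN pivot would compare the source IP against known-good ranges.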

Response

Operating in "collaborate" response mode through the customer's MSP partner, Sophos MDR acts with approval to ensure precise, disruption-free containment. MDR aligns the customer and MSP to rapidly isolate affected endpoints, cutting off the attacker's hands-on-keyboard activity. Both suspicious and legitimate tools used for credential harvesting are blocked globally through Sophos Central, and a single estate-wide policy change dismantles the tunnels used for lateral movement. MDR then guides the customer through comprehensive remediation and hardening: reconfiguring the VPN, enforcing MFA via Entra ID single sign-on, and completing domain-wide credential resets to invalidate any threat-actor-controlled authentication tokens and fully restore trust. With no further malicious activity observed, the incident is swiftly de-escalated and closed, leaving the environment significantly more secure than before.