How we looked for hackers in network traffic at the Standoff

Summary of attacks from PT NAD for the entire period of the cyber battle The Standoff

We continue to cover the work of the SOC team (more about it in our previous article) at the last cyber battle, The Standoff. Today we will talk about the results of monitoring with the NTA system PT Network Attack Discovery (PT NAD), developed by Positive Technologies, which detects attacks on the perimeter and inside the network.

In six days, PT NAD recorded more than 8 million attacks, 778 of them unique. Most of the detected attacks were the result of the activity of various network scanners and automated vulnerability scanners. In our case, an attack means a detection rule triggering on malicious network traffic.

Internal network penetration

Any attack starts with reconnaissance. Let me remind you: there were 29 attacking teams, and every one of them needed to scout the infrastructure. We received a gigantic stream of alerts on the external perimeters of the companies.

In 2020, the city of FF consisted of a cargo seaport, a gas distribution station, a chemical plant, an oil production facility, power generation facilities, an airport, a business center, and an amusement park. The metropolis had its own street lighting system and a railway with stations, as well as automobile and railway crossings with moving cars and trains.

There were fewer attacks on the internal infrastructure of the offices. We recorded about 340,000 attacks, 313 of them unique. This sample again included various scans, but they were launched with more precise targeting.

Below are the top 15 tools used by the attackers. The statistics were collected from client HTTP headers in network traffic, triggers of our own detection rules, and the public Emerging Threats ruleset.

Top 15 tools used by attackers (chart; only some of its labels survived extraction: Fuzz Faster U Fool, Nuclei, Brutus / AET2, Ruby WinRM Client, Burp Suite)

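The chart above was built from client HTTP headers, so it is worth showing what that kind of tallying looks like in practice. The script below is an added example written for this article, not PT NAD's own logic: it classifies HTTP requests by User-Agent with a small table of tool signatures and counts requests and distinct sources per tool. The request records (source addresses, hosts and header values) are constructed to resemble the tools' default User-Agent strings; Burp Suite is deliberately absent from the table because it sends browser-like headers and needs other indicators.

```python
import re
from collections import Counter

# Constructed HTTP request metadata in the shape an NTA sensor exports:
# (source IP, destination host, User-Agent header). Not real Standoff data.
REQUESTS = [
    ("10.20.1.5", "portal.nuft.local", "Fuzz Faster U Fool v1.3.1-dev"),
    ("10.20.1.5", "portal.nuft.local", "Fuzz Faster U Fool v1.3.1-dev"),
    ("10.20.1.9", "mail.bank.ff",
     "Nuclei - Open-source project (github.com/projectdiscovery/nuclei)"),
    ("10.20.2.7", "portal.nuft.local",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"),
    ("10.20.1.9", "gitlab.bank.ff", "Ruby WinRM Client (2.3.4, ruby 2.7.0 (2019-12-25))"),
    ("10.20.3.3", "portal.nuft.local",
     "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"),
    ("10.20.1.5", "mail.bank.ff", "sqlmap/1.5.2#stable (http://sqlmap.org)"),
]

# One regex per tool, matched against the User-Agent header.  Burp Suite is
# not here: it uses browser-like headers, so a UA table cannot catch it.
TOOL_SIGNATURES = {
    "ffuf": re.compile(r"Fuzz Faster U Fool", re.I),
    "nuclei": re.compile(r"\bnuclei\b", re.I),
    "Ruby WinRM Client": re.compile(r"Ruby WinRM Client", re.I),
    "Nmap NSE": re.compile(r"Nmap Scripting Engine", re.I),
    "sqlmap": re.compile(r"\bsqlmap/", re.I),
}


def classify(user_agent):
    """Return the tool name whose signature matches the header, or None."""
    for name, pattern in TOOL_SIGNATURES.items():
        if pattern.search(user_agent):
            return name
    return None


def tool_stats(requests):
    """Return (requests per tool, set of distinct source IPs per tool)."""
    hits = Counter()
    sources = {}
    for src, _host, user_agent in requests:
        tool = classify(user_agent)
        if tool is None:
            continue
        hits[tool] += 1
        sources.setdefault(tool, set()).add(src)
    return hits, sources


if __name__ == "__main__":
    counts, who = tool_stats(REQUESTS)
    for tool, n in counts.most_common():
        print(f"{tool:20s} {n:4d} requests from {len(who[tool])} host(s)")
```

Counting distinct sources per tool, not only requests, is what separates one noisy scanner from several teams using the same tool.
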
By parsing network protocols down to L7 and storing raw traffic, PT NAD lets security analysts identify even more threats. For example, the first infrastructure the attackers infiltrated was the office of the oil company Nuft. We saw attacks launched from addresses in the office server segment. Studying the network traffic made it clear that some of these servers had port 445 open to the external network. The attackers were able to guess the local administrator password on them. The screenshot shows a successful session with NTLM authentication as a local administrator on one of the Nuft office servers.

Successful connection from an external network to a server under a local account via SMB

A little later, we saw an OS Credential Dumping: DCSync attack launched from this server. To carry it out, you need an account with domain administrator rights. In this case, the attack was performed under the nuft scanmaste account, which belonged to the defense team and was a member of the Domain Admins group. This meant the domain was compromised.

DCSync attack

Towards the end of the confrontation, one team of attackers tried to guess the password of the Bank of FF GitLab server over the SSH protocol. Thanks to the SSH protocol parser, we easily tracked this attempt.

Password guessing for SSH server

As a result, the attackers managed to successfully authenticate to the server.

Successful SSH Interactive Session
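The three findings above (external SMB logon as a local administrator, DCSync from a non-DC host, SSH password guessing that ends in a success) are all visible in session metadata alone, before anyone opens raw traffic. The script below is an added example, not PT NAD's rules, showing the three checks over constructed session records; the addresses, account names, the set of domain controllers and the internal ranges are assumptions made for the example. The RPC operation name DRSUAPI DsGetNCChanges is the real replication call DCSync relies on; only its placement in the record is invented.

```python
import ipaddress
from collections import defaultdict

# Assumed internal address space and domain controllers (constructed).
INTERNAL_RANGES = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DOMAIN_CONTROLLERS = {"10.10.0.10", "10.10.0.11"}

# Constructed session records in the shape NTA metadata usually has.
SESSIONS = [
    # an external host reaches SMB on an office server and logs on as local admin
    {"src": "203.0.113.45", "dst": "10.20.1.15", "dport": 445, "proto": "smb",
     "user": "SRV15\\administrator", "auth": "failure", "rpc_op": None},
    {"src": "203.0.113.45", "dst": "10.20.1.15", "dport": 445, "proto": "smb",
     "user": "SRV15\\administrator", "auth": "success", "rpc_op": None},
    # a replication request issued by that server, which is not a DC
    {"src": "10.20.1.15", "dst": "10.10.0.10", "dport": 49155, "proto": "dcerpc",
     "user": "NUFT\\ops-admin", "auth": "success", "rpc_op": "DRSUAPI.DsGetNCChanges"},
    # legitimate DC-to-DC replication, which must not be flagged
    {"src": "10.10.0.11", "dst": "10.10.0.10", "dport": 49155, "proto": "dcerpc",
     "user": "NUFT\\DC02$", "auth": "success", "rpc_op": "DRSUAPI.DsGetNCChanges"},
] + [
    # six failed SSH logons from one external host, then a success
    {"src": "198.51.100.7", "dst": "10.30.0.20", "dport": 22, "proto": "ssh",
     "user": "git", "auth": "failure", "rpc_op": None} for _ in range(6)
] + [
    {"src": "198.51.100.7", "dst": "10.30.0.20", "dport": 22, "proto": "ssh",
     "user": "git", "auth": "success", "rpc_op": None},
]


def is_external(ip):
    """True when the address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_RANGES)


def external_smb_logons(sessions):
    """SMB sessions from outside the organisation that authenticated successfully."""
    return [s for s in sessions
            if s["proto"] == "smb" and s["auth"] == "success" and is_external(s["src"])]


def dcsync_candidates(sessions, dcs=DOMAIN_CONTROLLERS):
    """Replication requests sent to a DC by a host that is not itself a DC:
    the network-level signature of DCSync."""
    return [s for s in sessions
            if s["rpc_op"] == "DRSUAPI.DsGetNCChanges"
            and s["dst"] in dcs and s["src"] not in dcs]


def ssh_bruteforce(sessions, threshold=5):
    """Per (src, dst): count failed SSH logons and record whether a success
    came after the failure count had already crossed the threshold."""
    stats = defaultdict(lambda: {"failures": 0, "success_after": False})
    for s in sessions:
        if s["proto"] != "ssh":
            continue
        key = (s["src"], s["dst"])
        if s["auth"] == "failure":
            stats[key]["failures"] += 1
        elif stats[key]["failures"] >= threshold:
            stats[key]["success_after"] = True
    return {k: v for k, v in stats.items() if v["failures"] >= threshold}


if __name__ == "__main__":
    for s in external_smb_logons(SESSIONS):
        print("external SMB logon:", s["src"], "->", s["dst"], s["user"])
    for s in dcsync_candidates(SESSIONS):
        print("DCSync candidate:", s["src"], "->", s["dst"], s["user"])
    for (src, dst), v in ssh_bruteforce(SESSIONS).items():
        print("SSH guessing:", src, "->", dst, v)
```

The DC allowlist is the important design choice: replication between domain controllers is constant background noise, so the rule keys on who asks for replication data rather than on the call itself.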

Reconnaissance of the internal infrastructure

On the third day of the confrontation, we discovered domain reconnaissance from the computer of one of the bank's users. The activity was short-lived, as the defense team reacted quickly and pushed the attackers out of the infrastructure.

Retrieving information about local users on a domain controller

We established that the attackers had connected to the user's computer over RDP through the RDG server, which meant they had this user's password. To figure out where they got it, we studied the network activity preceding the attack and found suspicious HTTP connections. The connections to the external network were made by IP address rather than hostname, the URL looked like that of a mail server web client, and the request used the POST method, meaning the user was sending something to the server.

Authenticating against a fake web server

We exported the raw traffic of this session and confirmed that the attackers had successfully carried out a phishing attack and got the user to enter their credentials into a fake webmail page.
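The chain of observations that led to the fake webmail (POST method, a bare IP address instead of a hostname, a login-looking path on a host that is not the organisation's mail server) can be turned into a triage query over HTTP metadata. The script below is an added example, not PT NAD's rule: the request records, the list of known webmail hosts and the login-path patterns are constructed for the illustration. As the text says, such a hit is a lead to pull the raw session for, not proof by itself.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed legitimate webmail hosts of the organisation (constructed).
KNOWN_MAIL_HOSTS = {"mail.bank.ff", "owa.bank.ff"}

# Path fragments typical of webmail / SSO logon forms.
LOGIN_PATH = re.compile(r"(owa/auth|/auth\.owa|/login|/logon|/signin|/webmail)", re.I)

# Constructed HTTP request metadata for several workstations; invented data.
HTTP_REQUESTS = [
    {"src": "10.30.5.41", "method": "GET", "url": "http://203.0.113.80/owa/auth/logon.aspx",
     "content_type": None, "body_len": 0},
    {"src": "10.30.5.41", "method": "POST", "url": "http://203.0.113.80/owa/auth.owa",
     "content_type": "application/x-www-form-urlencoded", "body_len": 96},
    {"src": "10.30.5.42", "method": "POST", "url": "https://mail.bank.ff/owa/auth.owa",
     "content_type": "application/x-www-form-urlencoded", "body_len": 102},
    {"src": "10.30.5.43", "method": "POST", "url": "http://203.0.113.90/api/telemetry",
     "content_type": "application/json", "body_len": 4096},
]


def host_is_bare_ip(host):
    """True when the Host/URL authority is an IP literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_credential_posts(requests, known_hosts=KNOWN_MAIL_HOSTS):
    """Form POSTs to login-looking paths on hosts that are not our webmail."""
    findings = []
    for r in requests:
        if r["method"] != "POST":
            continue
        parts = urlsplit(r["url"])
        host = parts.hostname or ""
        looks_like_login = bool(LOGIN_PATH.search(parts.path))
        form_post = (r["content_type"] or "").startswith("application/x-www-form-urlencoded")
        if not (looks_like_login and form_post) or host in known_hosts:
            continue
        reasons = ["host not in known webmail list"]
        if host_is_bare_ip(host):
            reasons.append("host is a bare IP address")
        if parts.scheme == "http":
            reasons.append("cleartext HTTP")
        findings.append({"src": r["src"], "host": host, "path": parts.path,
                         "body_len": r["body_len"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_credential_posts(HTTP_REQUESTS):
        print(f"{f['src']} posted {f['body_len']} bytes to {f['host']}{f['path']}: "
              + "; ".join(f["reasons"]))
```

The small body length is itself a useful hint: a credential form is a few dozen bytes, while legitimate API traffic to external IPs tends to be larger and JSON-encoded, as in the last record.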

How the attackers disguised themselves

Some of the attacking teams were creative. One team registered the domain name standoff356[.]com and used it to communicate with the server under their control, for example to set up a reverse shell. We still spotted this trick.

Reverse shell to a server masquerading as part of the organizers' infrastructure, part 1

Reverse shell to a server disguised as part of the organizers' infrastructure, part 2

The highlighted fragment shows the activity of the attacker's reverse shell. The rule alerted us to suspicious content in the network traffic leaving a server in the Nuft office DMZ segment, content that is typical of a raw TCP reverse shell.
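What "suspicious content typical of a raw TCP reverse shell" means in practice is shell output and prompts travelling in the server-to-client direction of a connection that is not a known service. The script below is an added example, not the rule PT NAD fired: it scans the bytes a DMZ server sent to its peer for a few such patterns (the output of `id`, a cmd.exe banner or prompt, a bash prompt). The DMZ address list and the two flows are constructed; the second flow is an ordinary HTTP response and must not alert.

```python
import re

# Assumed addresses of the office DMZ servers (constructed).
DMZ_SERVERS = {"10.20.0.5", "10.20.0.6"}

# Byte patterns typical of an interactive shell whose I/O rides a raw TCP socket.
SHELL_OUTPUT = [
    re.compile(rb"uid=\d+\([^)]+\) gid=\d+"),                  # output of `id`
    re.compile(rb"Microsoft Windows \[Version [\d.]+\]"),      # cmd.exe banner
    re.compile(rb"(?m)^[A-Za-z]:\\[^\r\n]*>"),                  # cmd.exe prompt
    re.compile(rb"(?m)^([\w-]+@[\w.-]+:[^\n$#]*[$#] ?)$"),      # bash prompt
]

# Constructed flows: (server IP, peer IP, peer port, bytes the server sent).
FLOWS = [
    ("10.20.0.5", "203.0.113.99", 4444,
     b"Linux dmz-web 5.4.0 #1 SMP x86_64\n"
     b"uid=33(www-data) gid=33(www-data) groups=33(www-data)\n"
     b"www-data@dmz-web:/var/www$ "),
    ("10.20.0.6", "203.0.113.12", 443,
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>ok</html>"),
]


def shell_indicators(payload):
    """Names of the shell patterns found in the server-sent bytes."""
    return [p.pattern.decode() for p in SHELL_OUTPUT if p.search(payload)]


def flag_dmz_reverse_shells(flows, dmz=DMZ_SERVERS):
    """Alert on DMZ servers whose outgoing payload looks like shell I/O."""
    alerts = []
    for server, peer, peer_port, sent in flows:
        if server not in dmz:
            continue
        hits = shell_indicators(sent)
        if hits:
            alerts.append({"server": server, "peer": peer,
                           "peer_port": peer_port, "matches": len(hits)})
    return alerts


if __name__ == "__main__":
    for a in flag_dmz_reverse_shells(FLOWS):
        print(f"{a['server']} -> {a['peer']}:{a['peer_port']}: "
              f"{a['matches']} shell indicator(s) in server-sent data")
```

Direction matters: the same strings inside traffic the server receives would be a different story (an administrator pasting output into a ticket, say), so the check only looks at what the server sends out.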

Lateral movement and persistence

A popular technique was to deploy their own proxy servers on compromised nodes in the office infrastructure. Later, the hackers used chains of such proxies to reach servers in the internal infrastructure. Some teams also showed creativity, though of a peculiar kind: obscene passwords. In the session below, we see tunneling over the SOCKS5 protocol; the account used to connect to the proxy server, olololo, is visible. Inside the tunnel, DCERPC traffic was carried on behalf of the nuft Administrator user. In this session, commands were executed through the Impacket WMIExec module. We see that the attackers gained persistence by creating a scheduled task that launches their proxy server, and disguised the task as the WSUS update service.

Remote command execution via WMI

We also see that the Exchange server was only an intermediate hop, and the command was executed on node

Destination address in the SOCKS5 tunnel


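The two screenshots above show what a protocol parser recovers from a proxied session: the account that authenticated to the SOCKS5 proxy and the real destination behind it. The decoder below is an added example, not PT NAD's SOCKS5 parser: it walks the client half of a SOCKS5 session (greeting, RFC 1929 username/password sub-negotiation, CONNECT request per RFC 1928) and reports the account name and the tunnel endpoint, deliberately dropping the password. The byte stream, the account proxyuser and the destination 10.10.0.25:135 are constructed; it assumes the client-to-server bytes are concatenated and that the proxy accepted the username/password method the client offered. A CONNECT to port 135 is what DCERPC traffic over such a tunnel looks like at this layer.

```python
import socket
import struct

# Constructed client-side byte stream of one SOCKS5 session.
CLIENT_STREAM = (
    b"\x05\x01\x02"                       # greeting: offers username/password auth
    + b"\x01\x09proxyuser\x05pass1"       # RFC 1929: user "proxyuser", 5-byte password
    + b"\x05\x01\x00\x01" + bytes([10, 10, 0, 25]) + b"\x00\x87"  # CONNECT 10.10.0.25:135
)

COMMANDS = {1: "CONNECT", 2: "BIND", 3: "UDP ASSOCIATE"}

# Ports whose appearance as a tunnel destination deserves a closer look
# (RPC endpoint mapper, SMB, WinRM); the list is an assumption for the example.
NOTABLE_PORTS = {135: "MSRPC", 445: "SMB", 5985: "WinRM"}


def parse_socks5_client(stream):
    """Return who authenticated to the proxy and where the tunnel points."""
    if stream[0] != 0x05:
        raise ValueError("not SOCKS5")
    nmethods = stream[1]
    methods = stream[2:2 + nmethods]
    pos = 2 + nmethods
    username = None
    if 0x02 in methods:                   # username/password sub-negotiation follows
        if stream[pos] != 0x01:
            raise ValueError("bad auth sub-negotiation version")
        ulen = stream[pos + 1]
        username = stream[pos + 2:pos + 2 + ulen].decode()
        pos += 2 + ulen
        plen = stream[pos]
        pos += 1 + plen                   # skip the password; never store it
    ver, cmd, _rsv, atyp = stream[pos:pos + 4]
    if ver != 0x05:
        raise ValueError("bad request version")
    pos += 4
    if atyp == 0x01:                      # IPv4
        host = socket.inet_ntoa(stream[pos:pos + 4]); pos += 4
    elif atyp == 0x03:                    # domain name
        n = stream[pos]
        host = stream[pos + 1:pos + 1 + n].decode(); pos += 1 + n
    elif atyp == 0x04:                    # IPv6
        host = socket.inet_ntop(socket.AF_INET6, stream[pos:pos + 16]); pos += 16
    else:
        raise ValueError("unknown address type")
    port = struct.unpack("!H", stream[pos:pos + 2])[0]
    return {"command": COMMANDS.get(cmd, cmd), "username": username,
            "dest_host": host, "dest_port": port,
            "dest_service": NOTABLE_PORTS.get(port)}


if __name__ == "__main__":
    r = parse_socks5_client(CLIENT_STREAM)
    print(f"{r['command']} by {r['username']!r} to {r['dest_host']}:{r['dest_port']}"
          f" ({r['dest_service'] or 'other'})")
```

Once the destination is known, the traffic that follows in the same TCP stream can be handed to the DCERPC parser as if it had been seen directly, which is how the tunnelled WMI command execution above was attributed to its real target.
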
During phishing attacks, the attackers also tried to stand out with non-standard file names. In the screenshot, we see an email being sent with an attachment that PT Sandbox identified as a downloader trojan.

Email with a malicious attachment


In this article, I have tried to pick out the most remarkable moments of the past cyber exercises. The further the attackers penetrated the infrastructure, the harder it became to distinguish their activity from legitimate activity: most of the data theft risks realized at the final stage were carried out through legitimate mechanisms. In addition, real infrastructures rarely have 100% coverage by host-based protection. Coverage is much easier to achieve by analyzing network traffic, since it is enough to configure mirroring from the network equipment. When unraveling incidents, PT NAD allowed us to track the attackers' actions in as much detail as possible by storing the metadata of all sessions and the raw traffic. In combination with our other products (MaxPatrol SIEM, PT Application Firewall and PT Sandbox), we achieved maximum coverage of the infrastructure of our virtual polygon, and throughout all six days we successfully tracked the attackers' actions both on the network and on the hosts.

Author: Alexey Lednev, Deputy Head of the Expert Services and Development Department, Positive Technologies (PT Expert Security Center)
