As a security investigator, what are your thoughts when you see this result in your SIEM? 🚨

Bad, right?

Let’s discuss how we can conclude something is a false positive, and what we can do with that information🧵

When drafting some internal docs the other morning, I wanted a screenshot of an Elastic search.

Without intending to start any drama, I searched for a string associated with Impacket's lateral movement tools :

*\\\\127.0.0.1\\ADMIN*

github.com/SecureAuthCorp…

I expected some internal test data, or even results from previously identified activity.

So you can imagine my surprise when I saw results that were from a handful of hours ago

Evidence of lateral movement?! In front of my very eyes!!

So I honed in the host machine in question. The aim here was to contextualise the activity, and identify what other facets of the adversarial campaign were visible

But the results were complicated....

@HuskyHacksMK later commented on this with the exact mix of emotions I was feeling.

An executable - nddc.exe - was directly associated with this lateral movement-like activity.

Instead of MORE malicious evidence, the existing 'malicious' evidence was brought into question.

For comparison, I have included what Impacket's WMIExec would look like in the SIEM

My next step was to go the host itself. Initially, I was going to reverse engineer the executable under the assumption it was malicious.

But something felt 'off' about treating it like malware.

It seemed too legit in it's directory placement

Instead, I leveraged global prevalence as @MaxRogers5 would advise.

If a significant number of machines display the same behaviour, this is an informative finding.

And we got back fascinating results: other machines in other domains are also displaying this behaviour, uniformly

Drilling down further on a machine, we can see that this weird NDDC.exe activity also has a ‘beaconing’ pattern, which suggests it is scheduled with precise regularity

Once I've saturated the raw data and it can't tell me any more, I turn to google to fill in the gaps.

My initial searches were just to ascertain what NDDC is.

I find out its Network Detective Data Collector, a Kaseya-related tool.

This by itself doesn't absolve the activity.

Reading the docs justifies why Network Detective (nddc.exe) behaves this way with SMB shares during a network audit.

It doesn't really explain HOW though.

rapidfiretools.com/nd/RapidFire_N…

Others had run malware analysis on nddc.exe, but no one had yet documented this false positive.

Remember I mentioned how I don't turn to Google first?
This isn't to flex.

It's just that I know for obscure and weird shit, Google won't help me as much as the raw data will.

Network Detective's activity was a false positive; similar to Impacket’s lateral movement but not malicious

Lets document and share our novel findings about this false positive.

@mttaggart's WTFBins is an excellent resource we can contribute to: wtfbins.wtf

Contributing was frictionless and the response from @mttaggart and @HuskyHacksMK was great!

And the end result of our investigation was to contribute to an awesome, growing repo of false positive behaviours.

The efforts of our investigation on Network Detective mean the infosec community may not have to go to these lengths next time.

Instead, they can benefit from our findings! 🤝

This is what it's all about: contributing back to the community that we all borrow tools and tips from