
Key Takeaways
- A Philippine SOC analyst detected a 14-month nation-state intrusion through behavioral analysis — not signatures — when a service account ran whoami /priv at 3:14 AM.
- The actor (assessed as APT41/DEV-0401 overlap) abused valid accounts (T1078) via Pass-the-Hash (T1550.002), moving laterally across 47 systems with zero malware binaries.
- Initial access brokers now sell warrantied, tested sessions with 30-day replacement guarantees — the supply chain has professionalized.
- Defense that worked: behavioral Sigma rules, honeytokens, privilege separation, LSASS protection (RunAsPPL), and network segmentation.
- BSP Circular 982 mandates MFA for privileged accounts, but service accounts are often exempted — exactly the gap the actor exploited.
The credential had been valid for 14 months. Behavioral detection by one SOC analyst proved decisive. The logs showed nothing unusual — until that analyst asked: what if the admin isn’t the admin?
2024-03-14 03:14:22 UTC | src=10.0.4.22 | user=svc_backup | cmd=whoami /priv
The line that didn’t belong.
Elena Reyes didn’t hear an alarm. The SIEM didn’t scream. It was a single blink on Screen 3 — a service account, svc_backup, requesting privilege enumeration on a domain controller at 3:14 AM. No scheduled task. No maintenance window. No change request.
She leaned in. Cold coffee. Ozone from the UPS units. Twelve screens painting the network in green and amber.
svc_backup wasn’t supposed to run whoami. It wasn’t supposed to run anything interactive. It was a backup service account — created 2019, password never rotated, member of Domain Admins because “the vendor said it needed it.”
Elena had triaged 47,000 alerts in three years. SOC analyst threat detection was her craft. She remembered the three she missed.
She right-clicked. Investigate.
The Technique: Valid Accounts, Professionalized Supply Chain
The technique isn’t new. T1078 — Valid Accounts has lived in MITRE ATT&CK since 2018. What’s new is the supply chain: initial access brokers now sell valid, tested, warrantied sessions with 30-day replacement guarantees. The market has professionalized. And most defenses haven’t.
In the Philippines, the Bangko Sentral ng Pilipinas (BSP) Circular 982 mandates multi-factor authentication for privileged accounts. But service accounts? “Exempted for operational continuity,” one CISO told us. “We can’t MFA a backup script.”
That exemption is exactly what the actor exploited.
The Event: A Service Account That Walked Like an Admin
The alert wasn’t signature-based. No malware hash. No known bad IP. The detection rule Elena had written three weeks earlier — Sigma rule PH-SOC-0042 — triggered on behavior:
title: Anomalous Service Account Privilege Enumeration
id: PH-SOC-0042
status: production
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\whoami.exe'
        CommandLine|contains: '/priv'
    selection_accounts:
        User|endswith:
            - '_backup'
            - '_svc'
            - '_admin'
    condition: selection and selection_accounts
level: high
tags:
    - attack.t1078
    - attack.t1082
svc_backup had never run whoami /priv in 1,460 days of logs. Until 03:14:22 UTC.
Elena pulled the thread. Process tree: services.exe → cmd.exe → whoami.exe. Parent: services.exe. No interactive logon. No RDP. No WinRM. The account was being used locally on the DC — DC01-MNL.
She checked the account’s last password change: January 12, 2023. Fourteen months.
“Marco,” she typed in Slack. “DC01. svc_backup. Running privilege enum. Now.”
Marco D., Threat Intelligence Lead, replied in 47 seconds: On it. Pulling memory.
The Investigation: Pass-the-Hash, Living Off the Land, 14 Months Deep
Memory acquisition on a live domain controller at 3 AM requires authorization. Elena had it — pre-approved for “anomalous privileged account activity.” She ran winpmem over the wire. 16 GB dumped in 11 minutes.
pypykatz found it in LSASS: NTLM hash for svc_backup. And three others — admin_mnl, sql_svc, exchange_svc. All service accounts. All Domain Admins. All passwords unchanged since 2022.
The actor hadn’t cracked passwords. They’d stolen the hashes — T1003.001 (LSASS Memory) — and moved laterally with T1550.002 (Pass the Hash).
Timeline reconstruction from Security event logs (4624, 4672, 4688):
| Time (UTC) | Event | Account | Target |
|---|---|---|---|
| 2023-01-15 04:22 | 4624 (Logon Type 3) | svc_backup | DC01-MNL |
| 2023-01-15 04:23 | 4672 (Special Privileges) | svc_backup | SeDebugPrivilege |
| 2023-01-15 04:25 | 4688 (Process Create) | svc_backup | lsass.exe (via rundll32) |
| 2023-03-22 02:11 | 4624 (Logon Type 3) | admin_mnl | FILE-SRV-03 |
| 2023-06-14 01:47 | 4624 (Logon Type 3) | sql_svc | SQL-PROD-01 |
| 2023-09-08 03:33 | 4624 (Logon Type 3) | exchange_svc | EXCH-02 |
| 2024-03-14 03:14 | 4688 (Process Create) | svc_backup | whoami /priv |
Fourteen months. Forty-seven systems touched. Zero malware binaries written to disk. Pure living-off-the-land: wbemtest, dsa.msc, ntdsutil, vssadmin, wmic.
Marco’s infrastructure pivot: the source IP 10.0.4.22 mapped to a compromised jump host — JH-07-CEB in Cebu. That host’s outbound connections: three IPs in Hong Kong, one in Singapore, all resolving to domains registered via Alibaba Cloud, privacy-protected WHOIS.
Overlap with Mandiant APT41 / Microsoft DEV-0401 infrastructure: Two of the four domains shared SSL certificate fingerprints with 2023 APT41 campaigns targeting Southeast Asian financial institutions. The third domain hosted a Cobalt Strike beacon (watermark 1589234761) matching DEV-0401’s default profile.
“Intelligence assesses high confidence,” Marco said. “But attribution is a spectrum. What matters is the TTPs.”
The Defense: Behavioral Detection, Honeytokens, Privilege Separation
They didn’t wait for vendor signatures.
1. Detection Rule Hardened
Elena expanded PH-SOC-0042 to cover all privilege enumeration binaries: whoami, net localgroup, dsget, adfind, PowerView. Added process lineage — alert on any service account spawning interactive children.
2. Honeytoken Deployed
They created svc_honey_backup — fake service account, Domain Admins group, no real access. Placed its hash in LSASS on DC01 via controlled injection. Alert rule: any use of this hash = immediate page.
3. Privilege Separation Enforced
- svc_backup removed from Domain Admins. Granted only Backup Operators + explicit SeBackupPrivilege/SeRestorePrivilege on target file servers via GPO.
- All service accounts: passwords rotated to 32-character random, stored in CyberArk, rotated every 30 days.
- MFA enforced on all human admin accounts. Service accounts: gMSA where possible, else PAM-managed.
4. LSASS Protection
RunAsPPL enabled via registry on all DCs. Credential Guard deployed on Windows 11/Server 2022 hosts.
5. Network Segmentation
Jump host JH-07-CEB isolated. Outbound from management VLAN restricted to approved bastions. NetFlow analytics tuned for beaconing patterns.
The Aftermath: 47 Systems, 14 Months, One Policy Change
Forensic scope: 47 systems compromised across Manila, Cebu, and Davao segments. Data accessed: customer PII (names, partial PANs), internal financial models, email archives from EXCH-02. No evidence of exfiltration — but absence of evidence is not evidence of absence.
The actor cleaned up well: T1070.004 (File Deletion) — wevtutil cl Security on compromised hosts, cipher /w on temp directories. But they missed the NetFlow records. And they missed Elena’s rule.
BSP was notified within 4 hours (Circular 982: 24-hour notification). NPC (National Privacy Commission) breach report filed. CERT-PH advisory issued: CERT-PH-2024-0047 — “Valid Account Abuse Targeting Philippine Financial Sector Service Accounts.”
The CISO got budget for three things that week: CyberArk PAM expansion, a dedicated threat hunter, and a red team exercise.
“Fourteen months,” Elena said later. “SOC analyst threat detection is what saved us.” “Fourteen months they lived in our house. We didn’t see them because they looked like us.”
The Next Variant
Six hours after containment, the Hong Kong domains resolved to new IPs — AWS Singapore, DigitalOcean Sydney, Linode Tokyo. The Cobalt Strike watermark changed: 1589234761 → 2847193056. The forum post on exploit[.]in advertising “PH financial sector RDP — 50 hosts, $150 each” was deleted. A new post appeared 12 minutes later: “Fresh access, same sector, $200. Warranty 30 days.”
The detection rule PH-SOC-0042 fired again at 09:22 UTC — on svc_honey_backup. The honeytoken had been used.
Elena watched the alert populate. Source: 10.0.4.22 (the same jump host, now isolated — meaning the actor had another foothold).
She typed in Slack: “They’re testing the honeytoken. They know.”
Marco replied: “Good. Let them burn it. We’ll see where they go next.”
The log keeps scrolling. The next variant is already compiling.
Sidebar: Detection Rules (Copy-Paste Ready)
Sigma: Anomalous Service Account Privilege Enumeration
title: Anomalous Service Account Privilege Enumeration
id: PH-SOC-0042
status: production
author: Elena Reyes (pseudonym)
date: 2024-03-15
description: Detects service accounts running privilege enumeration binaries
logsource:
    category: process_creation
    product: windows
detection:
    selection_binaries:
        Image|endswith:
            - '\whoami.exe'
            - '\net.exe'
            - '\dsget.exe'
            - '\adfind.exe'
            - '\powershell.exe'   # PowerView is a script: the image is powershell.exe, the script name is in CommandLine
    selection_args:
        CommandLine|contains:
            - '/priv'
            - 'localgroup'
            - 'domain admins'
            - 'enterprise admins'
            - 'PowerView'
    selection_accounts:
        User|endswith:
            - '_backup'
            - '_svc'
            - '_admin'
            - '_service'
    condition: selection_binaries and selection_args and selection_accounts
level: high
tags:
    - attack.t1078
    - attack.t1082
    - attack.t1069.002
falsepositives:
    - Legitimate admin activity (rare for service accounts)
    - Vulnerability scanners (exclude scanner accounts)
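The rule above, and its shorter first version in "The Event", match on a single process-creation event; the narrative adds two things a SIEM rule alone does not carry: the baseline ("svc_backup had never run whoami /priv in 1,460 days") and the honeytoken page from defense step 2. The Python below is an added example, not the article's or any SOC's code, that puts all three together so the logic can be run offline over log lines in the format of the article's alert line. The account svc_vulnscan, the HISTORY and EVENTS records, and the log-line regex are constructed for this example.

```python
"""Service-account privilege-enumeration detector (added example).

Re-implements the expanded PH-SOC-0042 logic over process-creation events,
adds a first-seen baseline per (user, binary) and the honeytoken rule.
Log format follows the article's alert line; all sample events are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Binaries and argument fragments from the expanded rule. PowerView is a script,
# so its image is powershell.exe and the script name is matched in the command line.
ENUM_BINARIES = {"whoami.exe", "net.exe", "dsget.exe", "adfind.exe", "powershell.exe"}
ENUM_ARGS = ("/priv", "localgroup", "domain admins", "enterprise admins", "powerview")
SERVICE_SUFFIXES = ("_backup", "_svc", "_admin", "_service")
HONEYTOKEN_ACCOUNTS = {"svc_honey_backup"}   # the honeytoken from defense step 2
EXCLUDED_ACCOUNTS = {"svc_vulnscan"}         # constructed scanner account (see falsepositives)

# Shape of the article's alert line: "<date> <time> UTC | src=<ip> | user=<name> | cmd=<command>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC \| src=(?P<src>\S+) \| user=(?P<user>\S+) \| cmd=(?P<cmd>.+)$"
)


@dataclass(frozen=True)
class Event:
    ts: str
    src: str
    user: str
    cmd: str

    @property
    def binary(self) -> str:
        """First token of the command line as a lowercase image name ('whoami' -> 'whoami.exe')."""
        name = self.cmd.split()[0].rsplit("\\", 1)[-1].lower()
        return name if name.endswith(".exe") else name + ".exe"


@dataclass
class Alert:
    level: str        # "high" for the Sigma match, "critical" for honeytoken use
    rule: str
    event: Event
    first_seen: bool  # True when this (user, binary) pair has no precedent in the baseline
    reason: str


def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.match(line.strip())
    return Event(**m.groupdict()) if m else None


def is_service_account(user: str) -> bool:
    return user.lower().endswith(SERVICE_SUFFIXES)


def matches_ph_soc_0042(ev: Event) -> bool:
    """selection_binaries AND selection_args AND selection_accounts, as in the Sigma rule."""
    if ev.user.lower() in EXCLUDED_ACCOUNTS or not is_service_account(ev.user):
        return False
    cmd = ev.cmd.lower()
    return ev.binary in ENUM_BINARIES and any(arg in cmd for arg in ENUM_ARGS)


def build_baseline(history: Iterable[str]) -> Set[Tuple[str, str]]:
    """(user, binary) pairs observed in historical logs: what each account normally runs."""
    return {(ev.user.lower(), ev.binary) for ev in map(parse_line, history) if ev}


def run_detector(history: Iterable[str], live: Iterable[str]) -> List[Alert]:
    baseline = build_baseline(history)
    alerts: List[Alert] = []
    for ev in map(parse_line, live):
        if ev is None:                       # unparseable line: skip rather than guess
            continue
        key = (ev.user.lower(), ev.binary)
        first = key not in baseline
        if ev.user.lower() in HONEYTOKEN_ACCOUNTS:
            alerts.append(Alert("critical", "HONEYTOKEN", ev, first, "honeytoken account used; it has no legitimate use"))
        elif matches_ph_soc_0042(ev):
            alerts.append(Alert("high", "PH-SOC-0042", ev, first, "service account running privilege enumeration"))
        baseline.add(key)
    return alerts


# Constructed sample data: HISTORY is what svc_backup normally does, EVENTS is the day of the alert.
HISTORY = [
    "2024-03-01 02:00:00 UTC | src=10.0.4.10 | user=svc_backup | cmd=wbadmin start backup -backupTarget:E:",
    r"2024-03-01 02:05:00 UTC | src=10.0.4.10 | user=svc_backup | cmd=net use B: \\FILE-SRV-03\backups",
]
EVENTS = [
    "2024-03-14 03:14:22 UTC | src=10.0.4.22 | user=svc_backup | cmd=whoami /priv",                      # the article's alert
    '2024-03-14 03:15:01 UTC | src=10.0.4.22 | user=svc_backup | cmd=net group "domain admins" /domain',
    "2024-03-14 03:20:00 UTC | src=10.0.4.22 | user=jdoe | cmd=whoami /priv",                            # human account: no match
    "2024-03-14 03:30:00 UTC | src=10.0.4.5 | user=svc_vulnscan | cmd=net localgroup administrators",    # excluded scanner
    "2024-03-14 09:22:10 UTC | src=10.0.4.22 | user=svc_honey_backup | cmd=net localgroup administrators",  # honeytoken
    "2024-03-14 10:00:00 UTC | src=10.0.4.10 | user=svc_backup | cmd=vssadmin list shadows",             # not enumeration
]

if __name__ == "__main__":
    for a in run_detector(HISTORY, EVENTS):
        flag = " (first seen for this account)" if a.first_seen else ""
        print(f"[{a.level}] {a.rule} {a.event.ts} {a.event.user}: {a.event.cmd}{flag}")
```

On the sample data this raises two high alerts for svc_backup (the whoami /priv line is a first-seen pair, the net group line is not, because the backup job already uses net.exe for drive mapping) and one critical alert for the honeytoken; the human account, the excluded scanner and the vssadmin call produce nothing. The first-seen flag is the piece that turns a high alert into the "this has never happened in four years" judgement the analyst made by hand.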
Splunk: Service Account Lateral Movement
index=winevents sourcetype=xmlwineventlog EventCode=4624
| eval Account=mvindex(Account_Name,1)
| where like(Account,"%_svc%") OR like(Account,"%_backup%") OR like(Account,"%_admin%")
| stats min(_time) as firstTime max(_time) as lastTime values(Computer) as targets count by Account Logon_Type Source_Network_Address
| where count > 5 AND mvcount(targets) > 3
| eval duration=lastTime-firstTime
| where duration < 3600
| table Account firstTime lastTime duration targets count Source_Network_Address
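The Splunk search above, re-implemented in Python as an added example (not the article's code) so the same logic can be checked offline against 4624 records like the ones in the investigation's timeline table. It goes one step beyond the SPL in two ways, both stated here as this example's choices: it slides a one-hour window over each (account, logon type, source) group instead of taking min/max over the whole search range, so it still works on long retention; and it also matches an `admin_` prefix, because the SPL's `%_admin%` pattern would never match an account named like the timeline's admin_mnl. The event records, the make_event helper and the thresholds are constructed for this example.

```python
"""Service-account lateral-movement detector (added example).

Python equivalent of the Splunk search above, run over constructed 4624
records. Groups by (account, logon type, source address) and flags a group
whose one-hour window holds more than 5 logons to more than 3 distinct hosts.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# The SPL's LIKE patterns plus an 'admin_' prefix (this example's addition).
SERVICE_PATTERNS = ("_svc", "_backup", "_admin", "admin_")
MIN_LOGONS = 5                 # count > 5
MIN_TARGETS = 3                # mvcount(targets) > 3
WINDOW = timedelta(hours=1)    # duration < 3600


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def is_service_account(name: str) -> bool:
    return any(p in name.lower() for p in SERVICE_PATTERNS)


def burst_in_window(evs: List[dict]) -> Optional[dict]:
    """Earliest one-hour window in evs that exceeds both thresholds, or None."""
    evs = sorted(evs, key=lambda e: e["_time"])
    for i, start in enumerate(evs):
        t0 = parse_ts(start["_time"])
        window = [e for e in evs[i:] if parse_ts(e["_time"]) - t0 < WINDOW]
        targets = sorted({e["Computer"] for e in window})
        if len(window) > MIN_LOGONS and len(targets) > MIN_TARGETS:
            return {"first": start["_time"], "last": window[-1]["_time"],
                    "count": len(window), "targets": targets}
    return None


def find_lateral_movement(events: List[dict]) -> List[dict]:
    """events: 4624-style records with Account_Name as [subject, target]; index 1 is the target
    account, matching mvindex(Account_Name,1) in the SPL."""
    groups: Dict[tuple, List[dict]] = defaultdict(list)
    for ev in events:
        if ev["EventCode"] != 4624:
            continue
        account = ev["Account_Name"][1]
        if not is_service_account(account):
            continue
        groups[(account, ev["Logon_Type"], ev["Source_Network_Address"])].append(ev)
    findings = []
    for (account, logon_type, src), evs in sorted(groups.items()):
        burst = burst_in_window(evs)
        if burst:
            findings.append({"account": account, "logon_type": logon_type, "source": src, **burst})
    return findings


def make_event(t, account, computer, src, logon_type=3, code=4624) -> dict:
    """Constructed stand-in for a parsed Security-log record (field names as in the SPL)."""
    return {"_time": t, "EventCode": code, "Logon_Type": logon_type,
            "Account_Name": ["-", account], "Computer": computer, "Source_Network_Address": src}


SAMPLE_EVENTS = [
    # Burst from the jump host: 6 network logons to 4 hosts in 40 minutes -> should fire
    make_event("2023-03-22 02:11:05", "admin_mnl", "FILE-SRV-03", "10.0.4.22"),
    make_event("2023-03-22 02:14:40", "admin_mnl", "FILE-SRV-04", "10.0.4.22"),
    make_event("2023-03-22 02:19:12", "admin_mnl", "SQL-PROD-01", "10.0.4.22"),
    make_event("2023-03-22 02:25:33", "admin_mnl", "FILE-SRV-03", "10.0.4.22"),
    make_event("2023-03-22 02:38:01", "admin_mnl", "EXCH-02", "10.0.4.22"),
    make_event("2023-03-22 02:51:47", "admin_mnl", "SQL-PROD-01", "10.0.4.22"),
    # Nightly backup job: many logons, one target -> must not fire
    *[make_event(f"2023-03-{d:02d} 01:00:00", "svc_backup", "FILE-SRV-03", "10.0.4.10") for d in range(10, 22)],
    # Many hosts but one logon per day: outside any one-hour window -> must not fire
    *[make_event(f"2023-03-{d:02d} 02:30:00", "exchange_svc", f"HOST-{d:02d}", "10.0.4.22") for d in range(10, 18)],
    # Interactive RDP by a human admin: not a service account, ignored
    make_event("2023-03-22 02:20:00", "jdoe", "JH-07-CEB", "10.0.4.50", logon_type=10),
    # Failed logon (4625): not a 4624, ignored even for a service account
    make_event("2023-03-22 02:21:00", "sql_svc", "SQL-PROD-01", "10.0.4.22", code=4625),
]

if __name__ == "__main__":
    for f in find_lateral_movement(SAMPLE_EVENTS):
        print(f"{f['account']} from {f['source']}: {f['count']} logons to {len(f['targets'])} hosts "
              f"between {f['first']} and {f['last']}: {', '.join(f['targets'])}")
```

Only the admin_mnl burst from 10.0.4.22 is reported. The nightly backup account produces more logons in total but to a single host, and exchange_svc reaches more hosts but never more than one inside an hour, which is exactly the shape the SPL's three conditions are meant to separate.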
Sidebar: Philippines Context Box
| Element | Details |
|---|---|
| Local Victims | Philippine financial sector (banking, fintech, insurance) — 3 confirmed orgs |
| Local Infra | Jump host in Cebu (JH-07-CEB), management VLAN 10.0.4.0/24 |
| Regulation | BSP Circular 982 (MFA for privileged accounts), NPC Circular 2021-01 (Breach Notification), DICT Department Circular 003 (CII Protection) |
| Reporting Channels | CERT-PH: cert-ph@dict.gov.ph; PNP-ACG: acg@pnp.gov.ph; NBI-CCD: ccd@nbi.gov.ph; BSP: supervision@bsp.gov.ph |
| Relevant Advisories | CERT-PH-2024-0047, CERT-PH-2023-0189, BSP Memorandum 2024-012 |
| Local Threat Actors | APT41/DEV-0401 overlap, Lazarus subclusters (BYPASS, ANDARIEL), local crime groups reselling access |