Does Your CEO Moonlight as a Hacker?

Testing Your SOC's Alertness


While we’re conditioned to scan the periphery for threats, sometimes, the most unexpected activities occur right at the heart of our organizations.

Envision this: your CEO, who typically stays miles away from the nitty-gritty of IT, launching PowerShell or tinkering with an intricate script. It poses the question – would your Security Operations Center (SOC) raise an eyebrow? Let’s unpack this scenario.

Why It Matters
Before we venture further, it’s crucial to understand that this isn’t a discourse doubting the CEO’s intentions or competencies. Rather, it’s a reflective exercise highlighting the importance of behavioral analytics and apt alert settings within a corporate ecosystem.

Leaders, especially the creme-de-la-creme, are often engrossed in strategic thinking and decision-making. IT experiments, such as initiating scripts or meddling with system configurations, are typically not on their to-do list. If these anomalies surface:

Potential Compromise: It might be a red flag that the CEO’s account isn’t in their control.
Insider Threats: While less likely, it could hint towards internal threats or misconduct.

How to Test It:
Create a VIP User Group: Segment the VIP users, ensuring that their activities are closely monitored for aberrations.
Initiate PowerShell: As this is an uncommon activity for VIPs, initiating PowerShell will serve as a test for your SOC’s responsiveness.
Execute Anomalous Activities: Trigger actions which a VIP, given their role and responsibilities, is unlikely to execute. Tailor this based on your organization’s unique profile.
For CyRay Customers: If your organization has specific nuances or additional activities characteristic of your VIPs, let us know. We’ll seamlessly integrate it into the VIP monitoring matrix.

Threats might not always be stereotypical, lurking in the shadows; occasionally, they manifest right under the chandeliers of boardrooms. It underscores the importance of an agile and observant SOC, primed to detect even the slightest deviations from the norm. After all, it’s not a game of suspicion, but one of vigilance. In the cybersecurity theater, it’s preferable to question and validate than to retrospectively lament.

As the age-old adage goes – better safe than regretful.

More to explorer

New Deployed Rules

Process CreationSuspicious Execution Location Of Wermgr.EXEPotential CVE-2023-36874 Exploitation – Fake Wermgr ExecutionNetwork Reconnaissance ActivityNode Process ExecutionsNslookup PowerShell Download Cradle – Process CreationSuspicious

New Deployed Rules

Account ManagementOutgoing Logon with New CredentialsRottenPotato Like Attack PatternScanner PoC for CVE-2019-0708 RDP RCE Vuln File EventWebDAV Temporary Local File CreationSCR File

New Deployed Rules

Process CreationMMC20 Lateral Movement Process CreationMMC Spawning Windows Shell Process CreationPotential Arbitrary Command Execution Using Msdt.EXE Process CreationSuspicious MSDT Parent Process Process

Sign up for our newsletter

Time to market

One-day SIEM integration