Breaking the Illusion: Why SOC & SIEM Alone Won’t Save You

Executive Summary: Why Layered Security Matters

Security Operations Centers (SOCs) and Security Information and Event Management (SIEM) solutions are often considered the ultimate defense against cyber threats. However, our latest Red Team assessment proved otherwise: SOC and SIEM alone are not enough. Without a layered security approach, these systems provide a false sense of security.

A strong security posture starts with securing your internal infrastructure and Active Directory (AD) first, implementing multiple layers of defense, and then using a SOC and SIEM as oversight mechanisms. But even then, continuous Red Team assessments are crucial to evaluate detection effectiveness, rule tuning, and human response capabilities.

Technical Overview: How We Bypassed a SOC-Backed Defense

Initial Access – Planting a Rogue Access Point

During our engagement, we simulated an external visitor entering the company’s lobby. While waiting, we discreetly plugged a rogue access point into a publicly accessible Ethernet wall outlet.

  • Employees unknowingly connected to the rogue network, exposing unencrypted DNS requests and NTLMv2 authentication attempts over SMBv2.

  • Captured NTLMv2 hashes were then cracked offline, revealing an employee password. Since offline cracking occurs on the attacker's premises, there is absolutely no chance for the SOC or SIEM to detect or log this activity, making it a completely covert step in the attack chain.

  • Why This Worked: The company did not have Network Access Control (NAC) enforced on visitor-accessible network ports, and some switch ports had been inadvertently left active by sysadmins, allowing unrestricted network access.

VPN Access & AD Enumeration via Living-Off-the-Land (LOTL)

With valid credentials in hand, we:

  • Connected to the corporate VPN using legitimate authentication mechanisms, as the VPN was tied to LDAP authentication, allowing domain credentials to be reused.

  • Used native Windows commands (net, nltest, dsquery, PowerShell) to enumerate Active Directory assets without triggering SIEM alerts.

  • Located a service account with elevated privileges used by IT for automation tasks.

Privilege Escalation – Abusing Weak GPP-Stored Credentials

  • The service account had a Group Policy Preference (GPP) password stored using legacy reversible encryption.
  • We retrieved and decrypted the password, granting us full control over a critical backup and credential vault server.

DCSync Attack – Stealing NTLM Hashes for Persistence

With control over a privileged service account, we executed a DCSync attack:

  1. Pulled NTLM hashes for all Active Directory users, including the KRBTGT hash, allowing us to craft Golden Tickets.

  2. Customized & obfuscated our tools to avoid standard detection:

    • Instead of running flagged tools like Mimikatz, we made direct API calls to extract credentials.

    • This bypassed signature-based SIEM detection as no known attack tools were executed. Additionally, by using evasion mechanisms and functions not flagged by Endpoint Detection & Response (EDR) systems, we were able to bypass the deployed EDR, ensuring no alerts were triggered during our attack.

Covering Tracks & Maintaining Persistence

To ensure long-term access and cover some of our tracks, we:

  • Created a new domain admin account for persistent access.

  • Extracted high-value data from finance and credential vaults.

  • Tampered with specific event logs instead of fully wiping them, ensuring our actions blended in with legitimate administrative activity.

  • Ensured timestamps matched normal AD replication, making the DCSync attack appear as a routine IT backup process.

Why the SOC Never Caught It

✔ Signature-based detections don’t flag PowerShell recon – Our use of native Windows commands blended into normal admin behavior.

✔ Behavior-based analytics failed – The IT account accessing AD appeared routine.

✔ Slow, methodical attack execution – No spikes in traffic or brute-force indicators were generated.

✔ Custom tradecraft – No direct use of Mimikatz or other well-known attack tools meant no alerts triggered.

Key Takeaways: How to Actually Secure Your Environment

✔ Layered security first – Secure internal infrastructure & AD before deploying a SOC & SIEM.

✔ Continuous Red Team testing – Annual or biannual Red Team assessments ensure human analysts and rule sets remain effective.

✔ Stronger credential hygiene – Remove weak GPP passwords and enforce tiered account privileges.

✔ Enhanced anomaly detection – SIEMs must be configured to flag unusual AD replication patterns and service account usage.
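One concrete form of the "unusual AD replication" rule above, as an added example that is not code from the original post: when directory-service access auditing is enabled, a domain controller logs Event ID 4662 for a replication request, and the event's Properties field carries the replication control-access-right GUIDs. A replication request from any account that is not a domain controller is the DCSync signal. The log line format, the account names and the DC allowlist below are constructed for the example.

```python
# Added example: flag DCSync-style replication requests (Event ID 4662
# carrying the DS-Replication-Get-Changes rights) that come from an
# account other than a known domain controller.  Log lines, account names
# and the allowlist are constructed; the GUIDs are Microsoft-documented.

# Directory replication control-access rights.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Hypothetical allowlist: the domain's own domain controller machine accounts.
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}

def parse_event(line):
    """Parse one constructed 'Key=Value|Key=Value' log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)

def replication_rights(event):
    """Names of the replication rights referenced in the event's Properties."""
    props = event.get("Properties", "").lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]

def is_dcsync_candidate(event, allowlist=KNOWN_DC_ACCOUNTS):
    """True for a 4662 event that requests replication from a non-DC account."""
    if event.get("EventID") != "4662" or not replication_rights(event):
        return False
    return event.get("SubjectUserName", "").upper() not in allowlist

def detect(lines, allowlist=KNOWN_DC_ACCOUNTS):
    """Return (account, [rights]) for every suspicious event in the log."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_dcsync_candidate(event, allowlist):
            hits.append((event["SubjectUserName"], replication_rights(event)))
    return hits

# Constructed sample: normal DC-to-DC replication, a service account pulling the directory, an unrelated 4662.
SAMPLE_LOG = [
    "EventID=4662|SubjectUserName=DC02$|ObjectType=domainDNS|Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2,1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "EventID=4662|SubjectUserName=svc_backup|ObjectType=domainDNS|Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2,1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "EventID=4662|SubjectUserName=jdoe|ObjectType=user|Properties=bf967aba-0de6-11d0-a285-00aa003049e2",
]

if __name__ == "__main__":
    for account, rights in detect(SAMPLE_LOG):
        print(f"ALERT: {account} requested {', '.join(rights)}")
```

In a real deployment the allowlist is the domain's actual DC computer accounts, and legitimate replicating products (directory sync or backup agents running under a service account) will also trigger this rule, so each such account should be reviewed and allowlisted explicitly rather than suppressed by widening the rule. Note that this rule only fires if the "Directory Service Access" audit subcategory is enabled and the domain object has the required SACL.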

Let’s Strengthen Your Security

Think your SOC is impenetrable? Let us prove otherwise. Let’s talk.