
Lumara in Action: When a Pen Tester Showed Up on a Client's Network

5 Mar 2026

Another day, another pen tester caught on a client's network. And that's actually a good thing.

Just last week, our SOC team observed a high-priority Microsoft Defender alert for Active Directory Certificate Services (AD CS) enumeration on a client environment during routine monitoring. On the surface, it looked like reconnaissance in progress. AD CS enumeration is a known attacker technique used to search for certificate misconfigurations that could open the door to privilege escalation, so we treated it seriously from the outset.

What unfolded was a reminder that anomalous behaviour is always worth investigating, regardless of how it turns out.

This is how Lumara works in practice: Lumara Fabric (SIEM) surfaces the signal, and Lumara Operate (SOC) turns it into action. Automated detection and human expertise work in step, with the platform surfacing what needs attention and experienced analysts making sense of what they find.


What the alerts showed

The alerts flagged a device being forced to authenticate via a DFS protocol operation, with multiple failed Kerberos and NTLM authentication requests following shortly after. Our team dug in quickly.

The challenge: the source device had no Windows Event logs or Microsoft Defender agent registered against it. Without that telemetry, we could not establish a baseline of expected behaviour for that endpoint. We were working with limited visibility, piecing things together from network traffic picked up by the firewall and interactions with other devices on the network.


What we found

After correlating the available logs, our analysts identified that the alert times lined up with Tailscale activity on that device. Tailscale is a legitimate remote access tool commonly used in IT environments, but in this case it was running on an endpoint that was not registered in Entra or Defender. Our Microsoft Defender for Identity sensor picked up the anomalous activity, including multiple RDP connection attempts initiated from the suspect device. Those connection attempts failed, but they were a major red flag: the activity was either genuinely hostile, an undocumented vulnerability scanner, or security testing.

We flagged everything to the client, outlining the suspicious enumeration and the specific unmanaged endpoint involved, and asked if the activity was expected.


The response

The client confirmed there was a penetration tester actively working from that IP to test their network's security posture. They asked us to keep reporting security matters and treat them as potentially malicious, as they wanted to see how their systems would respond under normal operating conditions.

Here is what makes this worth highlighting: when a third party runs a penetration test on a client's environment, they are not just testing the application or network segment they have been scoped to. By default, they are also testing the security team watching over it. In this case, that meant us, and Lumara Fabric caught it.



What this means for detection going forward

This scenario is a strong example of why defence-in-depth matters and why visibility gaps are worth closing before something less benign shows up. Even without direct endpoint coverage, Lumara Fabric surfaced the activity through network traffic and identity-based alerts, and Lumara Operate got it in front of the client quickly.

For business owners, the takeaway is simple: you should expect your security partner to notice unusual behaviour, question it, and loop you in, whether it turns out to be a pen tester or a real threat. That is the baseline.

We are now using the telemetry gathered during this authorised test to develop new, high-fidelity SIEM rules specifically for detecting unauthorised remote access tunnels. The goal is faster, more accurate detection if this kind of activity shows up again under less benign circumstances.
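As an added illustration of the correlation described above (not Lumara's code, and not the SIEM rules mentioned here), the following script joins identity alerts with firewall flow records and reports only unmanaged hosts whose alerts sit close in time to remote-access tunnel traffic. The host list, the "tailscale" application label, the alert names and all timestamps are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed inventory: endpoints with a Defender agent or Entra registration.
MANAGED_HOSTS = {"10.0.5.20", "10.0.5.21"}
# Assumed firewall application labels treated as remote-access tunnels.
TUNNEL_APPS = {"tailscale"}
# How far apart an identity alert and tunnel traffic may be to count as related.
WINDOW = timedelta(minutes=10)

# Constructed Defender for Identity style alerts: (time, source host, alert name).
IDENTITY_ALERTS = [
    ("2026-02-26 09:14:05", "10.0.7.44", "AD CS enumeration"),
    ("2026-02-26 09:14:40", "10.0.7.44", "Kerberos authentication failure"),
    ("2026-02-26 09:15:02", "10.0.7.44", "NTLM authentication failure"),
    ("2026-02-26 09:16:30", "10.0.7.44", "RDP connection attempt"),
    ("2026-02-26 09:40:00", "10.0.5.20", "Kerberos authentication failure"),
    ("2026-02-26 11:05:00", "10.0.9.9", "NTLM authentication failure"),
]
# Constructed firewall flow log: (time, source host, application label).
FIREWALL_FLOWS = [
    ("2026-02-26 09:12:50", "10.0.7.44", "tailscale"),
    ("2026-02-26 09:13:10", "10.0.7.44", "tailscale"),
    ("2026-02-26 09:39:00", "10.0.5.20", "tailscale"),
    ("2026-02-26 11:04:00", "10.0.9.9", "https"),
]

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def correlate(alerts, flows, managed=MANAGED_HOSTS, window=WINDOW):
    """Map each unmanaged host to the identity alerts and tunnel flows that coincide."""
    findings = {}
    for a_time, host, name in alerts:
        if host in managed:          # covered endpoints have their own telemetry
            continue
        when = parse_ts(a_time)
        nearby = [f_time for f_time, f_host, app in flows
                  if f_host == host and app in TUNNEL_APPS
                  and abs(parse_ts(f_time) - when) <= window]
        if nearby:
            entry = findings.setdefault(host, {"alerts": [], "tunnel_flows": set()})
            entry["alerts"].append(name)
            entry["tunnel_flows"].update(nearby)
    return findings

if __name__ == "__main__":
    for host, detail in correlate(IDENTITY_ALERTS, FIREWALL_FLOWS).items():
        print(f"{host}: {len(detail['alerts'])} identity alerts near "
              f"{len(detail['tunnel_flows'])} tunnel flows -> escalate to client")
```

The managed host with tunnel traffic and the unmanaged host with only ordinary HTTPS flows both drop out, leaving one host to raise with the client.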

Want to know if your environment has detection gaps? Our SOC and Lumara platform can help you validate your security posture and ensure you have the right visibility across your network and endpoints. Get in touch to learn more.

Australia is secure when
Australian talent defends it.

Reach out today to discuss how with Lumara, we can work together to protect your business from the always changing Australian threat landscape.