Detecting Lateral Movement through tracking Windows Events
Research by the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)
The term “lateral movement” covers the techniques that let an adversary access and control remote systems on a network. An attacker moves laterally for many purposes: remote execution of tools, pivoting to additional systems, access to specific information or files, access to additional credentials, or simply to cause an effect.
This kind of activity inevitably leaves traces in the event logs of the systems involved, so by analysing those logs we can identify the type of technique or tool used during lateral movement, provided the relevant audit settings were enabled beforehand.
JPCERT (Japan Computer Emergency Response Team) published a useful paper in which a large number of Windows tools used for lateral movement are identified from the Windows event logs they leave behind.
To study this tool use, the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) extracted the tools used by many attackers by investigating recently confirmed cases of targeted attacks. It then investigated what logs those tools leave on servers and clients, and what settings need to be configured to obtain logs that contain sufficient evidential information. The report is a summary of the results of this research.
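As an added example (not code from the JPCERT report or from this page), the following Python script shows the kind of rule-based triage the research enables: it runs a handful of rules over exported Security-log records and maps each hit to a purpose category from the JPCERT tool list. The event IDs are standard Windows Security events (4688 process creation, 4720 user account created, 4728/4732 member added to a security-enabled group, 1102 audit log cleared); the flattened record layout, the command-line patterns and the sample records are this example's own assumptions. It also counts 4688 records that carry no command line, because by default Windows does not record it and name-based rules then have nothing to match, which is exactly the "what settings need to be configured" point the report makes.

```python
"""Rule-based triage of exported Windows Security events for the tool
categories in the JPCERT list (added example, not JPCERT's code).

Event IDs used: 4688 process creation, 4720 user account created,
4728/4732 member added to a global/local security group, 1102 audit log
cleared. The command-line patterns and the record layout are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str   # attacker's purpose, as labelled in the JPCERT tool list
    event_id: int
    computer: str
    user: str
    detail: str


# (category, event ID, command-line pattern or None). A pattern is applied to
# the CommandLine of 4688 records only; the other IDs are findings by themselves.
# Mimikatz module names (sekurlsa::, lsadump::) survive renaming of the binary.
RULES = [
    ("Obtaining password hash", 4688,
     re.compile(r"sekurlsa::|lsadump::|mimikatz|pwdump", re.I)),
    ("Adding or deleting a user group", 4688,
     re.compile(r"^net1?(?:\.exe)?\s+(?:user|group|localgroup)\b.*\s/(?:add|del(?:ete)?)\b", re.I)),
    ("Adding or deleting a user group", 4720, None),
    ("Adding or deleting a user group", 4728, None),
    ("Adding or deleting a user group", 4732, None),
    ("File sharing", 4688,
     re.compile(r"^net1?(?:\.exe)?\s+(?:use|share)\b", re.I)),
    ("Deleting event log", 1102, None),
    ("Deleting event log", 4688,
     re.compile(r"^wevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)),
]


def _basename_cmd(cmd: str) -> str:
    """Strip the directory from the executable so patterns can anchor on the
    image name: '"C:\\Windows\\System32\\net.exe" user x /add' -> 'net.exe user x /add'."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        end = cmd.find('"', 1)
        head, rest = cmd[1:end], cmd[end + 1:]
    else:
        head, _, rest = cmd.partition(" ")
        rest = " " + rest if rest else ""
    return head.rsplit("\\", 1)[-1] + rest


def triage(events):
    """Return one Finding per (event, matching rule), in event order."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        cmd = ev.get("CommandLine")
        norm = _basename_cmd(cmd) if cmd else None
        for category, rule_id, pattern in RULES:
            if eid != rule_id:
                continue
            if pattern is not None:
                if norm is None or not pattern.search(norm):
                    continue
                detail = norm
            else:
                detail = ev.get("TargetUserName", "")
            findings.append(Finding(category, eid, ev.get("Computer", "?"),
                                    ev.get("SubjectUserName", "?"), detail))
    return findings


def audit_gaps(events):
    """Count 4688 records with no CommandLine. Without the 'Include command line
    in process creation events' policy these records cannot be matched by name."""
    return sum(1 for ev in events
               if ev.get("EventID") == 4688 and not ev.get("CommandLine"))


# Constructed sample records (not real captures) in the flattened shape an
# XML-to-dict export of the Security log might produce.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "alice",
     "CommandLine": r'"C:\Windows\System32\net.exe" user backdoor P@ssw0rd /add'},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "alice",
     "CommandLine": "m.exe privilege::debug sekurlsa::logonpasswords"},
    {"EventID": 4720, "Computer": "DC01", "SubjectUserName": "alice",
     "TargetUserName": "backdoor"},
    {"EventID": 4732, "Computer": "DC01", "SubjectUserName": "alice",
     "TargetUserName": "Administrators"},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "alice",
     "CommandLine": r"net use \\FS01\C$ /user:corp\alice"},
    {"EventID": 1102, "Computer": "WS01", "SubjectUserName": "alice"},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "bob",
     "CommandLine": "notepad.exe report.txt"},
    # Process creation logged without a command line: unmatched, counted as a gap.
    {"EventID": 4688, "Computer": "WS02", "SubjectUserName": "bob"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.category:32} {f.event_id} {f.computer} {f.user} {f.detail}")
    print("4688 records without command line:", audit_gaps(SAMPLE_EVENTS))
```

Run against the constructed records it reports six findings (the `net user /add`, the Mimikatz module names, the user creation and group-membership change on the DC, the `net use` to a hidden share, and the cleared log) and one process-creation record that could not be assessed. The rules are deliberately narrow; in a real deployment they would be fed from the report's per-tool findings and tuned against the environment's baseline of legitimate `net` usage.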
List of tested tools
Grouped by the attacker's purpose in using the tool, as in the report's table:
Obtaining password hash
- Quarks PwDump
- Mimikatz (Obtaining password hash)
- Mimikatz (Obtaining ticket)
- Mail PassView
- Remote Desktop PassView
Malicious communication relay (Packet tunneling)
- Fake wpad
Pass-the-hash, Pass-the-ticket
- WCE (Remote login)
- Mimikatz (Remote login)
Escalation to SYSTEM privilege
- MS14-058 Exploit
- MS15-078 Exploit
- SDB UAC Bypass
Capturing domain administrator rights account
- MS14-068 Exploit
- Golden Ticket (Mimikatz)
- Silver Ticket (Mimikatz)
Capturing Active Directory database
Adding or deleting a user group (Creating a domain administrator user or adding it to an administrator group)
- net user
File sharing
- net use
- net share
Deleting event log
Obtaining account information