Detecting Lateral Movement through tracking Windows Events
Research by the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)
"Lateral movement" covers the techniques that let an adversary access and control remote systems on a network. An attacker uses it for many purposes: executing tools remotely, pivoting to additional systems, reaching specific information or files, harvesting additional credentials, or simply causing an effect on a target.
This kind of network activity inevitably generates noise and log entries, so by analyzing the logs we can identify the type of technique or tool used during lateral movement.
JPCERT (Japan Computer Emergency Response Team) published a useful paper that identifies, from Windows event logs, many of the Windows tools used in lateral movement.
To study such tool usage, the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) extracted the tools used by many attackers by investigating recently confirmed targeted attacks. It then investigated what logs those tools leave on servers and clients, and which settings must be configured to obtain logs that contain sufficient evidential information. The report summarizes the results of this research.
List of tested tools
Command execution
- PsExec
- wmic
- PowerShell
- wmiexec.vbs
- BeginX
- winrm
- at
- winrs
- BITS
Obtaining password hash
- PWDump7
- PWDumpX
- Quarks PwDump
- Mimikatz (Obtaining password hash)
- Mimikatz (Obtaining ticket)
- WCE
- gsecdump
- lslsass
- Find-GPOPasswords.ps1
- Mail PassView
- WebBrowserPassView
- Remote Desktop PassView
Malicious communication relay (Packet tunneling)
- Htran
- Fake wpad
Remote login
- RDP
Pass-the-hash/Pass-the-ticket
- WCE (Remote login)
- Mimikatz (Remote login)
Escalation to SYSTEM privilege
- MS14-058 Exploit
- MS15-078 Exploit
Privilege escalation
- SDB UAC Bypass
Capturing domain administrator rights account
- MS14-068 Exploit
- Golden Ticket (Mimikatz)
- Silver Ticket (Mimikatz)
Capturing Active Directory database
- ntdsutil
- vssadmin
Adding or deleting a user group (creating a domain administrator user or adding it to an administrator group)
- net user
File sharing
- net use
- net share
- icacls
Deleting evidence
- sdelete
- timestomp
Deleting event log
- wevtutil
Obtaining account information
- csvde
- ldifde
- dsquery
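As an added example (not code from the JPCERT/CC report), the following Python routine shows what "identifying the tool from the logs" looks like in practice for the command-line tools in the list above. It assumes that Windows events have already been exported to Python dictionaries (for instance from Get-WinEvent or an EVTX parser; the field names used here are the example's own choice), that process creation auditing with command-line logging is enabled so that Security event 4688 carries the command line, that PsExec's service installation shows up as System event 7045 for PSEXESVC, and that a cleared Security log leaves event 1102. The sample events are constructed for illustration. Tools that are only recognizable by process image, such as Mimikatz, are deliberately left out because an image name is trivially renamed.

```python
"""Map Windows event records to the attacker-purpose categories of the JPCERT tool list.

Added example, not JPCERT/CC code. Assumed event sources:
  * Security 4688 (process creation) with command-line logging enabled
  * System 7045 (service installation), which PsExec's PSEXESVC triggers on the target
  * Security 1102 (audit log cleared)
Field names (EventID, Computer, CommandLine, ...) are this example's own assumption.
"""
import re
from collections import defaultdict

# (category from the JPCERT list, tool name, regex applied to the lowercased command line).
# Patterns are kept narrow on purpose: "net user" must not match "net use", and the
# two-letter "at" is only accepted when it targets a remote host (at \\host ...).
RULES = [
    ("Command execution", "PsExec", r"\bpsexe(c(64)?|svc)\.exe\b"),
    ("Command execution", "wmic", r"\bwmic(\.exe)?\b"),
    ("Command execution", "PowerShell", r"\bpowershell(\.exe)?\b"),
    ("Command execution", "wmiexec.vbs", r"\bwmiexec\.vbs\b"),
    ("Command execution", "winrm", r"\bwinrm(\.cmd)?\b"),
    ("Command execution", "at", r"(^|\\)at(\.exe)?\s+\\\\"),
    ("Command execution", "winrs", r"\bwinrs(\.exe)?\b"),
    ("Command execution", "BITS", r"\bbitsadmin(\.exe)?\b"),   # bitsadmin is the BITS command-line client
    ("Capturing Active Directory database", "ntdsutil", r"\bntdsutil\b"),
    ("Capturing Active Directory database", "vssadmin", r"\bvssadmin\b.*\bcreate\s+shadow\b"),
    ("Adding or deleting a user group", "net user", r"\bnet1?(\.exe)?\s+(user|group|localgroup)\b"),
    ("File sharing", "net use", r"\bnet1?(\.exe)?\s+use\b"),
    ("File sharing", "net share", r"\bnet1?(\.exe)?\s+share\b"),
    ("File sharing", "icacls", r"\bicacls\b"),
    ("Deleting evidence", "sdelete", r"\bsdelete(64)?(\.exe)?\b"),
    ("Deleting evidence", "timestomp", r"\btimestomp\b"),
    ("Deleting event log", "wevtutil", r"\bwevtutil(\.exe)?\s+cl\b"),
    ("Obtaining account information", "csvde", r"\bcsvde\b"),
    ("Obtaining account information", "ldifde", r"\bldifde\b"),
    ("Obtaining account information", "dsquery", r"\bdsquery\b"),
]


def classify_event(event):
    """Return (category, tool, reason) for a matching event, or None for anything else."""
    eid = event["EventID"]
    if eid == 4688:
        # Fall back to the image path when the command line was not logged.
        cmd = event.get("CommandLine") or event.get("NewProcessName", "")
        low = cmd.lower()
        for category, tool, pattern in RULES:
            if re.search(pattern, low):
                return (category, tool, f"4688 command line: {cmd}")
        return None
    if eid == 7045 and "psexesvc" in event.get("ServiceName", "").lower():
        return ("Command execution", "PsExec", "7045 service installed: PSEXESVC")
    if eid == 1102:
        # The log-clear event itself survives the clearing; attribute it to wevtutil cl or an equivalent.
        return ("Deleting event log", "wevtutil", f"1102 audit log cleared by {event.get('SubjectUserName')}")
    return None


def summarize(events):
    """Group hits per host, in log order, so the hop-by-hop chain is visible."""
    hits = defaultdict(list)
    for event in events:
        match = classify_event(event)
        if match:
            hits[event["Computer"]].append(match[:2])
    return dict(hits)


# Constructed sample events: a workstation driving WMI at a file server, PsExec landing on
# the file server, a new account being added, and the AD database copied off a DC before
# the Security log is cleared. The last record is benign and must not match.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic /node:FS01 /user:corp\admin process call create "cmd /c whoami"'},
    {"EventID": 7045, "Computer": "FS01", "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 4688, "Computer": "FS01", "SubjectUserName": "admin",
     "NewProcessName": r"C:\Windows\System32\net.exe", "CommandLine": r"net user backup P@ssw0rd /add /domain"},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "admin",
     "NewProcessName": r"C:\Windows\System32\vssadmin.exe", "CommandLine": r"vssadmin create shadow /for=C:"},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "admin",
     "NewProcessName": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r'ntdsutil "ac i ntds" "ifm" "create full C:\temp\x" q q'},
    {"EventID": 1102, "Computer": "DC01", "SubjectUserName": "admin"},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
]

if __name__ == "__main__":
    for host, findings in summarize(SAMPLE_EVENTS).items():
        for category, tool in findings:
            print(f"{host}: {category} <- {tool}")
```

The per-host summary reads as the attack chain the report is concerned with: WMI remote execution from the workstation, PsExec and account creation on the file server, then ntds.dit extraction and log clearing on the domain controller. Note that the 4688 rules are only as good as the audit policy: without "Include command line in process creation events" most of these patterns see nothing but an image path.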
References
JPCERT/CC, "Detecting Lateral Movement through Tracking Event Logs": https://www.jpcert.or.jp/english/pub/sr/ir_research.html
Full report (PDF): https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf