Detecting Lateral Movement through tracking Windows Events

Research by the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)


By “lateral movement” we mean the techniques that enable an adversary to access and control remote systems on a network. An attacker uses lateral movement for many purposes, including remote execution of tools, pivoting to additional systems, access to specific information or files, access to additional credentials, or to cause an effect on a target system.

This kind of activity inevitably generates a lot of network noise and log entries, so by analysing the logs we can identify the type of technique or tool used for lateral movement.

JPCERT/CC (Japan Computer Emergency Response Team Coordination Center) published a useful report in which many Windows tools used for lateral movement are identified from the traces they leave in Windows event logs.


To study such tool use, JPCERT/CC extracted the tools used by many attackers by investigating recently confirmed cases of targeted attacks. Research was then conducted to investigate what kind of logs these tools leave on servers and clients, and what settings need to be configured to obtain logs that contain sufficient evidential information. The report summarises the results of this research.


List of tested tools (grouped by the attacker’s purpose in using the tool)

Command execution

  • PsExec
  • wmic
  • PowerShell
  • wmiexec.vbs
  • BeginX
  • winrm
  • at
  • winrs
  • BITS

Obtaining password hash

  • PWDump7
  • PWDumpX
  • Quarks PwDump
  • Mimikatz (Obtaining password hash)
  • Mimikatz (Obtaining ticket)
  • WCE
  • gsecdump
  • lslsass
  • Find-GPOPasswords.ps1
  • Mail PassView
  • WebBrowserPassView
  • Remote Desktop PassView

Malicious communication relay (Packet tunneling)

  • Htran
  • Fake wpad

Remote login

  • RDP

Pass-the-hash/Pass-the-ticket

  • WCE (Remote login)
  • Mimikatz (Remote login)

Escalation to SYSTEM privilege

  • MS14-058 Exploit
  • MS15-078 Exploit

Privilege escalation

  • SDB UAC Bypass

Capturing domain administrator rights account

  • MS14-068 Exploit
  • Golden Ticket (Mimikatz)
  • Silver Ticket (Mimikatz)

Capturing Active Directory database

  • ntdsutil
  • vssadmin

Adding or deleting a user or group (creating a domain administrator user or adding a user to an administrator group)

  • net user

File sharing

  • net use
  • net share
  • icacls

Deleting evidence

  • sdelete
  • timestomp

Deleting event log

  • wevtutil

Obtaining account information

  • csvde
  • ldifde
  • dsquery
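As an added example (not part of the original article or of the JPCERT/CC report), the detection logic below sweeps Windows event records for traces of several tools in the list above. Records are plain dicts in the shape an EVTX-to-JSON export produces; the field names are the real ones from Security 4688 (process creation), System 7045 (service installation), Security 1102 / System 104 (log cleared) and Security 4624 (logon). The event records at the bottom are constructed for this example, and the host and user names in them are made up.

```python
"""Rule-based sweep of Windows event records for the lateral-movement tools above.

Records are plain dicts as produced by an EVTX-to-JSON export: EventID, Channel,
Computer plus the EventData fields of that event. The records at the bottom are
constructed for this example (hostnames and user names are made up).
"""
import re
from typing import Callable, Iterable

Event = dict

# Security 4688 (process creation) and Sysmon event 1 both carry CommandLine.
PROCESS_EVENTS = {(4688, "Security"), (1, "Microsoft-Windows-Sysmon/Operational")}


def _cmd(ev: Event) -> str:
    # 4688 carries CommandLine only when "Include command line in process creation
    # events" is enabled; fall back to the image path so the rule still fires on the
    # tool's own binary name (a renamed binary would then slip through).
    return ev.get("CommandLine") or ev.get("NewProcessName") or ""


def _proc(pattern: str) -> Callable[[Event], bool]:
    """Build a predicate matching a process-creation record's command line."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda ev: ((ev.get("EventID"), ev.get("Channel")) in PROCESS_EVENTS
                       and rx.search(_cmd(ev)) is not None)


# (rule name, predicate). Patterns key on the tool's syntax rather than its path.
RULES: list[tuple[str, Callable[[Event], bool]]] = [
    ("PsExec service install (PSEXESVC)",
     lambda ev: ev.get("EventID") == 7045 and ev.get("Channel") == "System"
     and "psexesvc" in (ev.get("ServiceName", "") + ev.get("ImagePath", "")).lower()),
    ("wmic remote process creation",
     _proc(r"\bwmic(\.exe)?\b.*\s/node:\S+.*\bprocess\s+call\s+create\b")),
    ("at remote job scheduling", _proc(r"(^|\\)at(\.exe)?\s+\\\\\S+")),
    ("net user account creation", _proc(r"\bnet1?(\.exe)?\s+user\s+.*\s/add\b")),
    ("vssadmin shadow copy (ntds.dit access)",
     _proc(r"\bvssadmin(\.exe)?\s+create\s+shadow\b")),
    ("ntdsutil AD database dump", _proc(r"\bntdsutil(\.exe)?\b.*\b(ifm|ac\s+i\s+ntds)\b")),
    ("wevtutil log clearing", _proc(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b")),
    ("event log cleared",
     lambda ev: (ev.get("EventID"), ev.get("Channel")) in {(1102, "Security"), (104, "System")}),
    ("RDP logon (type 10)",
     lambda ev: ev.get("EventID") == 4624 and str(ev.get("LogonType")) == "10"),
]


def detect(events: Iterable[Event]) -> list[tuple[str, str, int]]:
    """Return (rule name, Computer, record index) for each rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for name, pred in RULES:
            if pred(ev):
                hits.append((name, ev.get("Computer", "?"), i))
    return hits


SAMPLE_EVENTS: list[Event] = [  # constructed records, not real telemetry
    {"EventID": 7045, "Channel": "System", "Computer": "FILESRV01",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 4688, "Channel": "Security", "Computer": "WS-042", "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic /node:FILESRV01 /user:corp\\admin process call create "
                    "\"cmd /c whoami > c:\\out.txt\""},
    {"EventID": 4688, "Channel": "Security", "Computer": "DC01", "SubjectUserName": "svc_backup",
     "NewProcessName": "C:\\Windows\\System32\\net1.exe",
     "CommandLine": "net1 user backdoor P@ssw0rd! /add /domain"},
    {"EventID": 4688, "Channel": "Security", "Computer": "DC01", "SubjectUserName": "svc_backup",
     "NewProcessName": "C:\\Windows\\System32\\ntdsutil.exe",
     "CommandLine": "ntdsutil \"ac i ntds\" \"ifm\" \"create full c:\\temp\\x\" q q"},
    {"EventID": 4688, "Channel": "Security", "Computer": "WS-042", "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\System32\\wevtutil.exe",
     "CommandLine": "wevtutil cl Security"},
    {"EventID": 1102, "Channel": "Security", "Computer": "WS-042", "SubjectUserName": "jdoe"},
    {"EventID": 4688, "Channel": "Security", "Computer": "WS-042", "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
    {"EventID": 4624, "Channel": "Security", "Computer": "WS-042",
     "LogonType": "3", "IpAddress": "10.0.0.5"},
]

if __name__ == "__main__":
    for name, host, idx in detect(SAMPLE_EVENTS):
        print(f"[{host}] record {idx}: {name}")
```

The 4688 rules only work if process-creation auditing is enabled and the “Include command line in process creation events” policy is on; without it the record carries only NewProcessName, which is why the helper falls back to the image path and why a renamed binary would then slip past. Note that a `wevtutil cl Security` followed by a 1102 on the same host is exactly the pairing to look for: the clearing command survives in the forwarded copy of the log even though the local Security log is empty afterwards, so forward events to a collector before relying on any of these rules.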

References

JPCERT/CC, “Detecting Lateral Movement through Tracking Event Logs” (research report page): https://www.jpcert.or.jp/english/pub/sr/ir_research.html

Full report (PDF): https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf
