Spotting Lateral Movement - BSides Augusta 2019

Lateral movement is an integral part of adversary movement into and around networks. This functionality is now built into relatively inexpensive, widely available malware, as well as into the operating system tooling used for system administration. There is some good news: you CAN detect an adversary moving around your network with the proper telemetry and analysis. This session will arm defenders with techniques to detect six commonly used methods of moving laterally, using endpoint data.

Tony M Lambert

October 05, 2019

Transcript

  1. Tony Lambert, Detection Engineer/Intel, RED CANARY, @ForensicITGuy ($env:UserName)
     ▪ Find & detect adversaries using data
     ▪ Recovering system administrator
     ▪ Love to teach, hate to grade homework
  2. (graphic only; no recoverable text)
  3. Overview
     What’s endpoint data anyways? Lateral Movement Techniques:
     ▪ Windows Admin Shares
     ▪ Windows Remote Management
     ▪ Remote Desktop Protocol
     ▪ Pass the Hash
     ▪ Exploitation of Remote Services
     ▪ Remote Services
  4. Windows Admin Shares
     ▪ Hidden network shares for admins
     ▪ Copy files & schedule execution
     ▪ ADMIN$ == %SystemRoot% == C:\Windows
       \\win10-pc\ADMIN$
  5. Windows Admin Shares - Copy
     ▪ Logs
       ◦ 5140 - Network Share Accessed
       ◦ 5145 - Network Share Access Checked
       ◦ 4624 - Account Logged On (Type 3)
  6. Windows Admin Shares - Service
     ▪ Logs
       ◦ 7045 - New Service
     ▪ EDR
       ◦ parent process == services.exe
       ◦ path == System32 OR SysWOW64
  7. Windows Admin Shares - Both
     ▪ Live Forensics
       ◦ New files in C:\Windows (NTFS Entry Number)
       ◦ Services in Registry (HKLM\SYSTEM\CurrentControlSet\Services)
  8. Bonus! PsExec Clones
     ▪ Named Pipes (Sysmon Event ID 17)
       ◦ PsExec - \\.\pipe\psexesvc
       ◦ RemCom - \\.\pipe\remcom_comunication
       ◦ PaExec - *PAExec*
       ◦ CSExec - \\.\pipe\csexecsvc
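The admin-share detection chain from slides 4 to 8, worked through as an added Python example (this is not code from the talk): constructed Security 5145, System 7045 and Sysmon 17 records are correlated so that ADMIN$ access followed within a short window by a new service whose binary sits under %SystemRoot% (which contains System32 and SysWOW64) is reported, and Sysmon 17 pipe names are matched against the PsExec-clone list on slide 8. The event field names, hostnames, accounts and the 120-second window are assumptions.

```python
from datetime import datetime

# Constructed sample records; field names approximate Security 5145,
# System 7045 and Sysmon 17 event data (added example, not from the talk).
SAMPLE_EVENTS = [
    {"id": 5145, "time": "2019-10-05T10:00:01", "host": "win10-pc",
     "share": r"\\*\ADMIN$", "target": "PSEXESVC.exe",
     "source_ip": "10.0.0.5", "account": r"CORP\jdoe"},
    {"id": 7045, "time": "2019-10-05T10:00:04", "host": "win10-pc",
     "service_name": "PSEXESVC", "image_path": r"C:\Windows\PSEXESVC.exe"},
    {"id": 17, "time": "2019-10-05T10:00:05", "host": "win10-pc",
     "pipe_name": r"\PSEXESVC", "image": r"C:\Windows\PSEXESVC.exe"},
    {"id": 7045, "time": "2019-10-05T11:30:00", "host": "srv01",
     "service_name": "BackupAgent",
     "image_path": r"C:\Program Files\Backup\agent.exe"},
    {"id": 17, "time": "2019-10-05T11:31:00", "host": "srv01",
     "pipe_name": r"\RemCom_comunication", "image": r"C:\Windows\RemComSvc.exe"},
]

# Pipe-name fragments from slide 8, mapped to the tool that creates them.
PSEXEC_CLONE_PIPES = {
    "psexesvc": "PsExec",
    "remcom_comunication": "RemCom",
    "paexec": "PaExec",
    "csexecsvc": "CSExec",
}

# ADMIN$ maps to %SystemRoot%; assumed to be C:\Windows as on slide 4.
SYSTEM_ROOT = r"c:\windows"


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def classify_pipe(pipe_name):
    """Return the PsExec-clone name for a Sysmon 17 PipeName, or None."""
    name = pipe_name.lower().lstrip("\\")
    for fragment, tool in PSEXEC_CLONE_PIPES.items():
        if fragment in name:
            return tool
    return None


def in_admin_share_root(image_path):
    """True when a service binary lives under %SystemRoot%
    (this covers System32 and SysWOW64, which sit below it)."""
    return image_path.lower().startswith(SYSTEM_ROOT + "\\")


def find_admin_share_service_chains(events, window_seconds=120):
    """Pair ADMIN$ access (5145) with a new service (7045) installed on the
    same host within window_seconds whose binary sits in %SystemRoot%."""
    shares = [e for e in events
              if e["id"] == 5145 and e["share"].upper().endswith("ADMIN$")]
    chains = []
    for svc in (e for e in events if e["id"] == 7045):
        if not in_admin_share_root(svc["image_path"]):
            continue
        for share in shares:
            if share["host"] != svc["host"]:
                continue
            delta = (_ts(svc["time"]) - _ts(share["time"])).total_seconds()
            if 0 <= delta <= window_seconds:
                chains.append({
                    "host": svc["host"],
                    "source_ip": share["source_ip"],
                    "account": share["account"],
                    "service": svc["service_name"],
                    "seconds_after_share_access": delta,
                })
    return chains


def find_clone_pipes(events):
    """(host, tool) for every Sysmon 17 event whose pipe matches a clone."""
    hits = []
    for e in events:
        if e["id"] != 17:
            continue
        tool = classify_pipe(e["pipe_name"])
        if tool:
            hits.append((e["host"], tool))
    return hits


if __name__ == "__main__":
    for chain in find_admin_share_service_chains(SAMPLE_EVENTS):
        print("admin-share service install:", chain)
    for host, tool in find_clone_pipes(SAMPLE_EVENTS):
        print(f"{host}: named pipe of {tool}")
```

The pipe match is a substring check so that the variable PAExec pipe name (`*PAExec*` on the slide) is caught alongside the fixed names; the service check is deliberately broader than "System32 OR SysWOW64" because ADMIN$ writes land in %SystemRoot% itself.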
  9. Windows Remote Management
     ▪ Admin all the systems!
     ▪ WinRM configures, can also call WMI
     ▪ WinRS issues remote commands
     ▪ WMI does a little of everything
     ▪ PowerShell Remoting builds on previous tools
  10. WinRS
      ▪ Logs
        ◦ ID 169 - User authenticating to WinRM service
        ◦ ID 4624 - User Logged On (Logon Type 3)
      ▪ EDR
        ◦ Receiver parent process == winrshost.exe
        ◦ Sender process == winrs.exe -r:
  11. Windows Mgmt Instrumentation
      ▪ Logs
        ◦ ID 5857 - WMI Activity Started (WMI-Activity/Operational log)
        ◦ ID 4624 - User Logged On (Logon Type 3 & 5)
      ▪ EDR
        ◦ Receiver parent process == wmiprvse.exe
        ◦ Sender process == wmic.exe /node:
  12. PowerShell Remoting
      ▪ Logs
        ◦ ID 4104 - Suspicious PS Script Block
        ◦ ID 4624 - User Logged On (Logon Type 3)
      ▪ EDR
        ◦ Receiver parent process == wsmprovhost.exe
        ◦ Sender process == powershell.exe OR pwsh.exe
  13. Windows Remote Management
      ▪ Live Forensics
        ◦ Relies heavily on mature logs and process auditing
        ◦ Process execution artifacts (Prefetch, etc…)
        ◦ PowerShell transcripts, ConsoleHost_history.txt
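Added Python example (not the speaker's code) for the receiver/sender pairing on slides 10 to 12: EDR process events are classified as receivers by their parent image (winrshost.exe, wmiprvse.exe, wsmprovhost.exe) and as senders by the remote host named on their command line, then paired across hosts within a short window. The winrs -r: and wmic /node: forms come from the slides; treating -ComputerName on powershell.exe/pwsh.exe as the sender's target, the event field names, hostnames and the 60-second window are assumptions.

```python
import re
from datetime import datetime

# Parent images that host remotely executed commands on the receiving side.
RECEIVER_PARENTS = {
    "winrshost.exe": "WinRS",
    "wmiprvse.exe": "WMI",
    "wsmprovhost.exe": "PowerShell Remoting",
}

# Sender command-line patterns; the -ComputerName form is an assumption.
_TARGET = r"""['"]?([\w.-]+)"""
SENDER_PATTERNS = {
    "winrs.exe": re.compile(r"-r:(?:https?://)?" + _TARGET, re.I),
    "wmic.exe": re.compile(r"/node:" + _TARGET, re.I),
    "powershell.exe": re.compile(r"-ComputerName\s+" + _TARGET, re.I),
    "pwsh.exe": re.compile(r"-ComputerName\s+" + _TARGET, re.I),
}

# Constructed EDR process events: a sender on admin-ws, receivers elsewhere.
SAMPLE_PROCESSES = [
    {"time": "2019-10-05T10:00:00", "host": "admin-ws", "image": r"C:\Windows\System32\winrs.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "winrs.exe -r:srv01 whoami"},
    {"time": "2019-10-05T10:00:01", "host": "srv01", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\winrshost.exe", "cmdline": "cmd.exe /c whoami"},
    {"time": "2019-10-05T10:05:00", "host": "admin-ws", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'wmic.exe /node:"srv02" process call create "notepad.exe"'},
    {"time": "2019-10-05T10:05:02", "host": "srv02", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\System32\wbem\wmiprvse.exe", "cmdline": "notepad.exe"},
    {"time": "2019-10-05T10:10:00", "host": "srv03", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wsmprovhost.exe", "cmdline": "powershell.exe -NoProfile -Command Get-Process"},
    {"time": "2019-10-05T10:11:00", "host": "srv01", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs"},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def classify_receiver(event):
    """Tool name when the process was spawned by a WinRM/WMI host process."""
    return RECEIVER_PARENTS.get(_basename(event["parent"]))


def sender_target(event):
    """Remote host named on a sender's command line, or None."""
    pattern = SENDER_PATTERNS.get(_basename(event["image"]))
    if not pattern:
        return None
    match = pattern.search(event["cmdline"])
    return match.group(1).lower() if match else None


def correlate_remote_execution(events, window_seconds=60):
    """Pair each receiver-side child with the sender event that named its host
    shortly before. Receivers with no visible sender are reported on their own,
    since the sending host may sit outside telemetry coverage."""
    senders = [(e, sender_target(e)) for e in events if sender_target(e)]
    paired, unpaired = [], []
    for recv in events:
        tool = classify_receiver(recv)
        if not tool:
            continue
        match = None
        for snd, target in senders:
            delta = (_ts(recv["time"]) - _ts(snd["time"])).total_seconds()
            if target == recv["host"].lower() and 0 <= delta <= window_seconds:
                match = snd
                break
        record = {"tool": tool, "receiver_host": recv["host"],
                  "child": _basename(recv["image"])}
        if match:
            record["sender_host"] = match["host"]
            record["sender_cmdline"] = match["cmdline"]
            paired.append(record)
        else:
            unpaired.append(record)
    return paired, unpaired


if __name__ == "__main__":
    paired, unpaired = correlate_remote_execution(SAMPLE_PROCESSES)
    for r in paired:
        print(f"{r['sender_host']} -> {r['receiver_host']} via {r['tool']}: {r['child']}")
    for r in unpaired:
        print(f"{r['receiver_host']}: {r['tool']} child {r['child']} with no observed sender")
```

The unpaired list is the interesting one in practice: a receiver-side child under wsmprovhost.exe with no sender in your own telemetry usually means the command came from a host you do not monitor.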
  14. Remote Desktop Management
      ▪ Admin with a GUI
      ▪ Shares clipboard, printers, disks, etc…
      ▪ Often used for a desktop experience
  15. Remote Desktop Management
      ▪ Logs
        ◦ ID 1149 - Successful RDP Remote Connection
        ◦ ID 4624 - User Logged On (Logon Type 10 or 7)
      ▪ EDR
        ◦ Telltale processes == rdpclip.exe
        ◦ Sender process == mstsc.exe
  16. Remote Desktop Mgmt - Activity
      ▪ EDR
        ◦ Parent processes == explorer.exe, cmd.exe, etc.
      ▪ Live Forensics
        ◦ Prefetch parsing
        ◦ User activity forensics like local logon
  17. Remote Desktop Mgmt - Tunnelling
      ▪ EDR
        ◦ plink.exe AND cmdline includes 127.0.0.1:3389
        ◦ netsh.exe AND cmdline includes connectp AND 3389
      ▪ Live Forensics
        ◦ HKCU\SYSTEM\CurrentControlSet\Services\PortProxy
        ◦ Artifacts of plink.exe execution
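Added Python example (not from the deck) for the tunnelling rules on slide 17, generalized slightly: rather than matching the literal strings 127.0.0.1:3389 and connectp, it parses netsh portproxy key=value arguments and plink -L/-R forward specs and reports any forward whose final hop is port 3389, so a tunnel to a different loopback or internal address is caught too. The hostnames and ports in the sample command lines are constructed.

```python
RDP_PORT = "3389"


def _basename(path):
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _tokens(cmdline):
    return [t.strip('"') for t in cmdline.split()]


def parse_netsh_portproxy(cmdline):
    """netsh interface portproxy ... connectport=3389 -> forward details."""
    lowered = [t.lower() for t in _tokens(cmdline)]
    if "portproxy" not in lowered:
        return None
    kv = dict(t.split("=", 1) for t in lowered if "=" in t)
    if kv.get("connectport") != RDP_PORT:
        return None
    return {
        "tool": "netsh portproxy",
        "listen": f"{kv.get('listenaddress', '*')}:{kv.get('listenport', '?')}",
        "target": f"{kv.get('connectaddress', '?')}:{kv['connectport']}",
    }


def parse_plink_forward(cmdline):
    """plink -L/-R listen:host:port where the final hop is port 3389."""
    tokens = _tokens(cmdline)
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("-L", "-R"):
            spec = tokens[i + 1].split(":")
            if len(spec) >= 3 and spec[-1] == RDP_PORT:
                return {"tool": "plink", "direction": tok,
                        "target": f"{spec[-2]}:{spec[-1]}"}
    return None


def detect_rdp_tunnel(image, cmdline):
    """Return forward details when the process sets up a tunnel to RDP."""
    name = _basename(image)
    if name == "netsh.exe":
        return parse_netsh_portproxy(cmdline)
    if name == "plink.exe":
        return parse_plink_forward(cmdline)
    return None


# Constructed process records (image, command line); hosts and ports invented.
SAMPLE_PROCESSES = [
    (r"C:\Users\jdoe\plink.exe",
     "plink.exe -R 8080:127.0.0.1:3389 relay.example.internal -N"),
    (r"C:\Windows\System32\netsh.exe",
     "netsh.exe interface portproxy add v4tov4 listenport=8080 "
     "listenaddress=0.0.0.0 connectport=3389 connectaddress=127.0.0.1"),
    (r"C:\Windows\System32\netsh.exe", "netsh.exe advfirewall show allprofiles"),
    (r"C:\Tools\plink.exe",
     "plink.exe -L 3306:db.example.internal:3306 ops@bastion.example.internal"),
]


def scan(processes):
    """Run the tunnel check over (image, cmdline) pairs and keep the hits."""
    hits = []
    for image, cmdline in processes:
        hit = detect_rdp_tunnel(image, cmdline)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_PROCESSES):
        print(hit)
```

Parsing the arguments instead of substring-matching also records where the tunnel listens, which is what you need when you go looking for the PortProxy registry key from the same slide.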
  18. Pass the Hash
      ▪ Authentication using NTLM hashes
      ▪ No cleartext password
      ▪ Mitigate with Win10 Credential Guard
      ▪ Mitigate with Domain Protected Users group
  19. Pass the Hash
      ▪ Logs
        ◦ ID 4672 - Special Privileges Logon
        ◦ ID 4624 - User Logged On (Logon Type 3 or 9)
        ◦ ID 10 - Sysmon (ProcessAccess lsass.exe)
        ◦ Not a domain logon
        ◦ Not the ANONYMOUS LOGON account
  20. Pass the Hash
      ▪ EDR
        ◦ Doesn’t know the difference
      ▪ Live Forensics
        ◦ Grab the local logs
        ◦ Credential theft tools and material on disk
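Added Python example (not the speaker's code) applying the slide 19 criteria to constructed 4624, 4672 and Sysmon 10 records: a network logon (type 3) over NTLM for an account outside the domain, or a NewCredentials logon (type 9), is a candidate unless the account is ANONYMOUS LOGON, and a 4672 for the same logon ID is noted as a boost; lsass.exe access from a process outside an allowlist is reported separately. The domain name CORP, the field names and the allowlist are assumptions.

```python
DOMAIN = "CORP"  # constructed AD domain name for the sample

# Constructed Security/Sysmon records; field names approximate event data.
SAMPLE_EVENTS = [
    {"id": 4624, "time": "2019-10-05T10:00:00", "host": "srv01", "logon_type": 3,
     "auth_package": "NTLM", "account": "Administrator", "domain": "SRV01",
     "logon_id": "0x3e7a1", "source_ip": "10.0.0.5"},
    {"id": 4672, "time": "2019-10-05T10:00:00", "host": "srv01",
     "account": "Administrator", "logon_id": "0x3e7a1"},
    {"id": 4624, "time": "2019-10-05T10:01:00", "host": "srv01", "logon_type": 3,
     "auth_package": "Kerberos", "account": "jdoe", "domain": "CORP",
     "logon_id": "0x3e7b2", "source_ip": "10.0.0.20"},
    {"id": 4624, "time": "2019-10-05T10:02:00", "host": "srv01", "logon_type": 3,
     "auth_package": "NTLM", "account": "ANONYMOUS LOGON", "domain": "NT AUTHORITY",
     "logon_id": "0x3e7c3", "source_ip": "10.0.0.20"},
    {"id": 4624, "time": "2019-10-05T10:03:00", "host": "admin-ws", "logon_type": 9,
     "auth_package": "Negotiate", "account": "jdoe", "domain": "CORP",
     "logon_id": "0x3e7d4", "source_ip": "-"},
    {"id": 10, "time": "2019-10-05T10:02:30", "host": "admin-ws",
     "source_image": r"C:\Users\jdoe\AppData\Local\Temp\tool.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
]

# Images that routinely open lsass.exe on a typical host (assumed; tune per environment).
LSASS_READER_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe",
                          "services.exe", "svchost.exe"}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def logon_reasons(event):
    """Reasons a 4624 matches the slide's pass-the-hash criteria (empty = none)."""
    if event["id"] != 4624 or event["logon_type"] not in (3, 9):
        return []
    if event["account"].upper() == "ANONYMOUS LOGON":
        return []
    reasons = []
    if event["logon_type"] == 9:
        reasons.append("logon type 9 (NewCredentials)")
    elif event["auth_package"].upper() == "NTLM" and event["domain"].upper() != DOMAIN:
        reasons.append("network logon over NTLM")
        reasons.append(f"not a domain logon: {event['domain']}\\{event['account']}")
    return reasons


def find_pth_candidates(events):
    """4624 events that match, annotated when a 4672 shares their logon ID."""
    privileged = {e["logon_id"] for e in events if e["id"] == 4672}
    candidates = []
    for e in events:
        reasons = logon_reasons(e)
        if not reasons:
            continue
        if e["logon_id"] in privileged:
            reasons.append("special privileges assigned (4672)")
        candidates.append({"host": e["host"], "logon_id": e["logon_id"],
                           "account": e["account"], "source_ip": e["source_ip"],
                           "reasons": reasons})
    return candidates


def find_lsass_access(events):
    """Sysmon 10 ProcessAccess against lsass.exe from a non-allowlisted image."""
    return [e for e in events
            if e["id"] == 10
            and _basename(e["target_image"]) == "lsass.exe"
            and _basename(e["source_image"]) not in LSASS_READER_ALLOWLIST]


if __name__ == "__main__":
    for c in find_pth_candidates(SAMPLE_EVENTS):
        print(c["host"], c["logon_id"], c["account"], "; ".join(c["reasons"]))
    for e in find_lsass_access(SAMPLE_EVENTS):
        print(e["host"], "lsass access from", e["source_image"])
```

The "not a domain logon" test is the one that needs local tuning: environments with plenty of legitimate local-account NTLM logons (imaging, backup agents) will want a per-account baseline before this goes into an alert.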
  21. Exploitation of Remote Services
      ▪ On Windows, primarily Server Message Block (SMB)
      ▪ “ETERNALBLUE” or maybe “BLUEKEEP” in the future
  22. Exploitation of Remote Services
      ▪ Logs
        ◦ Depending on exploit, sparse logging
        ◦ Code injection (if you have Sysmon)
      ▪ EDR
        ◦ Abnormal parent/child relationships
        ◦ lsass.exe, spoolsv.exe spawning child processes
  23. Exploitation of Remote Services
      ▪ Live forensics
        ◦ Evidence of code injection (memory forensics)
        ◦ Exploit code left on system
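Added Python example (not from the talk) for the parent/child rule on slide 22: a process tree is built from constructed process-creation records, any child of lsass.exe or spoolsv.exe is reported together with its full ancestry so the analyst sees the whole chain, and a per-parent allowlist (empty here; an assumption) leaves room for known exceptions in a given environment.

```python
# Parents that should not spawn children in normal operation, each with a set
# of allowlisted child images (empty by assumption; populate per environment).
SENSITIVE_PARENTS = {
    "lsass.exe": set(),
    "spoolsv.exe": set(),
}

# Constructed process-creation records (pid/ppid/image) from one host.
SAMPLE_PROCESSES = [
    {"pid": 4, "ppid": 0, "image": "System"},
    {"pid": 500, "ppid": 4, "image": r"C:\Windows\System32\smss.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\wininit.exe"},
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\System32\lsass.exe"},
    {"pid": 720, "ppid": 600, "image": r"C:\Windows\System32\services.exe"},
    {"pid": 1300, "ppid": 720, "image": r"C:\Windows\System32\spoolsv.exe"},
    {"pid": 4200, "ppid": 700, "image": r"C:\Windows\System32\cmd.exe"},        # abnormal
    {"pid": 4210, "ppid": 4200, "image": r"C:\Windows\System32\whoami.exe"},
    {"pid": 4300, "ppid": 1300, "image": r"C:\Windows\System32\rundll32.exe"},  # abnormal
    {"pid": 4400, "ppid": 720, "image": r"C:\Windows\System32\svchost.exe"},    # normal
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_tree(processes):
    """pid -> record, so parents can be looked up in constant time."""
    return {p["pid"]: p for p in processes}


def ancestry(tree, pid):
    """Image names from the process up to the root, e.g. cmd.exe <- lsass.exe <- ..."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:   # seen guards against pid reuse loops
        seen.add(pid)
        chain.append(_basename(tree[pid]["image"]))
        pid = tree[pid]["ppid"]
    return chain


def find_abnormal_children(processes):
    """Children of sensitive parents that are not on that parent's allowlist."""
    tree = build_tree(processes)
    hits = []
    for p in processes:
        parent = tree.get(p["ppid"])
        if not parent:
            continue
        parent_name = _basename(parent["image"])
        child_name = _basename(p["image"])
        if parent_name in SENSITIVE_PARENTS and child_name not in SENSITIVE_PARENTS[parent_name]:
            hits.append({"parent": parent_name, "child": child_name,
                         "chain": " <- ".join(ancestry(tree, p["pid"]))})
    return hits


if __name__ == "__main__":
    for hit in find_abnormal_children(SAMPLE_PROCESSES):
        print(f"{hit['parent']} spawned {hit['child']}: {hit['chain']}")
```

Reporting the chain rather than just the pair matters for the triage the slide describes: a cmd.exe under lsass.exe with nothing but system processes above it is exactly the shape that sparse exploit logging would otherwise leave invisible.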
  24. Remote Services
      ▪ On Windows, SMB
      ▪ On macOS & Linux, SSH & VNC
      ▪ Using services designed for remote connections
      ▪ Not always associated with remote administration
  25. Remote Services
      ▪ Logs
        ◦ Depends on service
        ◦ SSH - /var/log/secure (RHEL), /var/log/auth.log (Debian)
      ▪ EDR
        ◦ Child processes of SSHD and VNC daemons
        ◦ “ssh” commands with suspicious command lines
  26. Remote Services
      ▪ Live Forensics
        ◦ Recovering logs
        ◦ Filesystem artifacts correlated with logon
        ◦ Shell history
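Added Python example (not from the talk) for the SSH logs on slides 25 and 26: it parses the sshd "Accepted"/"Failed" lines found in /var/log/secure and /var/log/auth.log, summarizes them per source address, and flags sources where failures precede a success, where root logged in directly, or where nonexistent users were tried. The log lines are constructed; the sshd PID kept in each accepted record is what you would later join to child processes of sshd and to shell history.

```python
import re
from collections import defaultdict

# Constructed log lines in the syslog format used by /var/log/secure (RHEL)
# and /var/log/auth.log (Debian).
SAMPLE_LOG = """\
Oct  5 09:58:01 srv01 sshd[2101]: Failed password for invalid user admin from 10.0.0.5 port 50211 ssh2
Oct  5 09:58:04 srv01 sshd[2103]: Failed password for root from 10.0.0.5 port 50212 ssh2
Oct  5 09:58:09 srv01 sshd[2105]: Accepted password for root from 10.0.0.5 port 50213 ssh2
Oct  5 10:02:30 srv01 sshd[2140]: Accepted publickey for deploy from 10.0.0.20 port 41000 ssh2: RSA SHA256:CONSTRUCTEDFINGERPRINT
Oct  5 10:02:30 srv01 sshd[2140]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Oct  5 10:05:00 srv01 CRON[2200]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssshd\[(?P<pid>\d+)\]:\s"
    r"(?P<result>Accepted|Failed)\s(?P<method>\w+)\sfor\s(?P<invalid>invalid user\s)?"
    r"(?P<user>\S+)\sfrom\s(?P<ip>[\d.]+)\sport\s(?P<port>\d+)"
)


def parse_auth_line(line):
    """Dict for an sshd authentication line, None for anything else."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["invalid_user"] = rec.pop("invalid") is not None
    rec["pid"] = int(rec["pid"])
    rec["port"] = int(rec["port"])
    return rec


def summarize_by_source(log_text):
    """Per source IP: failures (total and before the first success),
    accepted logins as (user, method, sshd pid), and nonexistent users tried."""
    summary = defaultdict(lambda: {"failed_before_success": 0, "failed": 0,
                                   "accepted": [], "invalid_users": set()})
    for line in log_text.splitlines():
        rec = parse_auth_line(line)
        if not rec:
            continue
        s = summary[rec["ip"]]
        if rec["result"] == "Failed":
            s["failed"] += 1
            if not s["accepted"]:
                s["failed_before_success"] += 1
            if rec["invalid_user"]:
                s["invalid_users"].add(rec["user"])
        else:
            s["accepted"].append((rec["user"], rec["method"], rec["pid"]))
    return dict(summary)


def flag_sources(summary):
    """Sources worth a look: failures then success, direct root login,
    or guesses at users that do not exist."""
    flags = {}
    for ip, s in summary.items():
        reasons = []
        if s["accepted"] and s["failed_before_success"]:
            reasons.append(f"{s['failed_before_success']} failures before success")
        if any(user == "root" for user, _, _ in s["accepted"]):
            reasons.append("accepted login as root")
        if s["invalid_users"]:
            reasons.append("tried nonexistent users: " + ", ".join(sorted(s["invalid_users"])))
        if reasons:
            flags[ip] = reasons
    return flags


if __name__ == "__main__":
    for ip, reasons in flag_sources(summarize_by_source(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(reasons))
```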
  27. FEEDBACK / Q & A
      Special thanks to:
      ▪ Michael Gough @hackerhurricane
      ▪ Carlos Perez @darkoperator
      ▪ JP-CERT @jpcert_en
      ▪ Matt Graeber @mattifestation
      ▪ MITRE ATT&CK @MITREattack
      ▪ SANS DFIR @sansforensics
      ▪ Matthew Dunwoody @matthewdunwoody
      ▪ FireEye @fireeye
      ▪ Jonathon Poling @JPoForenso
      ▪ STEALTHbits @STEALTHbits