Spotting Lateral Movement with Endpoint Data

Lateral movement is an integral part of an adversary's movement into and around a network. The required functionality is now built into relatively inexpensive and widely available malware, in addition to the tooling that operating systems ship for system administration. There is some good news: you CAN detect an adversary moving around your network with the proper telemetry and analysis. This session arms defenders with techniques to detect six commonly used lateral movement methods using endpoint data.

Tony M Lambert

March 28, 2019

Transcript

  1. Tony Lambert, Evil Finder, Red Canary
     Detection & analysis at Red Canary
     Recovering sysadmin
     Loves to teach, hates to grade homework
     $env:UserName @ForensicITGuy
  2. What’s endpoint data anyways? Lateral Movement Techniques
     • Windows Admin Shares
     • Windows Remote Management
     • Remote Desktop Protocol
     • Pass the Hash
     • Exploitation of Remote Services
     • Remote Services Overview
  3. Log Data
     Strengths: Everything has ‘em! So many options! Integrated with systems
     Weaknesses: So much data! Easy to misconfigure
  4. Endpoint Detection & Response
     Strengths: Flight recorder for computers; process metadata; happy medium
     Weaknesses: Hard to manage; doesn’t get content; mostly for processes only
  5. Live Forensics Tools
     Strengths: Full content; lots of visibility
     Weaknesses: Hard to scale; hard to spot ephemeral things; lots of human correlation
  6. Windows Admin Shares
     • Hidden network shares for admins
     • Copy files & schedule execution
     • ADMIN$ == %SystemRoot% == C:\Windows, e.g. \\win10-pc\ADMIN$
  7. Windows Admin Shares - Copy
     • Logs
       ◦ 5140 - Network Share Accessed
       ◦ 5145 - Network Share Access Checked
       ◦ 4624 - Account Logged On (Type 3)
  8. Windows Admin Shares - Service
     • Logs
       ◦ 7045 - New Service
     • EDR
       ◦ parent process == services.exe
       ◦ path == System32 OR SysWOW64
       ◦ Start with Unsigned
  9. Windows Admin Shares - Copy/Service
     • Live Forensics
       ◦ New files in C:\Windows (NTFS Entry Number)
       ◦ Services in Registry (HKLM\SYSTEM\CurrentControlSet\Services)
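The Admin Shares slides list three log events for the copy step (5145, 4624 type 3) and one for the execution step (7045), and note that ADMIN$ maps to %SystemRoot%. The correlation below is an added example, not from the deck: it keys events by host, records ADMIN$ access and network logons per source IP, and flags a new service whose binary lands under C:\Windows within a short window. Field names follow the Security/System log schema; all values and the window size are constructed.

```python
from collections import defaultdict

SYSTEM_ROOT = "c:\\windows\\"   # ADMIN$ == %SystemRoot% (slide 6)

def admin_share_service_hits(events, window=300):
    """Return (host, source_ip, image_path) for each 7045 service install
    whose binary sits under %SystemRoot% and that follows, within `window`
    seconds, an ADMIN$ access (5145) plus a type-3 logon (4624) from the
    same source IP on the same host."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["Computer"]].append(ev)
    hits = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["time"])
        share_seen = {}      # source ip -> time of first ADMIN$ access
        logon_seen = set()   # source ips with a network (type 3) logon
        for ev in evs:
            eid = ev["EventID"]
            if eid == 5145 and ev["ShareName"].upper().endswith("ADMIN$"):
                share_seen.setdefault(ev["IpAddress"], ev["time"])
            elif eid == 4624 and ev["LogonType"] == 3:
                logon_seen.add(ev["IpAddress"])
            elif eid == 7045:
                path = ev["ImagePath"].strip('"').lower()
                if not path.startswith(SYSTEM_ROOT):
                    continue  # not dropped through ADMIN$; out of scope here
                for ip, t0 in share_seen.items():
                    if ip in logon_seen and 0 <= ev["time"] - t0 <= window:
                        hits.append((host, ip, ev["ImagePath"]))
    return hits

# Constructed sample events (not real telemetry); times are epoch seconds.
SAMPLE = [
    {"Computer": "WIN10-PC", "EventID": 5145, "time": 100, "IpAddress": "10.0.0.5", "ShareName": "\\\\*\\ADMIN$"},
    {"Computer": "WIN10-PC", "EventID": 4624, "time": 101, "IpAddress": "10.0.0.5", "LogonType": 3},
    {"Computer": "WIN10-PC", "EventID": 7045, "time": 105, "ImagePath": "C:\\Windows\\svc_updater.exe"},
    {"Computer": "WIN10-PC", "EventID": 7045, "time": 110, "ImagePath": "\"C:\\Program Files\\Vendor\\agent.exe\""},
    {"Computer": "FILESRV", "EventID": 7045, "time": 120, "ImagePath": "C:\\Windows\\svc_updater.exe"},
]

if __name__ == "__main__":
    for hit in admin_share_service_hits(SAMPLE):
        print("possible admin-share service execution:", hit)
```

The FILESRV install is not flagged because no share access or network logon preceded it there; the signature check from the EDR bullet needs process telemetry and is not modelled here.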
  10. Windows Remote Management
     • Lets you admin all the systems
     • WinRM configures, can also call WMI
     • WinRS issues remote commands
     • WMI does a little of everything
     • PowerShell Remoting stands on all the previous tools
  11. Windows Remote Mgmt - WinRS
     • Logs
       ◦ ID 169 - User authenticating to WinRM service
       ◦ ID 4624 - User Logged On (Logon Type 3)
     • EDR
       ◦ Receiver parent process == winrshost.exe
       ◦ Sender process == winrs.exe -r:
  12. Windows Remote Mgmt - WMI
     • Logs
       ◦ ID 5857 - WMI Activity Started (Operational log)
       ◦ ID 4624 - User Logged On (Logon Type 3 & 5)
     • EDR
       ◦ Receiver parent process == wmiprvse.exe
       ◦ Sender process == wmic.exe /node:
  13. Windows Remote Mgmt - PSRemoting
     • Logs
       ◦ ID 4104 - Suspicious PS Script Block
       ◦ ID 4624 - User Logged On (Logon Type 3)
     • EDR
       ◦ Receiver parent process == wsmprovhost.exe
       ◦ Sender process == powershell.exe OR pwsh.exe
  14. Windows Remote Mgmt
     • Live Forensics
       ◦ Relies heavily on mature logs and process auditing
       ◦ Process execution artifacts (Prefetch, etc…)
       ◦ PowerShell transcripts, ConsoleHost_history.txt
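The WinRS, WMI and PSRemoting slides each give a receiver-side parent process and a sender-side process. The classifier below is an added example (not the deck's own code) that applies those rules to EDR process events: the parent name identifies the technique on the receiving host, and on the sending host the `-r:` and `/node:` switches also yield the remote target. Event field names and all sample values are constructed.

```python
import re

# Receiver side: parents that host commands arriving over WinRM (slides 11-13).
RECEIVER_PARENTS = {
    "winrshost.exe": "WinRS",
    "wmiprvse.exe": "WMI",
    "wsmprovhost.exe": "PowerShell Remoting",
}

# Sender side: the process and the switch that names the remote target.
SENDER_RULES = {
    "winrs.exe": ("WinRS", re.compile(r"-r:(?:https?://)?([^\s/:]+)", re.I)),
    "wmic.exe": ("WMI", re.compile(r'/node:"?([^\s"/]+)', re.I)),
}

def classify(ev):
    """Return (technique, role, remote_host) for one EDR process event, or
    None when it matches no rule. `ev` has process and parent as basenames
    plus the full cmdline; those field names are this example's own."""
    proc, parent = ev["process"].lower(), ev["parent"].lower()
    if parent in RECEIVER_PARENTS:
        return (RECEIVER_PARENTS[parent], "receiver", None)
    rule = SENDER_RULES.get(proc)
    if rule:
        technique, pattern = rule
        m = pattern.search(ev["cmdline"])
        if m:
            return (technique, "sender", m.group(1))
    return None

# Constructed sample events; hostnames and commands are made up.
SAMPLE = [
    {"process": "cmd.exe", "parent": "winrshost.exe", "cmdline": "cmd.exe /c hostname"},
    {"process": "winrs.exe", "parent": "cmd.exe", "cmdline": "winrs.exe -r:WIN10-PC hostname"},
    {"process": "wmic.exe", "parent": "cmd.exe", "cmdline": 'wmic.exe /node:"FILESRV" os get caption'},
    {"process": "powershell.exe", "parent": "wsmprovhost.exe", "cmdline": "powershell.exe -NoLogo -NoProfile"},
    {"process": "wmic.exe", "parent": "cmd.exe", "cmdline": "wmic.exe os get caption"},
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(ev["process"], "->", classify(ev))
```

A sender-side powershell.exe has no distinguishing switch, which is why the PSRemoting slide pairs it with the 4104 script block log rather than a command-line rule.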
  15. Remote Desktop Protocol
     • Admin with a GUI
     • Shares clipboard, printers, disks, etc…
     • Often used for a desktop experience
  16. Remote Desktop Protocol
     • Logs
       ◦ ID 1149 - Successful RDP Remote Connection
       ◦ ID 4624 - User Logged On (Logon Type 10 or 7)
     • EDR
       ◦ Telltale processes == rdpclip.exe
       ◦ Sender process == mstsc.exe
  17. Remote Desktop Protocol - Activity
     • EDR
       ◦ Parent processes == explorer.exe, cmd.exe, etc.
     • Live Forensics
       ◦ Prefetch parsing
       ◦ User activity forensics like local logon
  18. RDP Tunnelling
     • EDR
       ◦ plink.exe AND cmdline includes 127.0.0.1:3389
       ◦ netsh.exe AND cmdline includes connectp AND 3389
     • Live Forensics
       ◦ HKCU\SYSTEM\CurrentControlSet\Services\PortProxy
       ◦ Artifacts of plink.exe execution
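The two EDR rules on the RDP Tunnelling slide are substring checks on the command line. The added example below (not the deck's own code) implements both and, for the netsh case, also pulls out the portproxy listen and connect values so an analyst can see where the tunnel points. The `listenport`, `connectaddress` and `connectport` keywords are standard netsh portproxy parameters rather than something the slide lists; hosts, addresses and commands in the sample are constructed.

```python
import re

RDP_PORT = "3389"
# Standard netsh portproxy keywords (assumed here; the slide only says "connectp").
PORTPROXY_KV = re.compile(r"(listenport|connectaddress|connectport)=(\S+)", re.I)

def rdp_tunnel_indicator(process, cmdline):
    """Apply the two EDR rules from the RDP Tunnelling slide to one process
    event and return a dict describing the match, or None."""
    name, lowered = process.lower(), cmdline.lower()
    if name == "plink.exe" and f"127.0.0.1:{RDP_PORT}" in lowered:
        return {"rule": "plink-local-rdp-forward"}
    if name == "netsh.exe" and "connectp" in lowered and RDP_PORT in lowered:
        # Pull out where the proxy listens and where it forwards to.
        fields = {k.lower(): v for k, v in PORTPROXY_KV.findall(cmdline)}
        return {"rule": "netsh-portproxy-rdp", **fields}
    return None

def scan(events):
    """Run the indicator over EDR process events; returns (host, match) pairs."""
    hits = []
    for ev in events:
        match = rdp_tunnel_indicator(ev["process"], ev["cmdline"])
        if match:
            hits.append((ev["host"], match))
    return hits

# Constructed sample events (hosts, addresses and ports are made up).
SAMPLE = [
    {"host": "WIN10-PC", "process": "plink.exe",
     "cmdline": "plink.exe -N -R 2222:127.0.0.1:3389 relay.example"},
    {"host": "FILESRV", "process": "netsh.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=8443 connectaddress=10.0.0.7 connectport=3389"},
    {"host": "FILESRV", "process": "netsh.exe",
     "cmdline": "netsh advfirewall show allprofiles"},
    {"host": "WIN10-PC", "process": "plink.exe",
     "cmdline": "plink.exe -ssh admin@jumphost.example"},
]

if __name__ == "__main__":
    for host, match in scan(SAMPLE):
        print(host, match)
```

The two benign events (a firewall query and an ordinary SSH session) fall through both rules, which is the behaviour the slide's AND conditions are meant to give.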
  19. Pass the Hash
     • Authentication using NTLM hashes
     • No cleartext password
     • Mitigate with Win10 Credential Guard
     • Mitigate with Domain Protected Users group
  20. Pass the Hash
     • Logs
       ◦ ID 4672 - Special Privileges Logon
       ◦ ID 4624 - User Logged On (Logon Type 3 or 9)
       ◦ Not a domain logon
       ◦ Not the ANONYMOUS LOGON account
  21. Pass the Hash
     • EDR
       ◦ Doesn’t know the difference
     • Live Forensics
       ◦ Grab the local logs
       ◦ Credential theft tools and material on disk
       ◦ Otherwise normal user activity
  22. Exploitation of Remote Services
     • On Windows, primarily Server Message Block (SMB)
     • Exploits like MS17-010 SMB Remote Code Execution
       ◦ “ETERNALBLUE”
  23. Exploitation of Remote Services
     • Logs
       ◦ Depending on exploit, sparse logging
       ◦ Code injection (if you have Sysmon)
     • EDR
       ◦ Abnormal parent/child relationships
       ◦ lsass.exe spawning child processes
  24. Exploitation of Remote Services
     • Live forensics
       ◦ Evidence of code injection (memory forensics)
       ◦ Exploit code left on system
  25. Remote Services
     • On Windows, SMB
     • On macOS & Linux, SSH & VNC
     • Using services designed for remote connections
     • Not always associated with remote administration
  26. Exploitation of Remote Services
     • Logs
       ◦ Depends on service
       ◦ SSH - /var/log/secure (RHEL), /var/log/auth.log (Debian)
     • EDR
       ◦ Child processes of SSHD and VNC daemons
       ◦ “ssh” commands with suspicious command lines
  27. Exploitation of Remote Services
     • Live Forensics
       ◦ Recovering logs
       ◦ Filesystem artifacts correlated with logon
       ◦ Shell history
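Slides 26 and 27 point at the sshd lines in /var/log/secure or /var/log/auth.log, at child processes of sshd, and at correlating artifacts with the logon. The added example below (not the deck's own code) parses the Accepted/Failed lines sshd writes in that format and ties each sshd child process back to the accepted logon whose sshd PID is its parent, so the command line can be reviewed next to the remote user and source IP. It assumes the EDR reports the per-session sshd PID as the parent; the log lines and process events are constructed.

```python
import re

# sshd auth lines as written to /var/log/secure (RHEL) or /var/log/auth.log (Debian).
SSHD_AUTH = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")

def parse_sshd_auth(lines):
    """Return one dict per sshd Accepted/Failed line; other lines are skipped."""
    found = []
    for line in lines:
        m = SSHD_AUTH.match(line)
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            found.append(rec)
    return found

def attribute_sshd_children(procs, auth_records):
    """Tie each EDR process whose parent is sshd to the accepted logon with the
    matching sshd PID. Assumes (this example's premise) that the EDR's ppid is
    the per-session sshd PID that appears in the Accepted line."""
    sessions = {r["pid"]: r for r in auth_records if r["result"] == "Accepted"}
    out = []
    for p in procs:
        if p["parent"] == "sshd" and p["ppid"] in sessions:
            s = sessions[p["ppid"]]
            out.append((s["user"], s["ip"], p["cmdline"]))
    return out

LOG = [  # constructed sample lines in sshd's real message format
    "Mar 28 10:15:02 web01 sshd[4120]: Accepted publickey for deploy from 10.0.0.9 port 40022 ssh2: RSA SHA256:REDACTED",
    "Mar 28 10:16:40 web01 sshd[4188]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2",
    "Mar 28 10:17:01 web01 CRON[4201]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Mar 28 10:18:13 web01 sshd[4230]: Accepted password for root from 10.0.0.5 port 51234 ssh2",
]
PROCS = [  # constructed EDR process events
    {"parent": "sshd", "ppid": 4230, "cmdline": "bash -c 'tar czf /tmp/etc.tgz /etc'"},
    {"parent": "sshd", "ppid": 4120, "cmdline": "/usr/bin/git pull"},
    {"parent": "cron", "ppid": 4201, "cmdline": "/usr/bin/logrotate /etc/logrotate.conf"},
]

if __name__ == "__main__":
    for user, ip, cmd in attribute_sshd_children(PROCS, parse_sshd_auth(LOG)):
        print(f"{user}@{ip} ran: {cmd}")
```

The Failed line is kept in the parsed output because a burst of failures from one source before an Accepted line is exactly the sequence the slide's "recovering logs" step is meant to surface.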
  28. Special thanks to:
     Michael Gough @hackerhurricane
     Carlos Perez @darkoperator
     JP-CERT @jpcert_en
     Matt Graeber @mattifestation
     MITRE ATT&CK @MITREattack
     SANS DFIR @sansforensics
     Matthew Dunwoody @matthewdunwoody
     FireEye @fireeye
     Jonathon Poling @JPoForenso
     STEALTHbits @STEALTHbits