SlideShare a Scribd company logo

SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event Logs

Mauricio Velazco
Mauricio Velazco

Hunting Lateral Movement with Windows Event Logs

Technology
1 of 42
Download to read offline
Hunting Lateral Movement with Windows Event Logs SANS Threat Hunting Summit 2018 Mauricio Velazco @mvelazco
$whoami ✘Peruvian ✘Recovering pentester, threat management lead ✘@mvelazco ✘Derbycon, Bsides, Defcon
1. Intro
✘Techniques that enable an adversary to access and control remote systems on a network. https://attack.mitre.org/wiki/Lateral_Movement Lateral Movement 😸
Attackers are forced to move in the environment
How? ✘Vulnerability Exploitation ✘Logon Scripts ✘Abusing application deployment software ✘Removable media ✘…… ✘Abusing Windows services/features Out of all the incident response engagements that we conducted; 100% of them involved the threat actor compromising valid credentials during the attack. https://www.fireeye.com/blog/threat-research/2015/08/malware_lateral_move.html “ ”
Windows Services used for LM ✘Server Message Block ( SMB ) ✘Service Control Manager (SCM) ✘Task Scheduler ✘Windows Management Instrumentation ( WMI ) ✘Windows Remote Management ( WinRM ) ✘Distributed Component Object Model ( DCOM ) ✘Remote Desktop
AppleScript Application Deployment Software DCOM Exploitation Logon Scripts Pass the Hash RDP Remote File Copy Remote Services Removable Media SSH Hijacking Shared WebRoot Tainted Shared Content Third party Software Win RM Windows Admin Shares (WMI, SCM, Task Sch) https://attack.mitre.org/wiki/Lateral_ Movement
2. The Events
Authentication Events ✘Account Logon -> Credential validation Occurs on the host that is authorative for the credentials ✘Logon/Logoff -> Creation & Destruction of Sessions Ocurrs on the host being accessed https://blogs.msdn.microsoft.com/ericfitz/2005/08/04/deciphering-account-logon-events/
Kerberos
NTLM
4768: Auth Tkt Requested DC Name Account Name Source Ip Keywords Account Logon Events 4769: Service Tkt Requested DC Name Account Name Service Name Client Address Keywords 4776: Credential Validation Computer Name Logon Account Source Workstation Error Code
Hunt Tip #1` ✘ Source Ip requesting TGS for several computers -> Domain Controller Logs Event=4769 And Service Name=*$ group by (Client Address ) where unique(Service Name) > [Threshold ] ✘ This behavior could represent An adversary moving laterally ( or helpdesk deploying software) Host enumeration ( file share, PowerUp Sql, etc ) Bloodhound
Hunt Tip #2` ✘ Possible Lateral Movement using NTLM -> Domain Controler Logs Event=4776 And (ComputerName=Dc1 Or …) group by (Source Workstation) Where unique(Computer Name) > [Threshold ] ✘ This behavior could represent: An adversary moving laterally using NTLM based hacking tools like: metasploit, impacket, crackmapexec, smbexec, etc
Logon/Logoff Events 4625 Computer Name Account Name Logon Type Src Workstation Name Src Network Address Status Sub Status 4624 Computer Name Account Name Logon Type Src Workstation Name Src Network Address
Hunt Tip #3` ✘ Possible Lateral Movement -> Computer Events Event=4624 Or Event=4625 And (Logon Type=3 Or Logon Type=10) group by (Src Network Address) Where unique(Computer Name) > [Threshold ] ✘ This behavior could represent: An adversary moving laterally ( or sysadmins working ) Password Spray / Brute Force Attack BloodHound
Services and Tasks ✘System Events 7045: Service Installed ✘Object Access 4698: A scheduled task was created 7045 Service Name Service File Path Service Account 4698 Account Name Task Name Task Content
TODO: WMI & WinRM ✘WMI-Activity/Trace Event 1: Start of the event sequence Event 2: Actual Event Event 3: End of the event sequence ✘Windows Remote Management Analytical Debug Operational 169: User Authentication
Hunt Tip #4: Edr For The Win ✘Services services.exe ✘WMI wmiprsve.exe ✘Windows Remote Management winrshost.exe wsmprovhost.exe ✘DCOM - MMC20 mmc.exe
Hunt Tip #4` ✘Possible Lateral Movement execution -> Sysmon Events Event=1 And (ParentImage=services.exe Or ParentImage... ... ) And (Image=cmd.exe Or Image=powershell.exe OR Image=mshta.exe Or Image=regsvr32.exe … …) 54 application whitelisting bypass techniques https://github.com/api0cradle/UltimateAppLockerByPassList
3. Oriana
Oriana 1.0 ✘Oriana is a threat hunting tool that leverages a subset of Windows events to run analytics and help defenders identify outliers and suspicious behavior in Windows environments. ○ Get-WinEvent & Export-CSV ○ Django Application, Python 2.7 ○ Bootstrap & DataTables
Oriana 1.0 Host 4624 User 7045 Service 4698 Task Wmi Event Cmdline 4625 5140
HunT 1: Services and Tasks ✘7045 & 4698 ✘Frequency Analysis on Unique Services Unique Tasks ✘Identify “Randomness” of Service Name Task Name
Hunt random: N-gram score ✘Reg expressions are based on a sample and lack context P r o d u c t W F P N e t M o n
DEMO 1
HunT 2: Possible Lateral Movement Event 4624 Type 3 4698 7045
HunT 2: Possible Lateral Movement Session ✘Assumption: Once access has been obtained, an attacker will profile or move laterally to more than one host. Group possible lateral movement events based on time ( X hour spans )
DEMO 2
Hunt 3: Outlier Users/Hosts ✘User # of unique successful authentication events # of unique failed authentication events # of unique hosts a user has authenticated to locally # of unique hosts a user has authenticated to remotely # of unique hosts a user has remotely failed to authenticate # of unique hosts a user has RDP to ✘Host # of unique users that authenticated to a host locally # of unique users that authenticated to a host remotely
DEMO 3
Hunt 4: Suspicious User Behavior
Status SubStatus Description 0xC000006D 0xC000006A Wrong password 0xc000015b 0x0 Acess denied 0xC000006D 0xC0000064 User does not exist 0xc000006e 0xc0000072 Account is disabled 4625: Status & SubStatus
SUB #1 : Privilege Enumeration ✘A user is failing to authenticate to a large number of hosts due to insufficient privileges for the requested logon type ✘This behavior could represent An adversary trying to execute remote commands ( failing ) An adversary trying to mount an administrative share An adversary enumerating privileges across the network An adversary running BloodHound (with no admin privs)
SUB #2 : High number of Destinations ✘A user is successfully authenticating to a large number of hosts ✘This behavior could represent An adversary executing code remotely An adversary enumerating privileges across the network An adversary running BloodHound (with admin privs )
SUB #3 : Roaming User ✘A user account is locally authenticating on several hosts ✘This behavior could represent Compromised credentials usage Credential sharing
SUB #4 : Local Account Spray ✘A local user account is trying to authenticating to a large number of hosts. ✘This behavior could represent An adversary moving laterally with a local account An adversary trying to brute force a local account
DEMO 4
Hunt 5: Suspicious Computer Behavior https://github.com/mvelazc0/Oriana
Oriana 1.0 ✘https://github.com/mvelazc0/Oriana Standalone Docker ! ✘https://medium.com/@mvelazco/ ✘@mvelazco
Hunting Lateral Movement with Windows Event Logs SANS Threat Hunting Summit 2018 Mauricio Velazco @mvelazco

Recommended

Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
Sergey Soldatov
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
GIBIN JOHN
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
Teymur Kheirkhabarov
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7
Teymur Kheirkhabarov
 
Understanding the Event Log
Understanding the Event LogUnderstanding the Event Log
Understanding the Event Log
chuckbt
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
Vishal Kumar
 

Recommended

Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
Sergey Soldatov
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
GIBIN JOHN
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
Teymur Kheirkhabarov
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7
Teymur Kheirkhabarov
 
Understanding the Event Log
Understanding the Event LogUnderstanding the Event Log
Understanding the Event Log
chuckbt
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
Vishal Kumar
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
Teymur Kheirkhabarov
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101
Digit Oktavianto
 
The Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageThe Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query Language
Ross Wolf
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017
HackerOne
 
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksSANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
Mauricio Velazco
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
Christopher Gerritz
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 events
Michael Gough
 
Introduction to SIEM.pptx
Introduction to SIEM.pptxIntroduction to SIEM.pptx
Introduction to SIEM.pptx
neoalt
 
MITRE ATT&CKcon 2018: ATT&CK: All the Things, Neelsen Cyrus and David Thompso...
MITRE ATT&CKcon 2018: ATT&CK: All the Things, Neelsen Cyrus and David Thompso...MITRE ATT&CKcon 2018: ATT&CK: All the Things, Neelsen Cyrus and David Thompso...
MITRE ATT&CKcon 2018: ATT&CK: All the Things, Neelsen Cyrus and David Thompso...
MITRE - ATT&CKcon
 
Windows Event Analysis - Correlation for Investigation
Windows Event Analysis - Correlation for InvestigationWindows Event Analysis - Correlation for Investigation
Windows Event Analysis - Correlation for Investigation
Mahendra Pratap Singh
 
INCIDENT RESPONSE OVERVIEW
INCIDENT RESPONSE OVERVIEWINCIDENT RESPONSE OVERVIEW
INCIDENT RESPONSE OVERVIEW
Sylvain Martinez
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
Ben Boyd
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshop
Arpan Raval
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
Sqrrl
 
What is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the BasicsWhat is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the Basics
Sagar Joshi
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
IIJ
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKTracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
MITRE ATT&CK
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
n|u - The Open Security Community
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0
Michael Gough
 
Derbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & ProfitDerbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & Profit
Mauricio Velazco
 
Bsides NYC 2018 - Hunting for Lateral Movement
Bsides NYC 2018 - Hunting for Lateral MovementBsides NYC 2018 - Hunting for Lateral Movement
Bsides NYC 2018 - Hunting for Lateral Movement
Mauricio Velazco
 

More Related Content

What's hot

The Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageThe Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query Language
Ross Wolf
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017
HackerOne
 
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksSANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
Mauricio Velazco
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKTracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
MITRE ATT&CK
 

What's hot (20)

A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101
 
The Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageThe Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query Language
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017
 
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksSANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 events
 
Introduction to SIEM.pptx
Introduction to SIEM.pptxIntroduction to SIEM.pptx
Introduction to SIEM.pptx
 
MITRE ATT&CKcon 2018: ATT&CK: All the Things, Neelsen Cyrus and David Thompso...
MITRE ATT&CKcon 2018: ATT&CK: All the Things, Neelsen Cyrus and David Thompso...MITRE ATT&CKcon 2018: ATT&CK: All the Things, Neelsen Cyrus and David Thompso...
MITRE ATT&CKcon 2018: ATT&CK: All the Things, Neelsen Cyrus and David Thompso...
 
Windows Event Analysis - Correlation for Investigation
Windows Event Analysis - Correlation for InvestigationWindows Event Analysis - Correlation for Investigation
Windows Event Analysis - Correlation for Investigation
 
INCIDENT RESPONSE OVERVIEW
INCIDENT RESPONSE OVERVIEWINCIDENT RESPONSE OVERVIEW
INCIDENT RESPONSE OVERVIEW
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshop
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
 
What is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the BasicsWhat is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the Basics
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKTracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0
 

Similar to SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event Logs

Derbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & ProfitDerbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & Profit
Mauricio Velazco
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
amiable_indian
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CanSecWest
 

Similar to SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event Logs (20)

Derbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & ProfitDerbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & Profit
 
Bsides NYC 2018 - Hunting for Lateral Movement
Bsides NYC 2018 - Hunting for Lateral MovementBsides NYC 2018 - Hunting for Lateral Movement
Bsides NYC 2018 - Hunting for Lateral Movement
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
Which Came First: The Phish or the Opportunity to Defend Against It
Which Came First: The Phish or the Opportunity to Defend Against ItWhich Came First: The Phish or the Opportunity to Defend Against It
Which Came First: The Phish or the Opportunity to Defend Against It
 
Conclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleConclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at Scale
 
Breaking the cyber kill chain!
Breaking the cyber kill chain!Breaking the cyber kill chain!
Breaking the cyber kill chain!
 
Sguil
SguilSguil
Sguil
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?
 
Protecting Your organization from WannaCry Ransomware
Protecting Your organization from WannaCry RansomwareProtecting Your organization from WannaCry Ransomware
Protecting Your organization from WannaCry Ransomware
 
Soho routers: swords and shields CyberCamp 2015
Soho routers: swords and shields CyberCamp 2015Soho routers: swords and shields CyberCamp 2015
Soho routers: swords and shields CyberCamp 2015
 
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CKPennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
 
Duck Hunter - The return of autorun
Duck Hunter - The return of autorunDuck Hunter - The return of autorun
Duck Hunter - The return of autorun
 
Nimrod duck hunter copy
Nimrod duck hunter copyNimrod duck hunter copy
Nimrod duck hunter copy
 
Disruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDisruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptx
 
Issa jason dablow
Issa jason dablowIssa jason dablow
Issa jason dablow
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
 
Understanding Malware Lateral Spread Used in High Value Attacks
Understanding Malware Lateral Spread Used in High Value AttacksUnderstanding Malware Lateral Spread Used in High Value Attacks
Understanding Malware Lateral Spread Used in High Value Attacks
 
Mitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 AitpMitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 Aitp
 
Flipping the script
Flipping the scriptFlipping the script
Flipping the script
 

More from Mauricio Velazco

PurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal AsiaPurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal Asia
Mauricio Velazco
 
BlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack Simulations
BlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack SimulationsBlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack Simulations
BlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack Simulations
Mauricio Velazco
 
Defcon 29 Adversary Village: PurpleSharp - Automated Adversary Simulation
Defcon 29 Adversary Village: PurpleSharp - Automated Adversary SimulationDefcon 29 Adversary Village: PurpleSharp - Automated Adversary Simulation
Defcon 29 Adversary Village: PurpleSharp - Automated Adversary Simulation
Mauricio Velazco
 
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
Mauricio Velazco
 
Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#
Mauricio Velazco
 
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Mauricio Velazco
 

More from Mauricio Velazco (19)

PurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal AsiaPurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal Asia
 
Detection-as-Code: Test Driven Detection Development.pdf
Detection-as-Code: Test Driven Detection Development.pdfDetection-as-Code: Test Driven Detection Development.pdf
Detection-as-Code: Test Driven Detection Development.pdf
 
BSides Panama 2022
BSides Panama 2022BSides Panama 2022
BSides Panama 2022
 
BlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack Simulations
BlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack SimulationsBlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack Simulations
BlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack Simulations
 
Defcon 29 Adversary Village: PurpleSharp - Automated Adversary Simulation
Defcon 29 Adversary Village: PurpleSharp - Automated Adversary SimulationDefcon 29 Adversary Village: PurpleSharp - Automated Adversary Simulation
Defcon 29 Adversary Village: PurpleSharp - Automated Adversary Simulation
 
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
 
BlackHat 2020 Arsenal - PurpleSharp: Adversary Simulation for the Blue Team
BlackHat 2020 Arsenal - PurpleSharp: Adversary Simulation for the Blue TeamBlackHat 2020 Arsenal - PurpleSharp: Adversary Simulation for the Blue Team
BlackHat 2020 Arsenal - PurpleSharp: Adversary Simulation for the Blue Team
 
LimaHack 2011 - Stuxnet : El arma del futuro
LimaHack 2011 - Stuxnet : El arma del futuroLimaHack 2011 - Stuxnet : El arma del futuro
LimaHack 2011 - Stuxnet : El arma del futuro
 
Peruhack 2015 - Cyberespionaje de Naciones
Peruhack 2015 - Cyberespionaje de NacionesPeruhack 2015 - Cyberespionaje de Naciones
Peruhack 2015 - Cyberespionaje de Naciones
 
PeruHack 2014 - Post Explotacion en Entornos Windows
PeruHack 2014 - Post Explotacion en Entornos WindowsPeruHack 2014 - Post Explotacion en Entornos Windows
PeruHack 2014 - Post Explotacion en Entornos Windows
 
Limahack 2010 - Creando exploits para GNU/Linux
Limahack 2010 - Creando exploits para GNU/LinuxLimahack 2010 - Creando exploits para GNU/Linux
Limahack 2010 - Creando exploits para GNU/Linux
 
Limahack 2009 - SSL no esta roto ... o si ?
Limahack 2009 - SSL no esta roto ... o si ?Limahack 2009 - SSL no esta roto ... o si ?
Limahack 2009 - SSL no esta roto ... o si ?
 
Bsides Latam 2019
Bsides Latam 2019Bsides Latam 2019
Bsides Latam 2019
 
ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...
ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...
ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...
 
Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#
 
Bsides Long Island 2019
Bsides Long Island 2019Bsides Long Island 2019
Bsides Long Island 2019
 
Bsides Baltimore 2019: Embrace the Red Enhancing detection capabilities with ...
Bsides Baltimore 2019: Embrace the Red Enhancing detection capabilities with ...Bsides Baltimore 2019: Embrace the Red Enhancing detection capabilities with ...
Bsides Baltimore 2019: Embrace the Red Enhancing detection capabilities with ...
 
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
 
LinuxWeek 2010 - Client Side Attacks
LinuxWeek 2010 - Client Side AttacksLinuxWeek 2010 - Client Side Attacks
LinuxWeek 2010 - Client Side Attacks
 

Recently uploaded

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
Overkill Security
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 

Recently uploaded (20)

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 

SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event Logs

  • 1. Hunting Lateral Movement with Windows Event Logs SANS Threat Hunting Summit 2018 Mauricio Velazco @mvelazco
  • 2. $whoami ✘Peruvian ✘Recovering pentester, threat management lead ✘@mvelazco ✘Derbycon, Bsides, Defcon
  • 4. ✘Techniques that enable an adversary to access and control remote systems on a network. https://attack.mitre.org/wiki/Lateral_Movement Lateral Movement 😸
  • 5. Attackers are forced to move in the environment
  • 6. How? ✘Vulnerability Exploitation ✘Logon Scripts ✘Abusing application deployment software ✘Removable media ✘…… ✘Abusing Windows services/features Out of all the incident response engagements that we conducted; 100% of them involved the threat actor compromising valid credentials during the attack. https://www.fireeye.com/blog/threat-research/2015/08/malware_lateral_move.html “ ”
  • 7. Windows Services used for LM ✘Server Message Block ( SMB ) ✘Service Control Manager (SCM) ✘Task Scheduler ✘Windows Management Instrumentation ( WMI ) ✘Windows Remote Management ( WinRM ) ✘Distributed Component Object Model ( DCOM ) ✘Remote Desktop
  • 8. AppleScript Application Deployment Software DCOM Exploitation Logon Scripts Pass the Hash RDP Remote File Copy Remote Services Removable Media SSH Hijacking Shared WebRoot Tainted Shared Content Third party Software Win RM Windows Admin Shares (WMI, SCM, Task Sch) https://attack.mitre.org/wiki/Lateral_ Movement
  • 10. Authentication Events ✘Account Logon -> Credential validation Occurs on the host that is authorative for the credentials ✘Logon/Logoff -> Creation & Destruction of Sessions Ocurrs on the host being accessed https://blogs.msdn.microsoft.com/ericfitz/2005/08/04/deciphering-account-logon-events/
  • 12. NTLM
  • 13. 4768: Auth Tkt Requested DC Name Account Name Source Ip Keywords Account Logon Events 4769: Service Tkt Requested DC Name Account Name Service Name Client Address Keywords 4776: Credential Validation Computer Name Logon Account Source Workstation Error Code
  • 14. Hunt Tip #1` ✘ Source Ip requesting TGS for several computers -> Domain Controller Logs Event=4769 And Service Name=*$ group by (Client Address ) where unique(Service Name) > [Threshold ] ✘ This behavior could represent An adversary moving laterally ( or helpdesk deploying software) Host enumeration ( file share, PowerUp Sql, etc ) Bloodhound
  • 15. Hunt Tip #2` ✘ Possible Lateral Movement using NTLM -> Domain Controler Logs Event=4776 And (ComputerName=Dc1 Or …) group by (Source Workstation) Where unique(Computer Name) > [Threshold ] ✘ This behavior could represent: An adversary moving laterally using NTLM based hacking tools like: metasploit, impacket, crackmapexec, smbexec, etc
  • 16. Logon/Logoff Events 4625 Computer Name Account Name Logon Type Src Workstation Name Src Network Address Status Sub Status 4624 Computer Name Account Name Logon Type Src Workstation Name Src Network Address
  • 17. Hunt Tip #3` ✘ Possible Lateral Movement -> Computer Events Event=4624 Or Event=4625 And (Logon Type=3 Or Logon Type=10) group by (Src Network Address) Where unique(Computer Name) > [Threshold ] ✘ This behavior could represent: An adversary moving laterally ( or sysadmins working ) Password Spray / Brute Force Attack BloodHound
  • 18. Services and Tasks ✘System Events 7045: Service Installed ✘Object Access 4698: A scheduled task was created 7045 Service Name Service File Path Service Account 4698 Account Name Task Name Task Content
  • 19. TODO: WMI & WinRM ✘WMI-Activity/Trace Event 1: Start of the event sequence Event 2: Actual Event Event 3: End of the event sequence ✘Windows Remote Management Analytical Debug Operational 169: User Authentication
  • 20. Hunt Tip #4: Edr For The Win ✘Services services.exe ✘WMI wmiprsve.exe ✘Windows Remote Management winrshost.exe wsmprovhost.exe ✘DCOM - MMC20 mmc.exe
  • 21. Hunt Tip #4` ✘Possible Lateral Movement execution -> Sysmon Events Event=1 And (ParentImage=services.exe Or ParentImage... ... ) And (Image=cmd.exe Or Image=powershell.exe OR Image=mshta.exe Or Image=regsvr32.exe … …) 54 application whitelisting bypass techniques https://github.com/api0cradle/UltimateAppLockerByPassList
  • 23. Oriana 1.0 ✘Oriana is a threat hunting tool that leverages a subset of Windows events to run analytics and help defenders identify outliers and suspicious behavior in Windows environments. ○ Get-WinEvent & Export-CSV ○ Django Application, Python 2.7 ○ Bootstrap & DataTables
  • 25. HunT 1: Services and Tasks ✘7045 & 4698 ✘Frequency Analysis on Unique Services Unique Tasks ✘Identify “Randomness” of Service Name Task Name
  • 26. Hunt random: N-gram score ✘Reg expressions are based on a sample and lack context P r o d u c t W F P N e t M o n
  • 28. HunT 2: Possible Lateral Movement Event 4624 Type 3 4698 7045
  • 29. HunT 2: Possible Lateral Movement Session ✘Assumption: Once access has been obtained, an attacker will profile or move laterally to more than one host. Group possible lateral movement events based on time ( X hour spans )
  • 31. Hunt 3: Outlier Users/Hosts ✘User # of unique successful authentication events # of unique failed authentication events # of unique hosts a user has authenticated to locally # of unique hosts a user has authenticated to remotely # of unique hosts a user has remotely failed to authenticate # of unique hosts a user has RDP to ✘Host # of unique users that authenticated to a host locally # of unique users that authenticated to a host remotely
  • 33. Hunt 4: Suspicious User Behavior
  • 34. Status SubStatus Description 0xC000006D 0xC000006A Wrong password 0xc000015b 0x0 Acess denied 0xC000006D 0xC0000064 User does not exist 0xc000006e 0xc0000072 Account is disabled 4625: Status & SubStatus
  • 35. SUB #1 : Privilege Enumeration ✘A user is failing to authenticate to a large number of hosts due to insufficient privileges for the requested logon type ✘This behavior could represent An adversary trying to execute remote commands ( failing ) An adversary trying to mount an administrative share An adversary enumerating privileges across the network An adversary running BloodHound (with no admin privs)
  • 36. SUB #2 : High number of Destinations ✘A user is successfully authenticating to a large number of hosts ✘This behavior could represent An adversary executing code remotely An adversary enumerating privileges across the network An adversary running BloodHound (with admin privs )
  • 37. SUB #3 : Roaming User ✘A user account is locally authenticating on several hosts ✘This behavior could represent Compromised credentials usage Credential sharing
  • 38. SUB #4 : Local Account Spray ✘A local user account is trying to authenticating to a large number of hosts. ✘This behavior could represent An adversary moving laterally with a local account An adversary trying to brute force a local account
  • 40. Hunt 5: Suspicious Computer Behavior https://github.com/mvelazc0/Oriana
  • 42. Hunting Lateral Movement with Windows Event Logs SANS Threat Hunting Summit 2018 Mauricio Velazco @mvelazco