When I published my last blog post I was reading twitter and saw someone comment on how difficult it is to detect lateral movement. While I agree with this, I think there are many things you can do with regards to hunting to help better find this. Stepping back for a second and looking at the problem we can say that there are many different tools that can be used and many avenues that can be taken to facilitate someone moving through your internal network, but there are also common things that will happen. Figuring out what the common things are will better help you devise a hunting strategy and hopefully make the time you devote to hunting more successful. Looking specifically at lateral movement we can say the following will occur.
- Processes will be spawned
- Authentication will occur
We can also say that it may be probable that tools will be moved across the network to facilitate recon, privilege escalation, lateral movement, data packaging and exfiltration.
Using windows event logs I would like to describe some of the different ways you can take advantage of these common things and begin to look for lateral movement. I also like to focus on servers as this is where you will often see this activity.
When an adversary executes tools that they brought in with them they probably won’t execute these hundreds of times a day across your environment, but as they move from machine to machine they may execute some or all of the tools on the host they just gained access to. This will likely limit the number of times a day you will see these tools executed. Using the windows event logs and focusing on event codes 4688/592, you can stack the output by process and look at rare in a 24 hour period. When analyzing this data ask yourself:
- Are there legitimate file names in odd directory paths?
- Are there file name misspellings of legitimate executables?
- Does the owner of the process seem correct?
- What is the role of the server that the process is executing on?
- Does the process name just look weird for some reason? (don’t discount hunches)
If you identify any suspicious processes can you prove that it’s legitimate or likely legitimate based on the file path, parent/child process or history of execution against a longer period of time?
As an adversary moves from machine to machine they will often want to know things like: who they are, what level of access do they have, what services are running on the machine, what other machines are around them… They will often determine this by using legitimate windows binaries. When determining this information they will typically do this in minutes vs hours regardless if they are using a script or typing the commands on a command line. Knowing this, we can use it to our advantage. Again focusing on windows event logs and focusing on event codes 4688/592 try to identify the following:
- Net.exe, ipconfig.exe, whoami.exe, nbtstat.exe...
- Cluster x number of processes executing within a 10 minute time frame.
For the data the get’s returned:
- identify the parent process and if it’s legitimate?
- What additional processes have executed on the machine within a 1 hour period and do any of those look suspicious? If there are, are they owned by the same user?
- Are these spawned by the same process or process name?
- Are these processes all owned by the same user?
- Is there previous history of this activity?
As an intruder moves tools around your network, or even executes tools from a remote machine, these will often be copied to an administrative share (ADMIN$, IPC$, C$). If Windows Detailed File Share Auditing is enabled we can identify file writes to these shares. Note: This is not recommended for all server roles. Read the documentation before enabling. To view these logs use windows event code 5145 and stack based on file name. When analyzing these logs it may help to identify the following:
- Number and names of files copied from same source.
- User that copied the files and past history.
When attackers are moving through your network they won’t be exploiting some vulnerability in every machine they gain access to and popping a shell, but rather will be using legitimate credentials to login to these machines. We can start looking for malicious logon activity by focusing on windows event id’s 4624 type 3, 4625 type 3 and 4648. Some things to look for when reviewing these logs are:
- Server to server communication.
- Same source to multiple destinations.
- Short session times for successful authentication.
- Failed authentication from same source to multiple destinations with multiple legitimate administrative accounts.
What I’ve described above are a few ways that you can look at windows event logs to try and identify those common things related to lateral movement. This is in no way a complete list, but rather a way to get you thinking about different ideas that you can use to tackle this problem. If you have other techniques that you use to devise a strategy I would love to hear them. By sharing I believe we all get better.