After obtaining an initial foothold on an environment, attackers are forced to embark in lateral movement techniques in order to be successful in identifying and exfiltrating sensitive information. To stay ahead of the bad guys, the Blue team needs to have a clear understanding of these techniques as well as the forensic artifacts these techniques leave behind on the victim hosts. Armed with this knowledge, we can proactively hunt for lateral movement in the environment before exfiltration can occur. This presentation will analyze Lateral Movement from both a Red and Blue team perspective and introduce Oriana, a lateral movement hunting tool that can assist the Blue team in catching the adversary.
5. ✘Techniques that enable an adversary to access and control remote
systems on a network.
https://attack.mitre.org/wiki/Lateral_Movement
Lateral Movement
😸
10. How is it done?
✘Vulnerability Explotation
✘Logon Scripts
✘Abusing application deployment software
✘Removable media
✘Abusing legitimate Windows features
Out of all the incident response engagements that we conducted; 100% of them involved the threat
actor compromising valid credentials during the attack.
https://www.fireeye.com/blog/threat-research/2015/08/malware_lateral_move.html
“
”
11. abusing Windows Services
✘Network
TCP/135 & Random - RPC
TCP/445 – SMB & RPC over SMB (svcctl named pipe)
✘Native
sc host create badService binpath= “c:bad.exe” &&
sc host start badService
Invoke-PsExec –CN host –C “bad.exe” –SN badService
✘Other
psexec.exe host –u user –p pass cmd.exe
usemodule lateralmovement/invoke_psexec
use exploit/windows/smb/psexec_psh
psexec.py domain/user@host cmd.exe
smbexec.py domain/user@host cmd.exe
paexec.exe –u user –p pass cmd.exe
29. ✘4776
Who is using NTLM authentication on the domain ?
Anyonw using pentesting tools ? Metasploit, crackmapexec, impacket...
Who is using Local Accounts ?
✘4769 - Kerberos service ticket was requested
Lateral Movement
Anyone running BloodHound ?
30. System Events
✘Security System Extension
7045: Service Installed
7036: Service entered running state
✘Fields
Service Name
Cmdline !
32. Object Access
✘Other Object Access Events
4698: A scheduled task was created
4699: A scheduled task was deleted
✘Fields
Task Name
Cmdline !
Parameters
45. Oriana 1.0
✘Use only Windows event logs as
input: 4624, 7045, 4698, Wmi 2
✘Provide visibility
✘Identify potential LM events
WMI, Services, Tasks
TO DO: WinRM, DCOM
✘Ability to pivot through data points
51. Visibility
✘Detailed views for
Host
User
Service
Task
✘Perform basic calculations
# of unique hosts a user has authenticated to locally
# of unique hosts a user has authenticated to remotely
# of unique users that authenticated to a host locally
# of unique users that authenticated to a host remotely
58. Future Work
✘Ingest other events
4625 Failed Logon
5140 File Share
4688 Process Creation
4648 Explicit Credentials
✘User fields for frequency
analysis and analytics
Source IP/Host
✘LDAP Integration
✘Use Logon Id as a foreign key
✘Ideas ?
@mvelazco