Section 2.3: Intrusion Analysis: Lateral Movement Tactics

Question 1

Name 2 methods of lateral movement through malware copying and how is it beneficial to adversary.

Answer 1

Remote Desktop Services (RDP, VNC & Teamviewer) and Windows Admin shares. It helps them have tools on the remote system to do the techniques they need to do. Definitely expect RunAs logs on source systems.

Question 2

Registry locations to analyze source RDP artifacts

Answer 2

Mstsc.exe artifact:
[System] Shimcache, BAM/DAM
[NTUSER.DAT] UserAssist, RecentApps
[AmCache]
–To track RDP destinations: NTUSER\Software\Microsoft\Terminal Server Client\Servers (Default.rdp file)

Question 3

Filesystem locations to analyze source RDP lateral movement

Answer 3

Jumplists- \Users\AppData\Roaming\Microsoft\Recent\AutomaticDestinations folder
Prefetch- mstsc.exe
Bitmap- \Users\AppData\Local\Microsoft\Terminal Server Client\Cache folder

Question 4

Name tools to parse the registry and bitmap files

Answer 4

RegRipper for registry, and bmc-tools.py for bitmap.

Question 5

Where can I find Teamviewer in the filesystem?

Answer 5

Under Program Files

Question 6

How can I block RDP?

Answer 6

For domain admin and service accounts, use Active Directory “Deny logon through Remote Desktop Services”. At host level, disable it and place firewall as well to deny inbound connections.

Question 7

Registry and filesystem locations to analyze destination RDP lateral movement

Answer 7

Registry:
Rdpclip.exe & tstheme.exe-
[Shimcache] [Amcache]
Filesystem:
Rdpclip.exe & tstheme.exe-
[Prefetch]

Question 8

What are the Windows share artifacts and give description about them

Answer 8

C$ shares drive volumne, Admin$ shares Windows folder, and IPC$ shares commonly used named pipes

Question 9

What operational log can I identify failed logons with map sharing?

Answer 9

Microsoft-Windows-SmbClient%4Security.evtx. Event ID 31001

Question 10

Registry locations to analyze source map sharing lateral movement

Answer 10

Net.exe & net1.exe:
[Shimcache][BAM/DAM][Amcache]
Look into shellbags- USRCLASS.DAT
Look into MountPoints2- NTUSER\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Question 11

Filesystem locations to analyze for source map sharing lateral movement

Answer 11

Net.exe & net1.exe:
[Prefetch]

Question 12

When looking into where the adversary went by observing MountPoints2, where else can I look to see what folders were accessed?

Answer 12

Shellbags

Question 13

Since mapping is done through the source system, what command is used?

Answer 13

Net use

Question 14

What type of logs are likely to be seen at destination system for map sharing?

Answer 14

SMB, NTLM protocol, and Kerberos protocol logs.

Question 15

Filesystem locations to analyze destination map sharing lateral movement

Answer 15

File creation since malware is copied to the destination system. Look at modified timestamp before creation timestamp since creation is made at the time of copying.

Question 16

What is required to do remote access for map sharing?

Answer 16

Domain admin priviledges or the built-in RID 500 account.

Question 17

Name the execute malware commands methods used by adversaries to laterally move.

Answer 17

PsExec, Remote Management tools, Powershell Remoting, WMIC, vulnerability exploitation, and application deployment software.

Question 18

Registry locations to analyze source PsExec for lateral movement

Answer 18

NTUSER.DAT- Software\SysInternal\PsExec\EulaAccepted
PsExec.exe:
[Shimcache][BAM/DAM][Amcache]

Question 19

Filesystem locations to analyze source PsExec lateral movement

Answer 19

Psexec.exe
[Prefetch][Memory][Download]

Question 20

When looking at the destination system for psexesvc.exe, what alternative logon Type can be found if the user adds “-u” command in the psexec.exe command?

Answer 20

Type 2 instead of 3. It will also create user profile and store tokens (a vulnerability if the tool is being used legitimately).

Question 21

Psexesvc.exe will always start a what on its destination system?

Answer 21

A service. Look for its logs as well to track them.

Question 22

Describe what is going on in this command: psexec.exe \host -accepteula -u -e -d -c c:\temp\evil.exe

Answer 22

Source system ran psexec to host. It accepted eula so expect that on destination registry. “-u” will create user profile and “-e” will omit it (both optional). “-d” doesn’t wait for process termination. “-c” copies whatever file. Make sure to see the file timestamp to see connections to the psexec tool.

Question 23

In the destination system what object in memory analysis can I track the named pipes for psexesvc.exe?

Answer 23

Handles. The pipe will include the psexesvc name but adversaries can change it to whatever they please if they add “-r” to psexec command.

Question 24

Registry locations to analyze destination psexesvc lateral movement.

Answer 24

SYSTEM\CurrentControlSet\Services\PSEXESVC (-r command will change the name)
Psexesvc.exe:
[Shimcache][Amcache]

Question 25

Filesystem locations to analyze for destination psexesvc lateral movement

Answer 25

New user profile created if “-e” wasnt omitted.
Psexesvc.exe:
[Prefetch]
-find binary inside Windows folder thanks to Admin$

Question 26

Name the Windows Remote Management tools that can be used for lateral movement.

Answer 26

Sc (services)
at & schtasks (scheduled tasks)
reg (remote registry)
winrs (execute remote commands)

Question 27

What is going on in this command: sc \host create servicename binpath= “c:\temp\evil.exe”

Answer 27

A service was created at the remote system called evil.exe.

Question 28

What is going on in this command: at \host 13:00 “c:\temp\evil.exe”

Answer 28

A job or task is going to run evil.exe on the remote system at 1:00pm.

Question 29

What is going on in this command: winrs -r:host -u:user [command]

Answer 29

A remote system was logged into by a n available user to run commands. Search for winrshost.exe on remote system.

Question 30

What is going on in this command: reg add \host\HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Data /t REG_SZ /d “C:\evil.exe”

Answer 30

A remote registry was added to remote system to run evil.exe as an AutoStart.

Question 31

Windows Remote Services tool source registry and filesystem locations to analyze for lateral movement.

Answer 31

Registry:
sc.exe:
[Shimcache][BAM/DAM][Amcache]
Filesystem:
sc.exe:
[Prefetch]

Question 32

Windows Remote Services tool destination registry and filesystem locations to analyze for lateral movement.

Answer 32

Registry:
\CurrentControlSet\Services\, [Shimcache][Amcache]
Filesystem:
[File Creation][Prefetch]

Question 33

Windows Remote Scheduled Tasks’ source registry and filesystem locations to analyze for lateral movement.

Answer 33

Registry:
at.exe & schtasks.exe
[Shimcache][BAM/DAM][Amcache]
Filesystem:
at.exe & schtasks.exe
[Prefetch]

Question 34

Windows Remote Scheduled Tasks’ destination event, registry, and filesystem locations to analyze for lateral movement.

Answer 34

For event: TaskSchedule%4Operational
Registry:
-Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tasks
-Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tree\
[Shimcache][Amcache]
Filesystem:
- \Windows\Tasks, \System32\Tasks
at.exe & schtaskts.exe
[Prefetch]

Question 35

Registry and filesystem locations to analyze source WMI lateral movement.

Answer 35

Registry:
wmic.exe:
[BAM/DAM][Shimcache][Amcache]
Filesystem:
wmic.exe
[Prefetch]

Question 36

What command should analyst be on the lookout for when WMI remoting is being used?

Answer 36

“Process call”. It is similar concept to PsExec except it doesnt create a service.

Question 37

What event log can I look to look for WMI activity?

Answer 37

Microsoft-Windows-WMI-Activity%4Operational.evtx
Event Log IDs: 5857, 5860, & 5861

Question 38

Registry locations to analyze destination WMI lateral movement

Answer 38

scrcons.exe, mofcomp.exe, wmiprvse.exe:
[Shimcache][Amcache]

Question 39

Filesystem locations to analyze destination WMI lateral movement

Answer 39

• C:\Windows\System32\wbem\Repository (use Powershell to audit for changes)
  File creation: evil.mof
  scrcons.exe, mofcomp.exe, wmiprvse.exe
  [Prefetch]

Question 40

What source event logs can I look up to find Powershell lateral movement?

Answer 40

WinRM&4Operational.evtx:
Event Log IDs: 6, 8, 15, 16, 33
Powershell%4Operational.evtx:
40691,40692, 8193, 8194, 8197

Question 41

Registry and filesystem locations to analyze source Powershell lateral movement

Answer 41

Registry:
Powershell.exe:
[Shimcache][Amcache][BAM/DAM]
Filesystem:
Powershell.exe:
[Prefetch]
Search for consoleHost_history.txt (records 4100 PS commands that were typed).

Question 42

What event log files can I use in the destination system to track powershell lateral movement.

Answer 42

Powershell&4Operational.evtx
4103, 4104, 53504
Windows Powershell.evtx
400/403, 800
Windows-WinRM&4Operational.evtx
91, 168

Question 43

Registry and filesystem locations to analyze destination Powershell lateral movement.

Answer 43

Registry:
Microsoft\Powershell\1\ShellIds\Microsoft.Powershell\ExecutionPolicy
wsmprovhost.exe
[Shimcache][Amcache]
Filesystem:
wsmprovhost.exe
[Prefetch]

Question 44

Why would adversaries have an objective to target the patch management systems?

Answer 44

They will be able to use application deployment software to distribute patches that can be malware to systems at a mass scale.

Question 45

How can an adversary target the patch management system in a cloud infrastructure?

Answer 45

Instead of it being a patch system, it is a cloud control panel. They can control and distribute anything they want through there, even delete data.

Question 46

How can an analyst monitor patch management/cloud control panel systems?

Answer 46

Accounts for these systems must be heavily monitored, creating unique accounts that aren’t domain can help, and deploying patches on known specific days or times can help identify deployments outside of routine.

Question 47

What are vulnerability exploits?

Answer 47

Applications that have been discovered that have vulnerabilities that can provide adversaries shell access or remote code executions.

Question 48

What are Remote Access Tools (RAT) and why is this malware used for lateral movement?

Answer 48

RAT tools are used by adversaries instead of LOTL tools simply because they offer faster lateral movement if they have discovered a vulnerability in the enterprise that allows them to run. They don’t trigger account logons since creds aren’t dumped.

Question 49

What are some examples of RAT tools

Answer 49

Poison Ivy, PlugX, Gh0stRat, webshells, Metasploit Meterpreter, and Cobalt Strike’s Beacon.

Question 50

What are some effective ways to detect malware-based lateral movement?

Answer 50

Watch for system crashes recorded in event logs. A/V, HIPS, and Exploit Guard can be effective as well. It also helps to monitor new processes in the logs.