Thursday, May 28, 2015

Detecting Lateral Movement

Almost two years ago, I posted this article that addressed how to track lateral movement within an infrastructure.  At the time, I'd been using this information successfully during engagements, and I still use it today.

This morning, I saw this video from Rapid7, and I thought that Mike did a great job with the presentation.  Mike made some very good points during his presentation.  For example, "SMB" is native to a Windows infrastructure, and with the right credentials, an adversary can go just about anywhere they please.

There were some things missing in the presentation, some caveats that need to be mentioned; I do understand that they were likely left out for the sake of time.  However, they are important.  For example:

Security-Auditing/4698 events - Scheduled Task creation; under Advanced Security Audit Policy settings, for Object Access, you need to have Audit Other Object Access Events enabled for this event to appear in your Windows Event Logs.

Security-Auditing/4697 events - Service installation; similar to the previous event, systems are not configured to audit for service creation via the Security Event Log by default.

So, the take-away here is that in order for these (and other) events to be useful, what admins need to do is properly configure auditing on systems, as well as employ a SIEM with some sort of filtering capability.  Increasing auditing alone will not be useful...I've seen that time and time again when an incident is identified; auditing is ramped up suddenly, and the Security Event Logs start filling up and rolling over in a matter of a few hours, causing valuable information to be lost.  The best thing to do is to enable auditing that makes sense within your infrastructure ahead of time, employing the appropriate settings (what to audit, increasing the default size of the Windows Event Log files, etc.) before an incident occurs.
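A filter of the kind a SIEM would apply to these records, keyed on source/ID pairs (the two above plus the Service Control Manager records raised in the comments) rather than on the event ID alone. This is an added example, not code from the original post; the record layout, the `ExampleVendor-Agent` source and every sample record are constructed for illustration.

```python
from collections import namedtuple

# Assumed record layout; a real export will carry more fields.
Event = namedtuple("Event", "time computer provider event_id detail")

# Source/ID pairs named on this page, with what each one records.
WATCHLIST = {
    ("Security-Auditing", 4698): "scheduled task created",
    ("Security-Auditing", 4697): "service installed",
    ("Service Control Manager", 7045): "service installed",
    ("Service Control Manager", 7035): "service sent a control request",
}

def normalise(provider):
    """Reduce 'Microsoft-Windows-Security-Auditing' to the short form used above."""
    prefix = "Microsoft-Windows-"
    return provider[len(prefix):] if provider.startswith(prefix) else provider

def match_pairs(events):
    """Timeline of (event, meaning) for events whose source/ID pair is watched."""
    hits = []
    for e in events:
        key = (normalise(e.provider), e.event_id)
        if key in WATCHLIST:
            hits.append((e, WATCHLIST[key]))
    return sorted(hits, key=lambda h: h[0].time)

def match_ids_only(events):
    """Naive filter on the event ID alone, kept for comparison."""
    ids = {event_id for _, event_id in WATCHLIST}
    return [e for e in events if e.event_id in ids]

# Constructed sample records (hosts, times, names and details are invented).
SAMPLE = [
    Event("2015-05-28T10:02:11", "WKS01", "Service Control Manager", 7045, "ExampleSvc"),
    Event("2015-05-28T10:01:40", "WKS01", "ExampleVendor-Agent", 7045, "heartbeat"),
    Event("2015-05-28T10:05:37", "SRV02", "Microsoft-Windows-Security-Auditing", 4698, r"\ExampleTask"),
    Event("2015-05-28T10:03:05", "WKS01", "Microsoft-Windows-Security-Auditing", 4624, "logon"),
    Event("2015-05-28T10:04:52", "SRV02", "Service Control Manager", 7035, "ExampleSvc"),
]

if __name__ == "__main__":
    for ev, meaning in match_pairs(SAMPLE):
        print(ev.time, ev.computer, f"{normalise(ev.provider)}/{ev.event_id}", meaning, ev.detail)
    print("ID-only hits:", len(match_ids_only(SAMPLE)), "pair hits:", len(match_pairs(SAMPLE)))
```

The ID-only filter also returns the unrelated 7045 record from the constructed third-party source, which the pair filter drops.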

Also, consider the use of MS's Sysmon, sending the collected data to a SIEM (Splunk??).  Monitoring process creation (including the command line) is extremely valuable, and not just in incident response.  For IR, having the process creation information available (along with a means to monitor it in a timely manner) reduces IR engagements from days or weeks to hours or even minutes.  If setting up Sysmon, Splunk, and filters is too daunting a task, consider employing something like Carbon Black.

Thanks to Rapid7 for sharing the video...it's some great information.

Resources
Description of Security Events in Windows 7/Windows Server 2008 R2



5 comments:

Anonymous said...

My organization pumps Sysmon logs into Splunk. It's awesome and very easy to create alerts to triage. You just need good analysts that know "bad" from "good".

Anonymous said...

Hi guys,

About the video, you can use the system event ID 7035 to detect the execution of PSEXECSVC because it was enabled by default.

H. Carvey said...

Exactly. I'd also look for "Service Control Manager/7045" records, indicating the installation of the service.

Also, keep in mind that using just the event ID can be misleading. For example, Google for "event ID 4001", and you'll see multiple events, all with different sources.

Teck0 said...

You will find below a good presentation about lateral movement on Windows:

https://www.first.org/resources/papers/conference2014/a-forensic-analysis-of-apt-lateral-movement-in-windows-environment.pptx

H. Carvey said...

Teck0,

Thanks for the link...the presentation provides a good deal of very useful information, but at the same time, misses a lot of the more common stuff.

Also, something that I noticed is that there are descriptions of several non-default event records to look for in the Windows Event Log. This is good, for completeness.

All in all, I would've spent less time showing things in EnCase and more in a timeline. Otherwise, it's a good presentation. Thanks.