Advance Persistent Threat – Lateral Movement Detection in Windows Infrastructure – Part I
Techniques to detect Lateral Movement in the Windows Systems
In this article, we will focus on the conventional techniques being used by the threat actors to move laterally across the network and ways to detect those on the windows system.
An adversary hops from system to system they often try to get information such as which user they currently running with, what level of access they have, what services running on the system and what are the other systems around. To achieve this, they often use windows legitimate binaries; these tools may vary attack to attack, but the strategy remains same.
Considering the above strategies for lateral movement, we can say that the following things will occur
- Spawned Processes
- Authentication and Privileged User Accounts
It is also proven that tools will be moved across the network to facilitate recon, privilege escalation, data packaging, and exfiltration.
Spawned Processes:
Process Spawning as per Wikipedia: Spawn in computing refers to a function that loads and executes a new child process. The current process may wait for the child to terminate or may continue to execute concurrent computing. Creating a new subprocess requires enough memory in which both the child process and the current program can execute.
a) Process Execution (.exe)
As we have discussed earlier in this document while moving from machine to machine threat actors gathers intelligence, and they often determine this by using legitimate windows binaries.
Below are some standard programs that an adversary may utilize
- net.exe
- ipconfig.exe
- whoami.exe
- nbtstat.exe
- powershell.exe
- wmic.exe
To utilize these windows programs, threat actors start these programs from another application program that they have exploited and have control over such as Internet Explorer, macro-laden word document. They will typically do this in minutes vs. hours regardless if they are using a script or typing the commands on a command line.
So, the question is how do we detect these activities? Here come the Windows Event Logs to rescue organizations from these advanced persistent threats.
Event ID - 4688: A new process has been created.
Event 4688 documents each program that is executed that the program ran as and the process that started this process. By default, this audit policy for process tracking is disabled in the windows; we must enable it from windows local security policy to make full use of this process tracking audit while detecting lateral movements across the network. The illustration below depicts the local security policy with Audit process tracking enabled.
Event ID - 4688 is being used to capture process information as illustrated in below screenshot
By looking at the event description, we can gather a fair bit of information, below listed are some of the critical fields for Event ID 4688. Read more on the windows events at https://www.ultimatewindowssecurity.com/
Security ID: The SID of the account.
Account Name: The account login name.
New Process ID: A semi-unique number that identifies the process. Process ID (PID) allows you to correlate other events logged during the same process. To determine when the program ended look for a subsequent event 4689 with the same Process ID.
New Process Name: The full path of the executable
Token Elevation Type: This is useful for detecting when users are running under User Account Control consent to running a program with admin authority - look for Type 2.
Creator Process ID: Identifies the processes that started this process. Look for a preceding event 4688 with a New Process ID that matches this Creator Process PID.
Creator Process Name: This is useful field documents the name of the program that started this new process.
Process Command Line: If enabled this field documents the command line arguments (including any passwords) passed into the EXE when the process was started.
Microsoft in its latest Windows systems released additional fields to the Event ID 4688 that is "Creator Process Name" which shows parent process name. This has made the investigator's life easy since earlier to identify the parent process we had to manually co-relate the PIDs in the 4688 event IDs.
With the help of windows event logs and focusing on event ID 4688, we can look at the process information and analyze data tasks below such as
- If the process ran is legitimate and the path of the executable
- If the owner of the process seemed genuine and supposed to execute this process
- Role of the machine on which the process was executed
- If the parent/creator process name is legitimate and supposed to execute child process
- Does the same process spawn these
- If all the spawned process and parent process owned by the same user
We can use it to our advantage and identify the following, that we help detect the threat actor early in the attack lifecycle:
- Net.exe, ipconfig.exe, whoami.exe, nbtstat.exe, pwershell.exe, wmic.exe, Cscript.exe etc.
- Stack x number of processes executing within a time window.
To demonstrate this, I have created a sample excel macro file (you can get it from here) which opens the command prompt and hit the command net.exe users. After running this excel macro below event has been generated by windows security audit. Illustration below
In above illustration we can clearly see that the new process with the name "C:WindowsSystem32cmd.exe" has been created with owner account name "Suresh Khutale," and creator process name is "C:Program FilesMicrosoft OfficerootOffice16EXCEL.EXE".
The new process created in turns call another process that is "C:WindowsSystem32net.exe" which we had used in our command net.exe users. Also, looking at created PID, we can correlate the things
From the above illustrations, it confirmed that with the help of Windows security events we could observe the authenticity of the process spawned, investigate them and track down the activities performed on the system are done by the legitimate user or by the threat actors.
b) Local Accounts and Groups:
Further, in most common lateral movement techniques, threat actor often looks at what are the local groups on the system to enumerate the membership, what all other users are there and which groups they belong to on the system they first compromised. Normal users usually do not look at or try to enumerate that kind of information. As we know every windows system or server has local groups, we can look at those groups and members of the group using computer management illustrated in the below screenshot
As illustrated in the above screenshots, by looking at local groups and user accounts, we can gather lots of information about the group members, kind of privileges they having and what groups are important, that helps the threat actor to move further. Here, we are using computer management (aka- Microsoft Management Console) to see this information, but in a real attack scenario, a threat actor may use scripts, PowerShell commands or window APIs to gather this information.
Windows has released some new events and added some new fields in the latest versions which help in identifying the activities being performed by the threat actor early in the attack lifecycle. Windows normally generates security events if somebody is trying to enumerate local group information, be it with Microsoft management console (MMC) or with command line, PowerShell scripts.
Event ID – 4799: Local group membership enumeration
Microsoft Windows generates event ID 4799 when someone tries to enumerate the local group membership. In below illustration, we will look at the local group members enumerated with MMC and the Event ID is generated for the same.
As you can see in the first screenshot, I had accessed administrators group properties with computer management (MMC) interface. The second screenshot clearly illustrates that security event been generated with ID 4799. As we can observe that in the Subject section "Security ID: DomainSuresh Khutale" that depicts that logged in user "Suresh Khutale" has enumerated the local group membership for group name "Administrators" can be seen in the group section. The process with which this activity performed is captured under process information that is "C:WindowsSystem32mmc.exe", this process/application is nothing but our Microsoft Management Console/ Computer Management.
Event ID – 4798: User's local group membership enumeration
This is the opposite of what we have seen in above scenario; here threat actor would look at the user's local group membership and try to find out what all groups that user is part of. Let's look at below illustration and understand
As we can see in the above illustration when someone tries to access the user's properties such as membership, windows generate security event ID 4798. The second screenshot depicts that logged in user "Suresh Khutale" has enumerated group membership for account name "Administrators" with the use of process mmc.exe.
We can say that these activities or events generated are legitimate since the process used to enumerate local group information is mmc.exe. In a real-world scenario where threat actors use Remote Access Trojan (RAT), which make use of windows utilities or tools to gather this intelligence such as PowerShell scripts. So, if we find any event ID 4798 or 4799 with process name which looks suspicious such as "C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" then we need to raise the alert and investigate further.
That is it for this article, in next article we will be looking at the second technique that is analyzing security event logs in windows for Authentication and Privileged User Account Activities to detect lateral movement. We will also be covering the standard tools being used by the threat actors to spread across the targeted network.
Conclusion:
Lateral movement is a critical stage of the sophisticated attack. Detecting lateral movement is difficult but not impossible, it is within reach. An adversary gather intelligence about the network and assets; they make use of the legitimate administrative tools or programs; related activities can be detected via monitoring tools and a robust, in-depth defense strategy. Windows auditing can capture these activities of the threat actor if appropriate policies are in place.
For large organization tracking these events always makes noisy, since the lots of logs being generated and the number of false positives which makes it more difficult. To cope with this challenge organization may use the commercial solutions available and fine-tune the rule set, which would help in detecting the lateral movement early in the attack lifecycle.
In this article, we have discussed ways to identify the common things related to lateral movement with the help of windows event logs. This is in no way a complete list; however, it gives ideas you can utilize to detect lateral movement anomalies.
References:
https://findingbad.blogspot.in/2016/08/hunting-lateral-movement.html
https://attack.mitre.org/wiki/Lateral_Movement
https://cyber-ir.com/2017/06/19/detecting-lateral-movement-through-event-logs/
http://about-threats.trendmicro.com/cloud-content/us/ent-primers/pdf/tlp_lateral_movement.pdf
https://www.jpcert.or.jp/english/pub/sr/ir_research.html
https://www.smokescreen.io/wp-content/uploads/2016/08/Top-20-Lateral-Movement-Tactics.pdf
https://www.smokescreen.io/lateral-movement-detection/
https://attack.mitre.org/wiki/Lateral_Movement
http://searchsecurity.techtarget.com/definition/advanced-persistent-threat-APT
https://blog.acalvio.com/wannacry-ransomware-analysis-lateral-movement-propagation
11 courses, 8+ hours of training
http://searchsecurity.techtarget.com/definition/RAT-remote-access-Trojan