Research Report Released: Detecting Lateral Movement through Tracking Event Logs
JPCERT/CC has been seeing a number of APT intrusions where attackers compromise a host with malware then moving laterally inside network in order to steal confidential information. For lateral movement, attackers use tools downloaded on infected hosts and Windows commands.
In incident investigation, traces of tool and command executions are examined through logs. For an effective incident investigation, a reference about logs recorded upon tool and command executions would be useful.
JPCERT/CC conducted a research on typical tools and commands that attackers use after intrusion, and traces that they leave on Windows when executed. The result of the research is available on the report below:
Detecting Lateral Movement through Tracking Event Logs
https://www.jpcert.or.jp/english/pub/sr/ir_research.html
This entry will introduce the overview of the report.
Intended Audience
This report is designed for technical staff including those responsible for initial investigation of incidents. Even without forensic software or knowledge in forensics, readers capable of examining event logs and registry entries can understand the contents.
Tools and Commands
44 typical tools and commands have been featured on the report (as described in Appendix A) based on what JPCERT/CC has seen in multiple incident cases. Since these tools and commands are used by multiple attackers, it is likely that analysts encounter some of them during incident investigation.
Need for Detailed Logs
Under the default configuration of Windows, many of these tools and commands are not logged. In order to investigate what attackers did during the incident, preparation for log retention is necessary. The report describes how to record tools and command executions by setting audit policy and installing Sysmon. Other than the methods explained in the report, it is also possible to collect such logs with audit applications or EDR products.
Way Forward
We are planning to examine other tools and commands as well. In addition to event logs and registry entries, we will also look into forensic artifacts such as MFT and journal files.
We welcome any feedback from you at global-cc [at] jpcert.or.jp.
- Shusei Tomonaga
(Translated by Yukako Uchida)
Appendix A: Examined Commands and Tools
| Attacker's Purpose of Using Tool | Tool |
|---|---|
| Command execution | PsExec |
| wmic | |
| PowerShell | |
| wmiexec.vbs | |
| BeginX | |
| winrm | |
| at | |
| winrs | |
| BITS | |
| Obtaining password hash | PWDump7 |
| Quarks PwDump | |
| mimikatz | |
| WCE | |
| gsecdump | |
| lslsass | |
| Find-GPOPasswords.ps1 | |
| Mail PassView | |
| WebBrowserPassView | |
| Remote Desktop PassView | |
| PWDumpX | |
| Malicious communication relay (Packet tunneling) |
Htran |
| Fake wpad | |
| Remote login | RDP |
| Pass-the-hash Pass-the-ticket |
WCE |
| mimikatz | |
| Escalation to SYSTEM privilege | MS14-058 Exploit |
| MS15-078 Exploit | |
| Privilege escalation | SDB UAC Bypass |
| Capturing domain administrator rights account |
MS14-068 Exploit |
| Golden Ticket (mimikatz) | |
| Silver Ticket (mimikatz) | |
| Capturing Active Directory database (Creating a domain administrator user or adding it to an administrator group) |
ntdsutil |
| vssadmin | |
| Adding or deleting a user group | net user |
| File sharing | net use |
| net share | |
| icacls | |
| Deleting evidence | sdelete |
| timestomp | |
| Deleting event log | wevtutil |
| Obtaining account information | csvde |
| ldifde | |
| dsquery |
