Research Report Released: Detecting Lateral Movement through Tracking Event Logs (Version 2)
In June 2017, JPCERT/CC released the report “Detecting Lateral Movement through Tracking Event Logs”, which describes the tools and commands attackers are likely to use for lateral movement and the traces their execution leaves on Windows. We received a lot of feedback after the release and have since been revising the report based on those comments. Today, we are happy to announce that the updated report is available.
Detecting Lateral Movement through Tracking Event Logs (Version 2)
Tool Analysis Result Sheet
Here is a quick summary of the update.
This report is intended for incident investigation and explains which logs are recorded and which files are created when tools and commands commonly used for lateral movement are executed. While the previous version focused mainly on event logs and registry entries, this revision also takes forensic investigation into account and describes what to examine in the USN Journal, AppCompatCache and UserAssist. The other updates are as follows:
- Verification using Windows 10
- Verification using Sysmon version 5
- Added evidence to investigate
  - USN Journal, AppCompatCache, UserAssist etc.
- Investigation of network communication
  - Proxy, firewall etc.
- Added/replaced attack tools to examine
- Report released in HTML format
Please see Appendix A for the list of 49 tools/commands that are covered in this report.
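To make the evidence types named above concrete, here is an added example (not code from the JPCERT/CC report or its Tool Analysis Result Sheet) that pulls the traces of one tool from a live Windows 10 host: Sysmon and Security event logs, the USN Journal, AppCompatCache (ShimCache) and UserAssist. The `$ToolName` parameter and its default `wce.exe` are assumed placeholders; the AppCompatCache step deliberately avoids a full parser of the version-specific binary format and only checks whether the path string was ever recorded. Run it from an elevated PowerShell session.

```powershell
# Added example (not part of the JPCERT/CC report): collect the evidence types the
# report names for one tool name on a live Windows 10 host.
# $ToolName is an assumed parameter; 'wce.exe' is only a placeholder value.
param([string]$ToolName = 'wce.exe')

$pattern = [regex]::Escape($ToolName)
$hits = [ordered]@{}

# 1. Sysmon event ID 1 (process create), when Sysmon is installed and logging.
try {
    $hits.Sysmon = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1
    } -ErrorAction Stop |
      Where-Object { $_.Message -match $pattern } |
      Select-Object TimeCreated, @{ n = 'Image'; e = {
          ([xml]$_.ToXml()).Event.EventData.Data |
            Where-Object Name -eq 'Image' | Select-Object -ExpandProperty '#text' } }
} catch {
    $hits.Sysmon = "Sysmon log not available: $($_.Exception.Message)"
}

# 2. Security event ID 4688 (process creation), recorded only if the audit policy
#    "Audit Process Creation" is enabled on the host.
$hits.Security4688 = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    Select-Object TimeCreated, Id

# 3. USN Journal: file create/delete/rename records still present in the live
#    journal of the system volume (older records are overwritten as it wraps).
$hits.UsnJournal = fsutil usn readjournal C: csv 2>$null |
    Select-String -SimpleMatch $ToolName | ForEach-Object Line

# 4. AppCompatCache (ShimCache): a version-specific binary blob of executable paths.
#    A raw UTF-16 substring search shows whether the path was ever recorded
#    without needing a per-version parser.
$blob = (Get-ItemProperty `
    'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache').AppCompatCache
$hits.AppCompatCache = [regex]::Matches(
    [System.Text.Encoding]::Unicode.GetString($blob),
    '[A-Za-z]:\\[^\x00]*' + $pattern) | ForEach-Object Value

# 5. UserAssist: per-user GUI launch records whose value names are ROT13-encoded
#    program paths. Only hives of currently loaded users appear under HKEY_USERS.
function ConvertFrom-Rot13([string]$s) {
    -join ($s.ToCharArray() | ForEach-Object {
        $c = [int]$_
        if ($c -ge 65 -and $c -le 90)      { [char](65 + (($c - 65 + 13) % 26)) }
        elseif ($c -ge 97 -and $c -le 122) { [char](97 + (($c - 97 + 13) % 26)) }
        else                               { $_ }
    })
}
$hits.UserAssist = Get-ChildItem `
    'Registry::HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*\Count' `
    -ErrorAction SilentlyContinue |
    ForEach-Object { $_.GetValueNames() } |
    ForEach-Object { ConvertFrom-Rot13 $_ } |
    Where-Object { $_ -match $pattern }

# Print one section per evidence source; an empty section means no trace found,
# not that the tool was never run (the tool may have been renamed or the record
# may have been overwritten).
$hits
```

Each section is independent, so a missing Sysmon log or a disabled 4688 audit policy does not stop the other checks; an empty result is only the absence of that one trace, which is why the report cross-references several artifacts for every tool rather than relying on one.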
Unlike the previous single PDF document, this updated report consists of two parts: the “Report” and the “Tool Analysis Result Sheet”. The “Report” gives an overview of how the research was conducted, how the results can be used in an actual investigation, and points to note when using them. The “Tool Analysis Result Sheet” provides the detailed information that is recorded when each of the 49 tools/commands is executed.
We recommend that you go through the investigation instructions in the “Report” before stepping into the “Tool Analysis Result Sheet”.
As defenders' understanding of attack methods deepens, adversaries will come up with new techniques. We intend to cover such new attack methods in future revisions. If you would like us to investigate any specific tool or any Windows artifact, please let us know. We welcome your feedback at global-cc[at]jpcert.or.jp.
- Shusei Tomonaga
(Translated by Yukako Uchida)
Appendix A Examined Commands and Tools (partial; the full table of 49 entries is in the report)

| Attacker's Purpose of Using Tool | Tool |
|---|---|
| Password and hash dump | Mimikatz (Obtain password hash lsadump::sam) |
| | Mimikatz (Obtain password hash sekurlsa::logonpasswords) |
| | Mimikatz (Obtain ticket sekurlsa::tickets) |
| | PowerMemory (RWMC Tool) |
| Malicious communication relay | |
| | WCE (Remote login) |
| | Mimikatz (Remote login) |
| Escalation to SYSTEM privilege | SDB UAC Bypass |
| administrator rights account | Golden Ticket (Mimikatz) |
| | Silver Ticket (Mimikatz) |
| Adding or deleting local user and group | |