Research Report Released: Detecting Lateral Movement through Tracking Event Logs (Version 2)
In June 2017, JPCERT/CC released the report “Detecting Lateral Movement through Tracking Event Logs”, which describes tools and commands that attackers are likely to use for lateral movement and the traces that their execution leaves on Windows. We received a lot of feedback on that report and have since been revising it based on those comments. Today we are happy to announce that the updated report is released.
Detecting Lateral Movement through Tracking Event Logs (Version 2)
https://www.jpcert.or.jp/english/pub/sr/ir_research.html
Tool Analysis Result Sheet
https://jpcertcc.github.io/ToolAnalysisResultSheet/
Here is a quick summary of the update.
Updated Contents
This report is intended for incident investigation: it explains which logs are recorded and which files are created when tools and commands commonly used in lateral movement are executed. Whereas the previous report focused mainly on event logs and registry entries, this revision also covers forensic artifacts, namely what to examine in the USN Journal, AppCompatCache and UserAssist. The other changes are listed below:
- Verification using Windows 10
- Verification using Sysmon version 5
- Added evidence to investigate
  - USN Journal, AppCompatCache, UserAssist etc.
- Investigation on network communication
  - Proxy, firewall etc.
- Added/replaced attack tools to examine
- Report released in HTML format
Please see Appendix A for the list of 49 tools/commands that are covered in this report.
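One of the newly added artifacts, UserAssist, is a good illustration of why the forensic sources matter: it survives even when an attacker clears the event logs with wevtutil. The following is an added example written for this post (it is not code from the JPCERT/CC report or the Tool Analysis Result Sheet). It decodes UserAssist "Count" values the way an analyst would after exporting them from `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count`: value names are ROT13-encoded program paths, and on Windows 7 and later each value is a 72-byte blob holding the run count at offset 4 and the last-execution FILETIME at offset 60. The decoded executable names are matched against a watch list taken from Appendix A. The registry entries used here are constructed sample data, and the watch list assumes the tools keep their default file names, which attackers frequently change.

```python
"""Decode Windows UserAssist entries and flag known lateral-movement tools.

Added example for this post; sample registry data below is constructed.
Assumed value layout (Windows 7 and later, 72 bytes):
  offset  0  session id (uint32)
  offset  4  run count  (uint32)
  offset  8  focus count (uint32)
  offset 12  focus time in ms (uint32)
  offset 16  ten floats (40 bytes)
  offset 60  last executed, FILETIME (uint64)
  offset 68  padding
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Executable names from Appendix A that an analyst would want to see in
# UserAssist. Assumption: default file names; renamed tools will not match.
WATCHLIST = {
    "psexec.exe", "mimikatz.exe", "wce.exe", "pwdump7.exe", "pwdumpx.exe",
    "quarkspwdump.exe", "gsecdump.exe", "lslsass.exe", "htran.exe",
    "sdelete.exe", "timestomp.exe", "nmap.exe", "webbrowserpassview.exe",
}

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """FILETIME is the number of 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used to build the sample data."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def build_userassist_value(run_count, last_run):
    """Build a 72-byte Windows 7+ UserAssist value (constructed test data only)."""
    blob = bytearray(72)
    struct.pack_into("<I", blob, 4, run_count)
    struct.pack_into("<Q", blob, 60, datetime_to_filetime(last_run))
    return bytes(blob)


def decode_userassist(value_name, value_data):
    """Decode one Count entry: ROT13 path, run count and last-run time (UTC)."""
    if len(value_data) != 72:
        raise ValueError("expected a 72-byte Windows 7+ UserAssist value")
    path = codecs.decode(value_name, "rot13")
    run_count = struct.unpack_from("<I", value_data, 4)[0]
    filetime = struct.unpack_from("<Q", value_data, 60)[0]
    return {
        "path": path,
        "exe": path.rsplit("\\", 1)[-1].lower(),
        "run_count": run_count,
        "last_run": filetime_to_datetime(filetime) if filetime else None,
    }


def find_watchlisted(entries):
    """Return decoded entries whose executable name is on the watch list."""
    hits = []
    for value_name, value_data in entries:
        record = decode_userassist(value_name, value_data)
        if record["exe"] in WATCHLIST:
            hits.append(record)
    return hits


def sample_entries():
    """Constructed (value_name, value_data) pairs as read from the Count key.
    The GUID prefixes are known-folder ids Windows uses in place of the
    Program Files / System32 paths."""
    t = datetime(2017, 12, 5, 9, 30, tzinfo=timezone.utc)
    plain = [
        ("{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Microsoft Office\\Office16\\WINWORD.EXE", 12, t),
        ("{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\notepad.exe", 3, t - timedelta(days=2)),
        ("C:\\Users\\alice\\Desktop\\tools\\PsExec.exe", 1, t + timedelta(hours=1)),
        ("C:\\Users\\alice\\Desktop\\tools\\mimikatz.exe", 2, t + timedelta(hours=1, minutes=5)),
    ]
    # The registry stores the name ROT13-encoded (non-letters are unchanged).
    return [(codecs.encode(path, "rot13"), build_userassist_value(count, ts))
            for path, count, ts in plain]


if __name__ == "__main__":
    for hit in find_watchlisted(sample_entries()):
        print(f"{hit['last_run']:%Y-%m-%d %H:%M:%S} UTC  runs={hit['run_count']:<3} {hit['path']}")
```

Two caveats when using this against a real hive: UserAssist only records programs started through Explorer (double-click, shortcut, Start menu), so a tool launched from cmd.exe, a scheduled task or a remote service such as PSEXESVC leaves no entry here, and absence of a hit is not evidence of absence; and the key lives in the user's NTUSER.DAT, so it must be collected for every account that may have been used on the host.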
Report Format
Unlike the previous single PDF document, this updated report consists of two parts: the “Report” and the “Tool Analysis Result Sheet”. The “Report” gives an overview of how the research was conducted, how the results can be applied to an actual investigation, and points to note when using them. The “Tool Analysis Result Sheet” provides the detailed information that is recorded when each of the 49 tools/commands is executed.
We recommend reading the investigation instructions in the “Report” before stepping into the “Tool Analysis Result Sheet”.
Conclusion
As defenders' understanding of attack methods deepens, adversaries will come up with new techniques. We intend to cover such new methods in future revisions. If you would like us to investigate a specific tool or any other item on Windows, please let us know. We welcome your feedback at global-cc[at]jpcert.or.jp.
- Shusei Tomonaga
(Translated by Yukako Uchida)
Appendix A Examined Commands and Tools
| Attacker's purpose of using tool | Tool |
|---|---|
| Command execution | PsExec |
| | wmic |
| | schtasks |
| | wmiexec.vbs |
| | BeginX |
| | WinRM |
| | WinRS |
| | BITS |
| Password and hash dump | PWDump7 |
| | PWDumpX |
| | Quarks PwDump |
| | Mimikatz (Obtain password hash: lsadump::sam) |
| | Mimikatz (Obtain password hash: sekurlsa::logonpasswords) |
| | Mimikatz (Obtain ticket: sekurlsa::tickets) |
| | WCE |
| | gsecdump |
| | lslsass |
| | AceHash |
| | Find-GPOPasswords.ps1 |
| | Get-GPPPassword (PowerSploit) |
| | Invoke-Mimikatz (PowerSploit) |
| | Out-Minidump (PowerSploit) |
| | PowerMemory (RWMC Tool) |
| | WebBrowserPassView |
| Malicious communication relay | Htran |
| | Fake wpad |
| Remote logon | RDP |
| Pass-the-hash, Pass-the-ticket | WCE (Remote login) |
| | Mimikatz (Remote login) |
| Escalation to SYSTEM privilege | MS14-058 Exploit |
| | MS15-078 Exploit |
| | SDB UAC Bypass |
| Capturing domain administrator rights account | MS14-068 Exploit |
| | Golden Ticket (Mimikatz) |
| | Silver Ticket (Mimikatz) |
| Adding or deleting local user and group | net user |
| File sharing | net use |
| Deleting evidence | sdelete |
| | timestomp |
| | klist purge |
| | wevtutil |
| Information collection | ntdsutil |
| | vssadmin |
| | csvde |
| | ldifde |
| | dsquery |
| | dcdiag |
| | nltest |
| | nmap |