
Lateral Movement (TA0008) Techniques

Introduction

Forensically investigating lateral movement techniques on workstations and server systems is crucial to understanding how an attacker moves within a network after gaining initial access. Lateral movement involves techniques that enable an attacker to access and control remote systems within a network.

Understanding Common Lateral Movement Techniques

  • Remote Services: Such as RDP, SSH, VNC.

  • Exploitation of Trust: Utilising valid credentials or exploiting trusted relationships between systems.

  • Use of File Shares: Accessing network shares to move files or execute code.

  • Pass-the-Hash/Pass-the-Ticket: Stealing and reusing authentication tokens.

  • Remote Execution Tools: Tools like PsExec or remote scripting like PowerShell Remoting.

Initial Data Collection

  • Forensic Imaging: Create exact copies of the hard drives of affected systems using tools like FTK Imager or dd.

  • Memory Capture: Capture volatile memory from systems using tools like WinPmem or Magnet RAM Capture.

  • Log Collection: Gather security logs, system logs, application logs, and especially Windows Event Logs.

Analysing Remote Access

  • Security and System Logs: Review logs for signs of remote access activities, like RDP logins (Event ID 4624 with logon type 10).

  • Authentication Logs: Examine logs for abnormal authentication patterns or use of unusual user accounts.
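The following query, an added example rather than part of the original page, applies the Event ID 4624 / logon type 10 check above in Microsoft Sentinel. It assumes the Windows Security log is forwarded into the SecurityEvent table, and goes a step beyond the single-event check by counting per account and source address so that fan-out (one source reaching several hosts) and repeated failures stand out; the thresholds are illustrative.

```kql
// Added example (not part of the original page): Sentinel KQL over the SecurityEvent table,
// which assumes the Windows Security log is being forwarded by the Sentinel data connector.
// Logon type 10 = RemoteInteractive, i.e. an RDP session; 4624 = success, 4625 = failure.
let lookback = 7d;
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID in (4624, 4625) and LogonType == 10
| where isnotempty(IpAddress) and IpAddress != "-"
| extend Outcome = iff(EventID == 4624, "Success", "Failure")
| summarize
    Successes = countif(Outcome == "Success"),
    Failures  = countif(Outcome == "Failure"),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated),
    Targets   = make_set(Computer, 20)
    by Account = TargetUserName, SourceIP = IpAddress
| extend TargetCount = array_length(Targets)
// One account successfully RDP'ing to several hosts from a single source in a week is the
// fan-out pattern typical of lateral movement; many failures alongside suggest guessing.
| where TargetCount >= 3 or Failures >= 10
| order by TargetCount desc, Failures desc
```

Review the Targets list against the account's role: a help-desk account reaching many workstations may be normal, while a service account or a user account reaching servers it has no business on is the lead to pull.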

Network Traffic Analysis

  • Network Monitoring Tools: Use tools like Wireshark or Tcpdump to analyse network traffic for remote access protocols or unusual internal traffic patterns.

  • Flow Data Analysis: Review NetFlow data for evidence of lateral movements.

Investigating Account Usage

  • User Account Analysis: Look for evidence of unauthorised use of user accounts, especially privileged ones.

  • Pass-the-Hash/Pass-the-Ticket Detection: Analyse memory dumps or security logs for signs of these techniques.

File and Directory Analysis

  • File Access and Movement: Check file access logs for indications of files being accessed or moved in a manner consistent with lateral movement.

  • Artefact Analysis: Look for artefacts left by remote execution tools or scripts.

Analysing Use of Remote Services

  • RDP, SSH, and Other Protocols: Examine logs and settings related to these services for unauthorised access or configuration changes.

  • Service Configuration: Review the configuration of services commonly used for lateral movement.

Specialised Forensic Tools Usage

  • Forensic Suites: Tools like EnCase, Autopsy, or X-Ways for comprehensive analysis.

  • Sysinternals Suite: For in-depth analysis of Windows systems, including tools like Process Explorer and TCPView.

Documentation and Reporting

  • Detailed Documentation: Record all findings, processes used and evidence paths.

  • Forensic Report: Compile a comprehensive report detailing the lateral movement investigation.

Post-Investigation Actions

  • Mitigation and Remediation: Implement necessary measures to contain and eradicate the attacker's presence.

  • Recovery: Restore affected systems from clean backups.

  • Enhancing Defences: Update security policies and tools based on the findings.

Key Considerations

  • Chain of Custody: Maintain an accurate chain of custody for all forensic evidence.

  • Legal Compliance: Ensure that the investigation complies with legal requirements.

  • Data Confidentiality: Maintain the confidentiality and integrity of data throughout the investigation.

Lateral movement investigations require a detailed and methodical approach, as attackers often use sophisticated methods to avoid detection. Tailor the investigation to the specifics of the incident and the environment in which you are operating.

Using KQL to Investigate Lateral Movement Activities in an Environment Using Defender/Sentinel

Lateral Movement techniques involve adversaries trying to move through the network to gain access to other systems and sensitive data.

1. T1021.001 - Remote Desktop Protocol (RDP)

Objective: Detect attempts to use RDP to move laterally across systems.

  1. Detect RDP Logon Activity

IdentityLogonEvents | where LogonType == "RemoteInteractive" | project Timestamp, AccountName, LogonType, DeviceName, DestinationDeviceName, ActionType // ActionType is LogonSuccess or LogonFailed; the table has no LogonResult column

Purpose: Identify logons that use Remote Desktop Protocol.

  2. Monitor for Unusual RDP Connections

DeviceNetworkEvents | where RemotePort == 3389 | project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName

Purpose: Detect RDP connections from unusual IP addresses or at odd hours.

  3. Identify Multiple RDP Sessions from a Single Account

IdentityLogonEvents | where LogonType == "RemoteInteractive" and ActionType == "LogonSuccess" | summarize RDPCount = count(), Targets = make_set(DestinationDeviceName) by AccountName, DeviceName, bin(Timestamp, 1h) | where RDPCount > 3 | project Timestamp, AccountName, DeviceName, Targets, RDPCount

Purpose: Monitor for multiple RDP sessions initiated by the same account within a one-hour window. Grouping by bin(Timestamp, 1h) is what defines the window and keeps a Timestamp column available after summarize.

  4. Detect Suspicious RDP Session Initiation

DeviceProcessEvents | where FileName == "mstsc.exe" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify the use of Remote Desktop Connection client.

  5. Monitor for RDP Session Shadowing

DeviceProcessEvents | where FileName =~ "shadow.exe" or (FileName =~ "mstsc.exe" and ProcessCommandLine contains "/shadow:") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Detect the use of shadow sessions, which allow viewing or controlling an active RDP session. Current Windows versions start shadowing with mstsc.exe /shadow:<session ID>, so the query covers that form alongside the legacy shadow.exe.

  6. Identify Unauthorized RDP Access Attempts

IdentityLogonEvents | where LogonType == "RemoteInteractive" and ActionType == "LogonFailed" | project Timestamp, AccountName, DeviceName, DestinationDeviceName, FailureReason

Purpose: Monitor for failed RDP logon attempts, which may indicate unauthorized access attempts.

2. T1021.002 - SMB/Windows Admin Shares

Objective: Detect attempts to use SMB shares for lateral movement, such as administrative shares or file shares.

  1. Detect Access to Admin Shares

DeviceFileEvents | where RequestProtocol == "Smb" and ShareName in~ ("ADMIN$", "C$") | project Timestamp, DeviceName, RequestSourceIP, RequestAccountName, ShareName, FolderPath, FileName

Purpose: Identify attempts to access administrative shares like ADMIN$ or C$. Share access is recorded on the target device in DeviceFileEvents (RequestSourceIP and RequestAccountName identify the connecting host and account); DeviceNetworkEvents has no FolderPath column.

  2. Monitor for Lateral Movement Using PsExec

DeviceProcessEvents | where FileName in~ ("PsExec.exe", "PsExec64.exe", "PSEXESVC.exe") or ProcessCommandLine has "psexec" | project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Detect the use of PsExec, a tool commonly used for lateral movement via SMB. PSEXESVC.exe is the service binary PsExec copies to and runs on the target host, so it identifies the receiving side.

  3. Identify File Transfers Over SMB

DeviceFileEvents | where ActionType == "FileCreated" and FolderPath startswith "\\\\" | project Timestamp, DeviceName, FolderPath, FileName, InitiatingProcessAccountName, InitiatingProcessFileName

Purpose: Monitor for files being created on remote UNC paths over SMB, which may indicate data exfiltration or tool transfer. DeviceFileEvents records the operation in ActionType; there is no FileOperation column.

  4. Detect Attempts to Map Network Drives

DeviceProcessEvents | where FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine has "use" and ProcessCommandLine !has "\\domain" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify attempts to map network drives using the net use command. net.exe hands the work to net1.exe, so both binaries are matched, and KQL negates has as !has (there is no has_not operator).

  5. Monitor for Unauthorized Access to Hidden Shares

DeviceFileEvents | where RequestProtocol == "Smb" and ShareName in~ ("IPC$", "print$") | project Timestamp, DeviceName, RequestSourceIP, RequestAccountName, ShareName, FolderPath, FileName

Purpose: Detect attempts to access hidden administrative shares like IPC$.

  6. Identify Use of WMI for SMB-Based Lateral Movement

DeviceProcessEvents | where FileName =~ "wmic.exe" and ProcessCommandLine contains "/node:" and ProcessCommandLine has_all ("process", "call", "create") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for WMI commands used to execute processes on remote hosts; the /node: switch names the target.

3. T1075 - Pass the Hash

Objective: Detect attempts to use stolen NTLM hashes to authenticate to other systems without needing the associated plaintext password.

  1. Detect Unusual NTLM Logon Events

IdentityLogonEvents | where Protocol == "Ntlm" | project Timestamp, AccountName, DeviceName, DestinationDeviceName, LogonType, ActionType // Protocol holds the authentication protocol (Ntlm or Kerberos); there is no AuthenticationPackage column

Purpose: Identify NTLM logon events that may indicate pass-the-hash attacks.

  2. Monitor for NTLM Authentication Without Interactive Logon

IdentityLogonEvents | where LogonType != "Interactive" and Protocol == "Ntlm" | project Timestamp, AccountName, DeviceName, DestinationDeviceName, LogonType, ActionType

Purpose: Detect NTLM authentication attempts where no interactive logon occurred, potentially indicating pass-the-hash.

  3. Identify High-Frequency NTLM Logons

IdentityLogonEvents | where Protocol == "Ntlm" | summarize LogonCount = count(), Targets = make_set(DestinationDeviceName) by AccountName, DeviceName, bin(Timestamp, 1h) | where LogonCount > 5 | project Timestamp, AccountName, DeviceName, Targets, LogonCount

Purpose: Monitor for multiple NTLM logon attempts from one account and source within a one-hour window.

  4. Detect Use of Mimikatz for Pass-the-Hash

DeviceProcessEvents | where ProcessCommandLine has_any ("mimikatz", "sekurlsa::pth") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify the use of Mimikatz, a tool commonly used for pass-the-hash attacks.

  5. Monitor for Suspicious NTLM Network Traffic

DeviceNetworkEvents | where ActionType == "InboundConnectionAccepted" and LocalPort == 445 | project Timestamp, DeviceName, RemoteIP, RemotePort, LocalPort, Protocol

Purpose: Detect inbound SMB connections, which carry the NTLM authentication used in pass-the-hash attempts. DeviceNetworkEvents has no Direction column: inbound connections are the InboundConnectionAccepted action type, with the listening port in LocalPort.

  6. Identify NTLM Logons from Non-Domain Systems

IdentityLogonEvents | where Protocol == "Ntlm" and AccountDomain != "YourDomain" | project Timestamp, AccountName, AccountDomain, DeviceName, DestinationDeviceName, ActionType

Purpose: Monitor for NTLM logons originating from non-domain accounts or systems, which may indicate an attack (YourDomain is a placeholder for your own domain name).
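As an added example that is not part of the original page, the following query extends the NTLM checks above with a baseline: rather than listing every NTLM logon, it flags accounts whose NTLM network logons reach destination hosts they never authenticated to during the previous 30 days. It assumes Defender for Identity is populating IdentityLogonEvents, with Protocol holding Ntlm/Kerberos, ActionType holding LogonSuccess/LogonFailed, DeviceName as the source host and DestinationDeviceName as the target; the 30-day/1-day windows and the threshold of three new targets are illustrative.

```kql
// Added example (not from the original page). Assumes Defender for Identity is feeding
// IdentityLogonEvents, where Protocol is "Ntlm"/"Kerberos", ActionType is
// "LogonSuccess"/"LogonFailed", DeviceName is the source host and DestinationDeviceName the target.
let lookback = 30d;   // baseline window
let recent   = 1d;    // hunting window
// Account -> destination pairs that authenticated with NTLM during the baseline window.
let KnownPairs = IdentityLogonEvents
    | where Timestamp between (ago(lookback) .. ago(recent))
    | where Protocol == "Ntlm" and ActionType == "LogonSuccess"
    | distinct AccountName, DestinationDeviceName;
IdentityLogonEvents
| where Timestamp > ago(recent)
| where Protocol == "Ntlm" and ActionType == "LogonSuccess"
| where LogonType != "Interactive"          // pass-the-hash never produces an interactive logon
// Keep only account -> destination pairs never seen in the baseline.
| join kind=leftanti KnownPairs on AccountName, DestinationDeviceName
// Fan-out is the signal: one account reaching several hosts it has no history with.
| summarize NewTargets = dcount(DestinationDeviceName),
            Targets    = make_set(DestinationDeviceName, 20),
            Sources    = make_set(DeviceName, 10),
            FirstSeen  = min(Timestamp),
            Logons     = count()
            by AccountName
| where NewTargets >= 3
| order by NewTargets desc
```

Run it daily and tune the windows: a baseline shorter than the organisation's normal working cycle (month-end tasks, quarterly patching) will keep resurfacing legitimate pairs as new.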

4. T1021.004 - SSH

Objective: Detect attempts to use SSH for lateral movement, particularly in environments that use SSH for remote management.

  1. Detect SSH Logons

DeviceLogonEvents | where LogonType == "Network" and InitiatingProcessFileName has "sshd" | project Timestamp, AccountName, DeviceName, RemoteIP, LogonType, ActionType

Purpose: Identify SSH logon events, especially those originating from unusual locations. Endpoint logons, including SSH on Linux hosts running Defender for Endpoint, are in DeviceLogonEvents, where the SSH daemon is the initiating process; IdentityLogonEvents is fed by Defender for Identity and has no ProcessCommandLine column.

  2. Monitor for Failed SSH Logon Attempts

DeviceLogonEvents | where LogonType == "Network" and InitiatingProcessFileName has "sshd" and ActionType == "LogonFailed" | project Timestamp, AccountName, DeviceName, RemoteIP, LogonType, ActionType, FailureReason

Purpose: Detect failed SSH logon attempts, which may indicate brute force attacks.

  3. Identify SSH Connections from Unusual IP Addresses

DeviceNetworkEvents | where RemotePort == 22 | project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName

Purpose: Monitor SSH connections from IP addresses that are not commonly seen.

  4. Detect Use of SSH for File Transfer

DeviceProcessEvents | where FileName in~ ("scp", "scp.exe", "sftp", "sftp.exe", "rsync") | project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify SSH-based file transfer commands like scp, sftp or rsync.

  5. Monitor for SSH Key Usage

DeviceProcessEvents | where FileName in~ ("ssh", "ssh.exe") and (ProcessCommandLine has ".pem" or ProcessCommandLine contains " -i ") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Detect SSH logons using private key files (passed with -i or named with a .pem extension), which could indicate key theft or unauthorized access.

  6. Identify Lateral Movement via SSH in WSL

DeviceProcessEvents | where ProcessCommandLine has "ssh" and (InitiatingProcessFileName in~ ("wsl.exe", "bash.exe") or FolderPath startswith "C:\\Users\\") | project Timestamp, DeviceName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountName

Purpose: Monitor for SSH lateral movement attempts launched from Windows Subsystem for Linux (WSL) or from a user profile directory.

5. T1563 - Remote Service Session Hijacking

Objective: Detect attempts to hijack existing remote sessions, such as RDP, VNC, or SSH sessions, to move laterally without establishing a new connection.

  1. Detect Suspicious RDP Shadowing Sessions

DeviceProcessEvents | where FileName =~ "shadow.exe" or (FileName =~ "mstsc.exe" and ProcessCommandLine contains "/shadow:") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify use of RDP shadowing (the legacy shadow.exe or mstsc.exe /shadow:<session ID>) for RDP session hijacking.

  2. Monitor for VNC Session Hijacking Attempts

DeviceProcessEvents | where FileName in~ ("vncviewer.exe", "winvnc.exe") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Detect VNC session hijacking attempts using known VNC clients.

  3. Identify SSH Session Hijacking Commands

DeviceProcessEvents | where FileName in~ ("ssh", "ssh.exe") and (ProcessCommandLine contains " -O " or ProcessCommandLine has_any ("ControlMaster", "ControlPath", "ProxyCommand")) | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for SSH commands that attach to or reuse existing connections through control sockets (-O, ControlMaster, ControlPath) or tunnel through another host (ProxyCommand).

  4. Detect Attempts to Reuse Existing RDP Sessions

DeviceProcessEvents | where FileName =~ "tscon.exe" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify attempts to switch or reuse existing RDP sessions using tscon.

  5. Monitor for Suspicious Use of rdesktop (Linux)

DeviceProcessEvents | where ProcessCommandLine has "rdesktop" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Detect attempts to hijack or reconnect to RDP sessions using rdesktop.

  6. Identify Attempts to Hijack Remote Desktop Services

DeviceProcessEvents | where FileName =~ "qwinsta.exe" or (FileName =~ "query.exe" and ProcessCommandLine has "session") | project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for the use of qwinsta (or query session) to enumerate remote desktop sessions, the step that typically precedes hijacking one with tscon.

6. T1091 - Replication Through Removable Media

Objective: Detect attempts to spread malware or access credentials by replicating data through removable media.

  1. Detect Removable Media Insertion

DeviceEvents | where ActionType == "UsbDriveMounted" | project Timestamp, DeviceName, InitiatingProcessAccountName, AdditionalFields

Purpose: Identify when removable media is mounted on the system, which could be used for lateral movement. The action type is UsbDriveMounted (there is no RemovableMediaInserted), and the drive letter, vendor, product and serial number are carried in the AdditionalFields JSON rather than in a RemovableMediaName column.

  2. Monitor for Files Transferred to Removable Media

DeviceFileEvents | where FolderPath startswith "E:\\" | project Timestamp, DeviceName, FileName, FolderPath, FileOperation, InitiatingProcessAccountName

Purpose: Detect files being copied to removable media, potentially as part of data exfiltration or spreading malware.

  3. Identify Execution of Files from Removable Media

DeviceProcessEvents | where FolderPath startswith "E:\\" | project Timestamp, DeviceName, FolderPath, FileName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for the execution of files from removable media. FolderPath in DeviceProcessEvents is the location of the executable itself, so no separate .exe check on the command line is needed; substitute the drive letter your media mounts as.

  4. Detect Suspicious Scripts on Removable Media

DeviceFileEvents | where FolderPath startswith "E:\\" | extend FileExtension = tolower(extract(@"\.[^.\\]+$", 0, FileName)) | where FileExtension in (".vbs", ".bat", ".ps1") | project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName

Purpose: Identify potentially malicious scripts on removable media. DeviceFileEvents has no FileExtension column, so the extension is extracted from FileName.

  5. Monitor for Autorun Configurations on Removable Media

DeviceFileEvents | where FileName == "autorun.inf" | project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName

Purpose: Detect the presence of autorun.inf files that could automatically execute malicious content.

  6. Identify Data Transfer to Unusual Removable Media Devices

let KnownUsbSerials = dynamic(["PLACEHOLDER-SERIAL-1", "PLACEHOLDER-SERIAL-2"]); DeviceEvents | where ActionType == "UsbDriveMounted" | extend Usb = parse_json(AdditionalFields) | extend DriveLetter = tostring(Usb.DriveLetter), Vendor = tostring(Usb.Vendor), ProductName = tostring(Usb.ProductName), SerialNumber = tostring(Usb.SerialNumber) | where SerialNumber !in (KnownUsbSerials) | project Timestamp, DeviceName, InitiatingProcessAccountName, DriveLetter, Vendor, ProductName, SerialNumber

Purpose: Monitor for unrecognised removable media devices, so that transfers to them (query 2, using the DriveLetter returned here) can be examined. DeviceName is the endpoint, not the USB device, so a check for "Unknown" in it could never match; instead the device serial number from the UsbDriveMounted AdditionalFields is compared against an allow list of approved media (the placeholder serials are to be replaced with your own).
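The queries above hard-code E:\ as the removable drive. The following query, an added example rather than part of the original page, removes that assumption by taking the drive letter from each UsbDriveMounted event and joining file writes under that letter on the same device, so the output ties every executable or script written to removable media to the vendor, product and serial number of the device it landed on. It assumes the AdditionalFields JSON of UsbDriveMounted events carries DriveLetter, Vendor, ProductName and SerialNumber keys (the fields Defender's device control reporting exposes); confirm those key names against your own tenant's events before deploying it.

```kql
// Added example (not from the original page). Assumes the AdditionalFields JSON on
// UsbDriveMounted events carries DriveLetter, Vendor, ProductName and SerialNumber;
// verify the key names against your tenant's events before relying on this.
let lookback = 7d;
let Mounts = DeviceEvents
    | where Timestamp > ago(lookback) and ActionType == "UsbDriveMounted"
    | extend Usb = parse_json(AdditionalFields)
    | project MountTime = Timestamp, DeviceId,
              DriveLetter  = toupper(tostring(Usb.DriveLetter)),   // e.g. "E:"
              Vendor       = tostring(Usb.Vendor),
              ProductName  = tostring(Usb.ProductName),
              SerialNumber = tostring(Usb.SerialNumber);
DeviceFileEvents
| where Timestamp > ago(lookback)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| extend DriveLetter = toupper(substring(FolderPath, 0, 2))   // "E:\Tools" -> "E:"
| where DriveLetter matches regex @"^[D-Z]:$"                  // skip C: and UNC paths
// Pair each write with mounts of the same letter on the same device, then keep the
// most recent mount that happened before the write.
| join kind=inner Mounts on DeviceId, DriveLetter
| where MountTime <= Timestamp
| summarize arg_max(MountTime, Vendor, ProductName, SerialNumber)
    by Timestamp, DeviceName, DriveLetter, FolderPath, FileName, ActionType,
       InitiatingProcessAccountName, InitiatingProcessFileName
| extend Ext = tolower(extract(@"\.[^.\\]+$", 0, FileName))
// Executables and scripts written to removable media are the replication pattern T1091 describes.
| where Ext in (".exe", ".dll", ".lnk", ".vbs", ".bat", ".ps1", ".cmd", ".js", ".inf")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName,
          DriveLetter, FolderPath, FileName, ActionType, Vendor, ProductName, SerialNumber
| order by Timestamp desc
```

If a drive letter is reused by a second device within the window, the arg_max keeps the most recent mount before each write, so the attribution stays correct; widen the extension list to whatever your environment treats as executable content.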

7. T1021.006 - Windows Remote Management (WinRM)

Objective: Detect attempts to use WinRM for lateral movement, particularly in environments where PowerShell Remoting is used for remote management.

  1. Detect WinRM Logon Activity

DeviceProcessEvents | where FileName =~ "wsmprovhost.exe" | project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName

Purpose: Identify sessions established over WinRM for remote management. IdentityLogonEvents has no ProcessCommandLine column; on the target host each incoming PowerShell Remoting session is hosted by wsmprovhost.exe running as the remote user (AccountName), so its start is the reliable session marker.

  2. Monitor for Use of PowerShell Remoting via WinRM

DeviceProcessEvents | where ProcessCommandLine has "powershell" and ProcessCommandLine has "Enter-PSSession" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Detect the use of PowerShell Remoting, which uses WinRM to execute commands remotely.

  3. Identify Unusual WinRM Connections

DeviceNetworkEvents | where RemotePort == 5985 or RemotePort == 5986 | project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName

Purpose: Monitor WinRM connections from unusual IP addresses or during off-hours.

  4. Detect Unauthorized WinRM Configurations

DeviceProcessEvents | where (ProcessCommandLine has "winrm" and ProcessCommandLine has_any ("set", "quickconfig", "config")) or ProcessCommandLine has "Enable-PSRemoting" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify changes to WinRM configuration (winrm set, winrm quickconfig, Enable-PSRemoting) that could enable lateral movement. has matches whole terms, so "config" alone would not match quickconfig.

  5. Monitor for Use of Invoke-Command via WinRM

DeviceProcessEvents | where ProcessCommandLine has "powershell" and ProcessCommandLine has "Invoke-Command" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Detect the use of Invoke-Command to execute PowerShell commands remotely via WinRM.

  6. Identify Suspicious WinRM Logon Failures

DeviceLogonEvents | where LogonType == "Network" and ActionType == "LogonFailed" | project Timestamp, AccountName, DeviceName, RemoteIP, FailureReason

Purpose: Monitor for failed network logons, which may indicate unauthorized access attempts. Failed WinRM authentication is recorded on the target as a failed Network logon without the protocol being named, so correlate RemoteIP with inbound connections on ports 5985/5986 (query 3) to attribute failures to WinRM.


Last updated 4 months ago