Section 2.3: Intrusion Analysis: Lateral Movement Tactics Flashcards
Name 2 methods of lateral movement that copy malware to the target, and explain how this benefits the adversary.
Remote Desktop Services (RDP, VNC and TeamViewer) and Windows admin shares. Copying tooling across gives the adversary the programs they need on the remote system for whatever techniques come next. On the source system, expect "logon with explicit credentials" (RunAs) events, Security Event ID 4648, whenever alternate credentials were supplied for the connection.
Registry locations to analyze source RDP artifacts
Mstsc.exe execution artifacts:
[SYSTEM] Shimcache, BAM/DAM
[NTUSER.DAT] UserAssist, RecentApps
[Amcache.hve]
To track RDP destinations per user: NTUSER\Software\Microsoft\Terminal Server Client\Servers (one subkey per host, each with a UsernameHint value; the neighbouring Default key holds the MRU list). The Default.rdp file in the user's Documents folder also records the most recent connection.
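The per-user RDP destination artifacts above are quick to pull from a live host with `reg export` and a copy of Default.rdp. The following is an added example, not part of the original flashcards, that parses both: the .reg dump and the Default.rdp text below are constructed samples, and the host names and user names in them are made up.

```python
"""Enumerate per-user RDP destinations from the artifacts listed above.

Added example (not part of the original flashcards). Inputs are two
constructed samples: a `reg export` dump of the user's
Software\\Microsoft\\Terminal Server Client key and the text of that
user's Default.rdp. reg.exe writes .reg files as UTF-16, so read a real
export with open(path, encoding="utf-16").
"""
import re

TSC_PATH = r"Software\Microsoft\Terminal Server Client"
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # string values only; dword: lines are skipped

# Constructed sample of: reg export "HKCU\Software\Microsoft\Terminal Server Client" tsc.reg
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client]
"RDGClientTransport"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default]
"MRU0"="10.10.20.15"
"MRU1"="fileserver01.corp.local"

[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers]

[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\10.10.20.15]
"UsernameHint"="CORP\\svc_backup"

[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\fileserver01.corp.local]
"UsernameHint"="CORP\\jdoe"
"""

# Constructed sample of %USERPROFILE%\Documents\Default.rdp (a hidden file)
DEFAULT_RDP = r"""screen mode id:i:2
full address:s:10.10.20.15
username:s:CORP\svc_backup
"""


def _unescape(value):
    """.reg files write a backslash as two backslashes."""
    return value.replace("\\\\", "\\")


def parse_tsc_export(text):
    """Return {'servers': {host: UsernameHint or None}, 'mru': [hosts in MRU order]}."""
    servers, mru = {}, {}
    host = None          # set while inside Servers\<host>
    in_default = False   # set while inside the Default (MRU) key
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            idx = path.find(TSC_PATH + "\\")
            suffix = path[idx + len(TSC_PATH) + 1:] if idx >= 0 else ""
            in_default = suffix == "Default"
            host = suffix[len("Servers\\"):] if suffix.startswith("Servers\\") else None
            if host:
                servers.setdefault(host, None)
            continue
        val = VAL_RE.match(line)
        if not val:
            continue
        name, value = val.group(1), _unescape(val.group(2))
        if host and name == "UsernameHint":
            servers[host] = value
        elif in_default and name.startswith("MRU") and name[3:].isdigit():
            mru[int(name[3:])] = value
    return {"servers": servers, "mru": [mru[i] for i in sorted(mru)]}


def parse_rdp_file(text):
    """Return the string-typed settings (name:s:value) from an .rdp file."""
    settings = {}
    for line in text.splitlines():
        parts = line.split(":", 2)
        if len(parts) == 3 and parts[1] == "s":
            settings[parts[0]] = parts[2]
    return settings


def rdp_destinations(reg_text, rdp_text):
    """Merge both artifacts into one row per destination host."""
    tsc = parse_tsc_export(reg_text)
    last = parse_rdp_file(rdp_text).get("full address")
    hosts = tsc["mru"] + sorted(h for h in tsc["servers"] if h not in tsc["mru"])
    return [{"host": h, "username_hint": tsc["servers"].get(h), "in_default_rdp": h == last}
            for h in hosts]


if __name__ == "__main__":
    for row in rdp_destinations(REG_EXPORT, DEFAULT_RDP):
        print(row)
```

The MRU order gives the sequence of recent targets, the UsernameHint gives the account typed into mstsc for each host, and the Default.rdp match confirms which host was connected to last; none of these prove a session was established, so corroborate with the 4648 events and the destination's own logs.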
Filesystem locations to analyze source RDP lateral movement
Jumplists - %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations (the mstsc.exe jumplist records destination hosts)
Prefetch - mstsc.exe
Bitmap cache - %LOCALAPPDATA%\Microsoft\Terminal Server Client\Cache (screen fragments of what the user saw on the remote desktop)
Name tools to parse the registry and the bitmap cache files.
RegRipper for the registry hives, and bmc-tools.py for the RDP bitmap cache files.
Where can I find TeamViewer in the filesystem?
Under Program Files (C:\Program Files\TeamViewer); its log files, which record connections, are written to the same directory.
How can I block RDP?
For domain admin and service accounts, assign the user right "Deny log on through Remote Desktop Services" through Active Directory Group Policy. At the host level, disable Remote Desktop and add a host firewall rule that denies inbound connections on TCP 3389.
Registry and filesystem locations to analyze destination RDP lateral movement
Registry:
rdpclip.exe and tstheme.exe execution:
[Shimcache] [Amcache]
Filesystem:
rdpclip.exe and tstheme.exe execution:
[Prefetch]
What are the Windows admin share artifacts? Describe each.
C$ shares the root of the system volume (every fixed drive gets a matching <letter>$ share), ADMIN$ shares the Windows folder (%SystemRoot%), and IPC$ is the inter-process communication share used for named pipes.
What operational log identifies failed logons when mapping shares?
Microsoft-Windows-SmbClient%4Security.evtx (the SMB client security log on the source system), Event ID 31001 (failed logon to the destination).
Registry locations to analyze source map sharing lateral movement
net.exe and net1.exe execution (net.exe hands the work to net1.exe, so both leave traces):
[Shimcache][BAM/DAM][Amcache]
Shellbags - USRCLASS.DAT (folders browsed on the remote share)
MountPoints2 - NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 (shares the user has mapped)
Filesystem locations to analyze for source map sharing lateral movement
Net.exe & net1.exe:
[Prefetch]
When looking into where the adversary went by observing MountPoints2, where else can I look to see what folders were accessed?
Shellbags
Since mapping is done from the source system, what command is used?
net use (for example: net use \\target\C$ /user:domain\admin)
What type of logs are likely to be seen at the destination system for map sharing?
SMB share-access logs and the NTLM or Kerberos authentication events. In the destination's Security log: 4624 with logon type 3 (network logon, the Authentication Package field shows NTLM or Kerberos), 4672 (special privileges assigned, for admin accounts), 4776 (NTLM credential validation, logged on the destination only for local accounts), and 5140/5145 (share and share-object access, if object-access auditing is enabled). The Kerberos ticket events 4768/4769 for a domain account are logged on the domain controller, not the destination.
Filesystem locations to analyze destination map sharing lateral movement
Look for file creation, since the malware is copied onto the destination. A copied file keeps its original last-modified time but receives a new creation time at the moment of the copy, so a modified timestamp that is earlier than the creation timestamp is the telltale of a copy. Compare the $STANDARD_INFORMATION times with $FILE_NAME, because the former are easy to timestomp.
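The timestamp inversion described above is simple to hunt for at scale. The following is an added example, not part of the original flashcards: it reads a constructed filesystem timeline (paths, $STANDARD_INFORMATION Created and Modified times, formatted as a plain CSV of my own choosing) and flags files whose Modified time predates their Created time, plus files created together in one short window, which often marks the batch in which tooling was dropped.

```python
"""Spot files copied onto a destination host by their timestamp order.

Added example (not part of the original flashcards). TIMELINE_CSV is
constructed; a real timeline would come from an $MFT parse (for
instance the $STANDARD_INFORMATION Created/Modified columns of an
MFTECmd CSV) and may need its column names mapped to Path/Created/Modified.
"""
import csv
import io
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: Path,Created,Modified ($STANDARD_INFORMATION times, UTC)
TIMELINE_CSV = """Path,Created,Modified
C:\\Windows\\Temp\\svchost.exe,2024-03-04 02:17:09,2024-02-20 11:42:31
C:\\Temp\\update.bat,2024-03-04 02:18:40,2024-03-04 02:18:40
C:\\Users\\jdoe\\Documents\\report.docx,2024-03-01 09:00:00,2024-03-03 16:20:45
C:\\Windows\\System32\\notepad.exe,2023-10-10 08:00:00,2023-10-10 08:00:00
"""


def parse_timeline(text):
    """CSV text -> list of {path, created, modified} with datetime values."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "path": rec["Path"],
            "created": datetime.strptime(rec["Created"], FMT),
            "modified": datetime.strptime(rec["Modified"], FMT),
        })
    return rows


def find_copied_files(rows, tolerance=timedelta(seconds=1)):
    """Return (path, lag) for files whose Modified time predates Created.

    A copy keeps the source file's Modified time but gets a fresh Created
    time, so Created > Modified is the signature described above. Files
    written in place have Created <= Modified. The tolerance absorbs
    sub-second rounding in exported timelines.
    """
    hits = []
    for r in rows:
        lag = r["created"] - r["modified"]
        if lag > tolerance:
            hits.append((r["path"], lag))
    return hits


def copy_bursts(rows, window=timedelta(minutes=5), min_files=2):
    """Group files whose Created times fall within `window` of the first
    file in the group; several creations inside one window often mark the
    batch in which tooling was dropped on the host."""
    ordered = sorted(rows, key=lambda r: r["created"])
    bursts, current = [], []
    for r in ordered:
        if current and r["created"] - current[0]["created"] > window:
            if len(current) >= min_files:
                bursts.append([c["path"] for c in current])
            current = []
        current.append(r)
    if len(current) >= min_files:
        bursts.append([c["path"] for c in current])
    return bursts


if __name__ == "__main__":
    rows = parse_timeline(TIMELINE_CSV)
    for path, lag in find_copied_files(rows):
        print(f"copied: {path} (modified {lag} before creation)")
    for burst in copy_bursts(rows):
        print("created together:", burst)
```

Expect legitimate hits too (installer payloads and extracted archives show the same inversion), so treat the output as a triage list and pivot on the created-together group, the share-access events on the destination, and the $FILE_NAME timestamps before calling anything malicious.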
What privileges are required for remote access through admin shares?
Local administrator rights on the destination: in practice domain admin (or another domain account in the destination's Administrators group) or the built-in local Administrator (RID 500). Other local administrator accounts are token-filtered by UAC over the network unless LocalAccountTokenFilterPolicy is set to 1.
Name the "execute malware" lateral movement methods used by adversaries.
PsExec, remote management tools, PowerShell Remoting, WMIC, vulnerability exploitation, and application deployment software.
Registry locations to analyze source PsExec lateral movement
NTUSER.DAT - Software\Sysinternals\PsExec\EulaAccepted (written the first time the user runs PsExec, including when the -accepteula switch is used)
PsExec.exe execution:
[Shimcache][BAM/DAM][Amcache]
Filesystem locations to analyze source PsExec lateral movement
Psexec.exe
[Prefetch][Memory][Download]
When examining the destination system for psexesvc.exe, what alternative logon type appears if the operator supplied "-u" in the psexec.exe command?
Type 2 (interactive) instead of Type 3 (network). The explicit credentials also create a user profile on the destination and leave the account's credentials cached in LSASS memory there, which is a risk even when the tool is used legitimately by administrators.
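The destination-side log evidence for share mapping (the SMB, NTLM and Kerberos events card above) and for PsExec (this card) can be triaged together. The following is an added example, not part of the original flashcards: EVENTS is a constructed list of Security and System event records with field names taken from the event XML (EventID, LogonType, TargetUserName, IpAddress, ShareName, ProcessName, ServiceName), and the IPs and account names are made up. It groups 5140 admin-share access by source IP and tags 4624 logons as PsExec-related when the logon process is PSEXESVC.exe or a PSEXESVC service install (System Event ID 7045) occurred within a short window; a Type 3 hit is the normal PsExec network logon, a Type 2 hit is the -u case.

```python
"""Triage destination-side Security/System events for admin-share access
and PsExec logons.

Added example (not part of the original flashcards). EVENTS is a
constructed list of Windows event records; a real feed would come from an
EVTX-to-JSON export with the same field names.
"""
import ntpath
from datetime import datetime, timedelta

ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}

EVENTS = [
    # PsExec run from 10.10.20.7 with -u: SMB network logon, admin-share
    # access, PSEXESVC service install, then an interactive (Type 2) logon
    {"ts": "2024-03-04T02:16:51", "EventID": 4624, "LogonType": 3,
     "TargetUserName": "svc_backup", "IpAddress": "10.10.20.7", "ProcessName": "-"},
    {"ts": "2024-03-04T02:16:51", "EventID": 4672, "TargetUserName": "svc_backup"},
    {"ts": "2024-03-04T02:16:52", "EventID": 5140, "TargetUserName": "svc_backup",
     "IpAddress": "10.10.20.7", "ShareName": "\\\\*\\ADMIN$"},
    {"ts": "2024-03-04T02:17:09", "EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2024-03-04T02:17:10", "EventID": 4624, "LogonType": 2,
     "TargetUserName": "svc_backup", "IpAddress": "-",
     "ProcessName": "C:\\Windows\\PSEXESVC.exe"},
    # Ordinary user opening a normal file share the next day
    {"ts": "2024-03-05T08:00:00", "EventID": 4624, "LogonType": 3,
     "TargetUserName": "jdoe", "IpAddress": "10.10.30.2", "ProcessName": "-"},
    {"ts": "2024-03-05T08:00:01", "EventID": 5140, "TargetUserName": "jdoe",
     "IpAddress": "10.10.30.2", "ShareName": "\\\\*\\Shared"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def admin_share_access(events):
    """Source IP -> {'users', 'shares'} for 5140 hits on the admin shares."""
    out = {}
    for e in events:
        if e.get("EventID") != 5140:
            continue
        share = e["ShareName"].rsplit("\\", 1)[-1].upper()   # \\*\ADMIN$ -> ADMIN$
        if share not in ADMIN_SHARES:
            continue
        entry = out.setdefault(e["IpAddress"], {"users": set(), "shares": set()})
        entry["users"].add(e["TargetUserName"])
        entry["shares"].add(share)
    return out


def psexec_logons(events, window=timedelta(minutes=2)):
    """4624 logons tied to PsExec, either because the logon process is
    PSEXESVC.exe or because a PSEXESVC service install (7045) occurred
    within `window` of the logon. Type 3 is the normal network logon;
    Type 2 means explicit credentials were passed with -u."""
    installs = [_ts(e) for e in events
                if e.get("EventID") == 7045 and e.get("ServiceName", "").upper() == "PSEXESVC"]
    hits = []
    for e in events:
        if e.get("EventID") != 4624:
            continue
        via_service = ntpath.basename(e.get("ProcessName", "")).lower() == "psexesvc.exe"
        near_install = any(abs(_ts(e) - t) <= window for t in installs)
        if via_service or near_install:
            hits.append({"ts": e["ts"], "user": e["TargetUserName"],
                         "logon_type": e["LogonType"],
                         "explicit_creds": e["LogonType"] == 2})
    return hits


if __name__ == "__main__":
    for ip, info in admin_share_access(EVENTS).items():
        print(f"{ip}: users={sorted(info['users'])} shares={sorted(info['shares'])}")
    for hit in psexec_logons(EVENTS):
        print(hit)
```

PsExec lets the operator rename the service with -r, so a missing 7045 for PSEXESVC does not clear a host; the Type 2 logon carrying PSEXESVC.exe as its process is the stronger signal for the -u case, and the 5140 admin-share access from the same IP ties it back to the source system.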