Section 2.3: Intrusion Analysis: Lateral Movement Tactics Flashcards

1
Q

Name two methods of lateral movement through malware copying, and explain how it benefits the adversary.

A

Remote Desktop Services (RDP, VNC & TeamViewer) and Windows admin shares. They let the adversary place tools on the remote system to carry out the techniques they need. Definitely expect RunAs logs on source systems.

2
Q

Registry locations to analyze for source RDP artifacts

A

Mstsc.exe artifacts:
[SYSTEM] Shimcache, BAM/DAM
[NTUSER.DAT] UserAssist, RecentApps
[Amcache]
- To track RDP destinations: NTUSER\Software\Microsoft\Terminal Server Client\Servers (Default.rdp file)

3
Q

Filesystem locations to analyze for source RDP lateral movement

A

Jumplists: \Users\AppData\Roaming\Microsoft\Recent\AutomaticDestinations folder
Prefetch: mstsc.exe
Bitmap cache: \Users\AppData\Local\Microsoft\Terminal Server Client\Cache folder

4
Q

Name tools to parse the registry and the bitmap cache files

A

RegRipper for the registry, and bmc-tools.py for the bitmap cache.

5
Q

Where can I find TeamViewer in the filesystem?

A

Under Program Files

6
Q

How can I block RDP?

A

For domain admin and service accounts, use the Active Directory “Deny log on through Remote Desktop Services” right. At the host level, disable RDP and add a firewall rule to deny inbound connections as well.

7
Q

Registry and filesystem locations to analyze for destination RDP lateral movement

A

Registry:
Rdpclip.exe & tstheme.exe:
[Shimcache][Amcache]
Filesystem:
Rdpclip.exe & tstheme.exe:
[Prefetch]

8
Q

What are the Windows admin share artifacts? Give a description of each.

A

C$ shares the drive volume, Admin$ shares the Windows folder, and IPC$ shares commonly used named pipes.

9
Q

In which operational log can I identify failed logons from share mapping?

A

Microsoft-Windows-SmbClient%4Security.evtx, Event ID 31001

10
Q

Registry locations to analyze for source share-mapping lateral movement

A

Net.exe & net1.exe:
[Shimcache][BAM/DAM][Amcache]
Look into shellbags: USRCLASS.DAT
Look into MountPoints2: NTUSER\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

11
Q

Filesystem locations to analyze for source share-mapping lateral movement

A

Net.exe & net1.exe:
[Prefetch]

12
Q

When tracing where the adversary went by observing MountPoints2, where else can I look to see which folders were accessed?

A

Shellbags

13
Q

Since mapping is done from the source system, what command is used?

A

net use

14
Q

What types of logs are likely to be seen on the destination system for share mapping?

A

SMB, NTLM protocol, and Kerberos protocol logs.

15
Q

Filesystem locations to analyze for destination share-mapping lateral movement

A

File creation, since the malware is copied to the destination system. Look for a modified timestamp that is earlier than the creation timestamp, since the creation timestamp is set at the time of copying.

16
Q

What is required for remote access via share mapping?

A

Domain admin privileges or the built-in RID 500 account.

17
Q

Name the execute-malware-commands methods used by adversaries to move laterally.

A

PsExec, Remote Management tools, PowerShell Remoting, WMIC, vulnerability exploitation, and application deployment software.

18
Q

Registry locations to analyze for source PsExec lateral movement

A

NTUSER.DAT: Software\Sysinternals\PsExec\EulaAccepted
PsExec.exe:
[Shimcache][BAM/DAM][Amcache]

19
Q

Filesystem locations to analyze for source PsExec lateral movement

A

Psexec.exe:
[Prefetch][Memory][Download]

20
Q

When looking at the destination system for psexesvc.exe, what alternative logon type can be found if the user adds the “-u” switch to the psexec.exe command?

A

Type 2 instead of 3. It will also create a user profile and store tokens (a vulnerability if the tool is being used legitimately).

21
Q

Psexesvc.exe will always start what on its destination system?

A

A service. Look for its logs as well to track them.

22
Q

Describe what is going on in this command: psexec.exe \\host -accepteula -u -e -d -c c:\temp\evil.exe

A

The source system ran psexec against host. It accepted the EULA, so expect that in the destination registry. “-u” will create a user profile and “-e” will omit it (both optional). “-d” doesn’t wait for process termination. “-c” copies the specified file. Check the file timestamp to tie the file to the psexec run.

23
Q

On the destination system, which object in memory analysis lets me track the named pipes for psexesvc.exe?

A

Handles. The pipe will include the psexesvc name, but adversaries can change it to whatever they please by adding “-r” to the psexec command.

24
Q

Registry locations to analyze for destination psexesvc lateral movement

A

SYSTEM\CurrentControlSet\Services\PSEXESVC (the -r switch will change the name)
Psexesvc.exe:
[Shimcache][Amcache]

25
Q

Filesystem locations to analyze for destination psexesvc lateral movement

A

New user profile created if “-e” wasn’t used to omit it.
Psexesvc.exe:
[Prefetch]
- find the binary inside the Windows folder, thanks to Admin$

26
Q

Name the Windows Remote Management tools that can be used for lateral movement.

A

sc (services)
at & schtasks (scheduled tasks)
reg (remote registry)
winrs (execute remote commands)

27
Q

What is going on in this command: sc \\host create servicename binpath= “c:\temp\evil.exe”

A

A service called evil.exe was created on the remote system.

28
Q

What is going on in this command: at \\host 13:00 “c:\temp\evil.exe”

A

A job (scheduled task) will run evil.exe on the remote system at 1:00 pm.

29
Q

What is going on in this command: winrs -r:host -u:user [command]

A

A remote system was logged into as an available user to run commands. Search for winrshost.exe on the remote system.

30
Q

What is going on in this command: reg add \\host\HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Data /t REG_SZ /d “C:\evil.exe”

A

A registry value was added remotely on the remote system to run evil.exe as an AutoStart.

31
Q

Windows Remote Services tool: source registry and filesystem locations to analyze for lateral movement.

A

Registry:
sc.exe:
[Shimcache][BAM/DAM][Amcache]
Filesystem:
sc.exe:
[Prefetch]

32
Q

Windows Remote Services tool: destination registry and filesystem locations to analyze for lateral movement.

A

Registry:
\CurrentControlSet\Services\, [Shimcache][Amcache]
Filesystem:
[File Creation][Prefetch]

33
Q

Windows Remote Scheduled Tasks: source registry and filesystem locations to analyze for lateral movement.

A

Registry:
at.exe & schtasks.exe:
[Shimcache][BAM/DAM][Amcache]
Filesystem:
at.exe & schtasks.exe:
[Prefetch]

34
Q

Windows Remote Scheduled Tasks: destination event log, registry, and filesystem locations to analyze for lateral movement.

A

Event log: TaskScheduler%4Operational
Registry:
- Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
- Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\
[Shimcache][Amcache]
Filesystem:
- \Windows\Tasks, \System32\Tasks
at.exe & schtasks.exe:
[Prefetch]

35
Q

Registry and filesystem locations to analyze for source WMI lateral movement.

A

Registry:
wmic.exe:
[BAM/DAM][Shimcache][Amcache]
Filesystem:
wmic.exe:
[Prefetch]

36
Q

What command should an analyst be on the lookout for when WMI remoting is being used?

A

“Process call”. It is a similar concept to PsExec, except it doesn’t create a service.

37
Q

What event log can I look in to find WMI activity?

A

Microsoft-Windows-WMI-Activity%4Operational.evtx
Event Log IDs: 5857, 5860, & 5861

38
Q

Registry locations to analyze for destination WMI lateral movement

A

scrcons.exe, mofcomp.exe, wmiprvse.exe:
[Shimcache][Amcache]

39
Q

Filesystem locations to analyze for destination WMI lateral movement

A

C:\Windows\System32\wbem\Repository (use PowerShell to audit for changes)
File creation: evil.mof
scrcons.exe, mofcomp.exe, wmiprvse.exe:
[Prefetch]

40
Q

What source event logs can I look up to find PowerShell lateral movement?

A

WinRM%4Operational.evtx:
Event Log IDs: 6, 8, 15, 16, 33
PowerShell%4Operational.evtx:
Event Log IDs: 40691, 40692, 8193, 8194, 8197

41
Q

Registry and filesystem locations to analyze for source PowerShell lateral movement

A

Registry:
PowerShell.exe:
[Shimcache][Amcache][BAM/DAM]
Filesystem:
PowerShell.exe:
[Prefetch]
Search for ConsoleHost_history.txt (records 4100 PS commands that were typed).

42
Q

What event log files can I use on the destination system to track PowerShell lateral movement?

A

PowerShell%4Operational.evtx:
Event Log IDs: 4103, 4104, 53504
Windows PowerShell.evtx:
Event Log IDs: 400/403, 800
Windows-WinRM%4Operational.evtx:
Event Log IDs: 91, 168

43
Q

Registry and filesystem locations to analyze for destination PowerShell lateral movement.

A

Registry:
Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy
wsmprovhost.exe:
[Shimcache][Amcache]
Filesystem:
wsmprovhost.exe:
[Prefetch]

44
Q

Why would adversaries have an objective to target the patch management systems?

A

They can use the application deployment software to distribute “patches” that are actually malware to systems at mass scale.

45
Q

How can an adversary target the patch management system in a cloud infrastructure?

A

Instead of a patch system, the target is the cloud control panel. From there they can control and distribute anything they want, and even delete data.

46
Q

How can an analyst monitor patch management/cloud control panel systems?

A

Accounts for these systems must be heavily monitored; creating unique accounts that aren’t domain accounts can help, and deploying patches on known, specific days or times makes it easier to identify deployments outside the routine.

47
Q

What are vulnerability exploits?

A

Applications that have been discovered to have vulnerabilities that can give adversaries shell access or remote code execution.

48
Q

What are Remote Access Tools (RATs), and why is this malware used for lateral movement?

A

RATs are used by adversaries instead of LOTL tools simply because they offer faster lateral movement once the adversary has found a vulnerability in the enterprise that lets them run. They don’t trigger account logons, since credentials aren’t dumped.

49
Q

What are some examples of RATs?

A

Poison Ivy, PlugX, Gh0st RAT, webshells, Metasploit Meterpreter, and Cobalt Strike’s Beacon.

50
Q

What are some effective ways to detect malware-based lateral movement?

A

Watch for system crashes recorded in the event logs. A/V, HIPS, and Exploit Guard can be effective as well. It also helps to monitor new processes in the logs.